I’ve been looking back at the recent history of data breaches. This resource at http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm shows that of 126 private sector incidents, 40% were the result of laptop theft, and a further 30% were attributed to human incompetence or insider “Malfeasance”.
For further statistical analysis of data breaches, this website has some good data: http://etiolated.org/. The top two incidents listed in terms of number of compromised records, CardSystems and TJX, were apparently the result of vulnerabilities in the systems used to host the data. Of the rest, five out of eight had fraud or theft as the cause.
More detailed data can be found here: http://attrition.org/dataloss/dataloss.csv. If this is accurate, then since records began being collated 7 years ago, more than 300 million individual personal and private records may have been compromised. That, incidentally, is equal to the population of America. Of the 832 incidents catalogued,
– 42 were the result of data disposal processes
– 11 were through email
– 53 were the result of fraud
– 168 were the result of hacking
– 75 were because of lost laptops, documents, or disk drives
– 304 were because of stolen computers, stolen tapes or other media
– 125 were because of web based attacks
Only 2 incidents resulted from malware, affecting fewer than 3000 records. Nearly a quarter of all incidents are listed as being the result of “accidental” causes rather than being deliberate.
This data tells us a lot. The fact that the majority of data breaches are the result of careless or accidental causes rather than malicious intent shows us that we must tighten up technical controls over access to data, management processes around handling and access, and education around what to do with data and how to dispose of it. Still, more than a quarter of breaches were the result of hacking, so web security and perimeter device security remain incredibly important.
What about malware? We spend a fortune on anti-malware controls, so is this data an indication that a) the controls are working and valid, or b) we’re not at as much risk of having our systems compromised through malware as we think we are? Or is there a c): the extent of malware-related compromise simply isn’t known?
Back to the list of incidents: in only 37 (4%) is the data known to have been recovered with a resulting criminal prosecution. That’s only 6% of the data records supposedly compromised, leaving a whopping 280 million records still at large…
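For anyone who wants to repeat the tallies above (incidents by cause, the accidental share, and the proportion of records known to have been recovered) against a fresh copy of an incident list, here is a small Python script. It is an added example, not code from the post or from attrition.org; the column names (date, organisation, breach_type, records, recovered) and the sample rows are constructed and do not reproduce the real dataloss.csv layout, so the column mapping would need adjusting for the real file.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in a hypothetical column layout (assumption:
# the real attrition.org dataloss.csv uses different column names).
# Organisation names and figures are illustrative only.
SAMPLE_CSV = """date,organisation,breach_type,records,recovered
2005-06-17,Example Processor,hack,40000000,no
2007-01-17,Example Retailer A,hack,45000000,no
2006-05-22,Example Agency,stolen_laptop,26500000,yes
2006-02-01,Example Bank,lost_tape,1200000,no
2006-09-10,Example Retailer B,web,250000,no
2006-11-02,Example Clinic,disposal,3000,no
2007-03-05,Example School,email,1500,no
2006-12-12,Example Co,fraud,90000,yes
2007-02-20,Example Co,malware,2500,no
"""

# Coarse grouping of breach types into "accidental" causes, mirroring the
# split drawn in the commentary above. The grouping itself is an assumption.
ACCIDENTAL = {"lost_tape", "lost_laptop", "disposal", "email"}


def load_incidents(text):
    """Parse CSV text into a list of dicts with typed 'records'/'recovered'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        try:
            r["records"] = int(r["records"])
        except ValueError:
            # Unknown record counts are common in breach lists; count as 0
            # rather than dropping the incident from the incident tally.
            r["records"] = 0
        r["recovered"] = r["recovered"].strip().lower() == "yes"
        rows.append(r)
    return rows


def tally_by_type(rows):
    """Return (incident count per type, record count per type)."""
    counts = Counter()
    records = Counter()
    for r in rows:
        counts[r["breach_type"]] += 1
        records[r["breach_type"]] += r["records"]
    return counts, records


def accidental_share(rows):
    """Fraction of incidents whose cause falls in the ACCIDENTAL group."""
    if not rows:
        return 0.0
    accidental = sum(1 for r in rows if r["breach_type"] in ACCIDENTAL)
    return accidental / len(rows)


def recovery_summary(rows):
    """Incidents and records where the data is recorded as recovered."""
    total_incidents = len(rows)
    total_records = sum(r["records"] for r in rows)
    recovered = [r for r in rows if r["recovered"]]
    recovered_records = sum(r["records"] for r in recovered)
    return {
        "incidents_recovered": len(recovered),
        "incident_pct": 100.0 * len(recovered) / total_incidents if total_incidents else 0.0,
        "records_recovered": recovered_records,
        "record_pct": 100.0 * recovered_records / total_records if total_records else 0.0,
        "records_at_large": total_records - recovered_records,
    }


if __name__ == "__main__":
    incidents = load_incidents(SAMPLE_CSV)
    counts, records = tally_by_type(incidents)
    for breach_type in sorted(counts):
        print(f"{breach_type:14s} incidents={counts[breach_type]:3d} records={records[breach_type]:>10d}")
    print(f"accidental share of incidents: {accidental_share(incidents):.1%}")
    print(recovery_summary(incidents))
```

Because "records" is frequently unknown in these lists, the record-based percentages are a floor, not an estimate; the incident-based percentages are the more trustworthy figure, which is the same caveat that applies to the 4% versus 6% comparison above.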