Data Breaches on the Rise

Updated: April 30, 2009

Data breaches have become a staple of news headlines in recent years, as more states require organizations to disclose such events to consumers.

In 2003, California enacted the nation's first notice-of-security-breach law. Since then, 37 other states and the District of Columbia have followed with their own laws, according to Consumers Union. Against that backdrop, incident reports have skyrocketed. , which uses data from , shows that 4,960 records were lost or stolen in 2002. In 2007, that number grew to 162,563,703.

on Gossels, president and CEO of SystemExperts Corp., a security and compliance consulting firm, noted the rise in disclosures since the passage of state notification laws. "It's not clear to me that the actual number of breaches is changing, but clearly there have been some highly visible ones in the past year," he said.

Big Targets

Recent transgressions include the TJX Companies, Inc. breach, which is reckoned to be the largest ever. TJX, the parent of retail chains including TJ Maxx, announced the computer incursion in January 2007 and later disclosed in an SEC (Securities and Exchange Commission) filing that the incident involved data from more than 45 million payment cards.

Brad Johnson, vice president at SystemExperts, said he views TJX as an anomaly, suggesting most breaches stem from human error rather than an attacker's ingenuity. He cited organizations that fail to encrypt data on portable devices, which can be lost or stolen. "The fundamental problem is a lack of security awareness," Johnson said. "Employees weren't aware of the risk involved, so they didn't take the appropriate precautions."

The case of HM Revenue & Customs, the United Kingdom's tax department, fits the human-error category. In late 2007, HM Revenue & Customs acknowledged the loss of two computer disks containing the personal information of 25 million people. In a similar scenario, a laptop containing data on 26 million veterans was stolen in 2006 from the home of a U.S. Department of Veterans Affairs data analyst.

As for active theft, some security analysts report a rise in organized, profit-motivated attacks. Sumit Pal, executive vice president of WithumSmith+Brown Global Assurance, LLC, a security and compliance consulting firm, noted increasing activity among what he termed criminal gangs that steal personal data and sell it for $1 to $10 per record.

Marty Lindner, a senior member of the technical staff at Carnegie Mellon University's Software Engineering Institute, said attacks will continue as long as they are profitable. "There's no indication that it is becoming less profitable," he said.

The lure of a profitable hit has motivated network assailants to take an unrelenting approach. In the TJX case, for instance, the first unauthorized access took place in July 2005, with subsequent intrusions in 2005 and between mid-May 2006 and mid-January 2007, according to the company's SEC filing. "One of the things we are seeing with the TJX model is the attacker is persistent," Gossels said. "In the past … somebody was joyriding. Now, more and more, we are seeing persistent, subtle attacks."

Security Measures

Protecting data from loss or theft starts with an organization understanding what sensitive data it has and where it resides, according to security consultants. "A lot of customers don't really have a good grip on where all their sensitive data is," Johnson said. Pal also suggested that organizations classify their data according to sensitivity and educate employees on the policies and procedures for handling various kinds of data.

Another mechanism for improving security is to handle only the data that is essential to a given task. According to Johnson, organizations commonly extract data sets for processing that contain much more information than necessary. A company may take a whole Excel file rather than the relevant portions, for example. "Few organizations have policies and procedures in place to scrub the data before it is downloaded or processed," Johnson said.

Lindner pointed out that an attacker bent on identity theft needs more than a credit card number. The more personal data an enterprise collects, the more conditions become ripe for identity theft. "Don't record things you don't actually need," he said.

But while businesses should take care to follow best practices in security, consumers should also share some of the burden. "Consumers are putting a lot more trust in the companies they do business with than I think is a good idea," Lindner said. "The user/consumer is not spending a whole lot of time understanding the risk they are putting themselves into when they give any kind of personal information to a third party."

Lindner offered the example of a Web-site registration process in which a user is asked to provide his or her mother's maiden name as the answer to a "secret question." A truthful answer could help an identity thief. He recommended making up an answer and storing it in a secure manner.

"It's a balancing act," Lindner said. "Companies need to do more and consumers need to do more."
