Data Breaches on the Rise

Updated: August 20, 2012

Data breaches have become a staple of news headlines in recent years, as more states require organizations to disclose such events to consumers

In 2003, California enacted the nation's first notice-of-security-breach law. Since then, 37 other states and the District of Columbia have followed with their own laws, according to Consumers Union. Against that backdrop, incident reports have skyrocketed. Etiolated.org , which uses data from Attrition.org , shows that 4,960 records were lost or stolen in 2002. In 2007, that number grew to 162,563,703.

on Gossels, president and CEO of SystemExperts Corp ., a security and compliance consulting firm, noted the rise in disclosures since the passage of state notification laws. "It's not clear to me that the actual number of breaches is changing, but clearly there have been some highly visible ones in the past year," he said.

Big Targets

Recent transgressions include the TJX Companies, Inc . breach, which is reckoned to be the largest ever. TJX, the parent of retail chains including TJ Maxx , announced the computer incursion in January 2007 and later disclosed in an SEC (Securities and Exchange Commission) filing that the incident involved data from more than 45 million payment cards.

Brad Johnson, vice president at SystemExperts, said he views TJX as an anomaly, suggesting most breaches stem from human error rather than an attacker's ingenuity. He cited organizations that fail to encrypt data on portable devices , which can be lost or stolen. "The fundamental problem is a lack of security awareness," Johnson said. "Employees weren't aware of the risk involved, so they didn't take the appropriate precautions."

The case of HM Revenue & Customs , the United Kingdom's tax department, fits the human-error category. In late 2007, HM Revenue & Customs acknowledged the loss of two computer disks containing the personal information of 25 million people. In a similar scenario, a laptop containing data on 26 million veterans was stolen in 2006 from the home of a U.S. Department of Veterans Affairs data analyst.

As for active theft, some security analysts report a rise in organized , profit-motivated attacks. Sumit Pal, executive vice president of WithumSmith+Brown Global Assurance, LLC , a security and compliance consulting firm, noted increasing activity among what he termed criminal gangs that steal personal data and sell it for $1 to $10 per record.

Marty Lindner, a senior member of the technical staff at Carnegie Mellon University's Software Engineering Institute , said attacks will continue as long as they are profitable. "There's no indication that it is becoming less profitable," he said.

The lure of a profitable hit has motivated network assailants to take an unrelenting approach. In the TJX case, for instance, the first unauthorized access took place in July 2005, with subsequent intrusions in 2005 and between mid-May 2006 and mid-January 2007, according to the company's SEC filing. "One of the things we are seeing with the TJX model is the attacker is persistent," Gossels said. "In the past … somebody was joyriding. Now, more and more, we are seeing persistent, subtle attacks."

Security Measures

Protecting data from loss or theft starts with an organization understanding what sensitive data it has and where it resides, according to security consultants. "A lot of customers don't really have a good grip on where all their sensitive data is," Johnson said. Pal also suggested that organizations classify their data according to sensitivity and educate employees on the policies and procedures for handling various kinds of data.

Another mechanism for improving security is to handle only the data that is essential to a given task. According to Johnson, organizations commonly extract data sets for processing that contain much more information than necessary. A company may take a whole Excel file rather than the relevant portions, for example. "Few organizations have policies and procedures in place to scrub the data before it is downloaded or processed," Johnson said.

Lindner pointed out that an attacker bent on identity theft needs more than a credit card number. The more personal data an enterprise collects, the more conditions become ripe for identity theft . "Don't record things you don't actually need," he said.

But while businesses should take care to follow best practices in security, consumers should also share some of the burden. "Consumers are putting a lot more trust in the companies they do business with than I think is a good idea," Lindner said. "The user/consumer is not spending a whole lot of time understanding the risk they are putting themselves into when they give any kind of personal information to a third party."

Lindner offered the example of a Web-site registration process in which a user is asked to provide his or her mother's maiden name as the answer to a "secret question." A truthful answer could help an identity thief. He recommended making up an answer and storing it in a secure manner.

"It's a balancing act," Lindner said. "Companies need to do more and consumers need to do more."

Related Categories

Featured Research

SolarWinds MSP; Digimite Technology

more
Five Cyberthreats that Slip Past Traditional Antivirus

more
The Art of Organizing and Simplifying IT Support

Any operational business model relies heavily on IT support and the help desk to achieve maximum uptime for all IT systems. This white paper addresses ways for help desk analysts and IT support staff to easily and efficiently handle their workload by simplifying and automating processes to increase time and operational cost savings, enhance productivity, and boost customer satisfaction. more
2020 Wheelhouse Buyer’s Guide to APIs

more
2020 Security Software Buyer’s Guide

more