Data breaches in 2008

Do you know how many data breaches occurred in 2008? Well, the Identity Theft Resource Center (ITRC) has come out with a list of all the reported breaches in 2008. The key word here is “reported”. For all we know this may just be the tip of the iceberg. Anyway, they have logged about 35.6 million records that were potentially compromised.

The report documents 656 instances of breaches from government entities and US-based companies. Since data breach laws vary by state, there might be a lot more breaches that have not been reported, and the magnitude of the reported breaches may be understated.

The highlights are that the biggest share of the breaches, over 33%, occurred at businesses, and slightly over 16% occurred at government and military institutions. Another interesting point to note is that slightly over 15% of the breaches were attributed to insider theft. This is about double what it was in 2007.

Most of the breaches occurred due to improper storage and handling of data. Other reasons include stolen laptops, lost backup tapes, accidental disclosure and hacking. In most of the breaches, the data was not encrypted or protected with passwords.

All these data point to some basic problems. The most important and the most obvious one is that personnel within an organization are either unaware of, or unconcerned with, how to handle sensitive data. This is a very serious problem, since hackers don’t have to work hard at all to steal data. In a lot of cases, data seems to have been copied onto laptops, USB keys and other devices and then misplaced or stolen. Top-level executives are notorious for taking work, including data, home and causing headaches for the security team. In a lot of instances, data on backup devices seems not to have been protected with encryption.

Here are some of the things that organizations can do to protect themselves and their customers’ data:

  • Create data classification levels. Map each level of classification to roles within the organization and also specify how data within each classification should be handled.
  • Train personnel on the importance of following data handling procedures.
  • Make personnel accountable for the data that they handle. This might require implementing solutions for monitoring data access and use.
  • Conduct an audit of the effectiveness of the above points by actually testing how personnel handle data.

It has to be said that these are just a small subset of what organizations can do, and only a starting point. A culture of security has to be developed within the organization so that everyone realizes that they have to do their part to increase security.

2008 ITRC Breach Report