
Attacks/Breaches

2/25/2009
03:31 PM
Dark Reading
Products and Releases

Consumer Data Losses 100 Times Worse Than Thought: Report

Cost of sensitive consumer information that is lost, stolen, or inappropriately accessed exceeds $1 trillion annually, according to report from J. Campana & Associates

Madison, WI (PRWEB) February 25, 2009 -- Public opinion and debate have been intense over government economic recovery spending, estimated to exceed one trillion dollars. Yet few appreciate that the cost of sensitive consumer information that is lost, stolen or inappropriately accessed exceeds a trillion dollars annually.

Dr. Joseph Campana, author of a new data breach study, said, "We pay for information losses in higher prices, higher taxes, requests for more donations as well as through the personal inconveniences and costs of dealing with identity theft and privacy violations when our information is misused."

The three major sectors -- private, public and volunteer -- were considered in the comprehensive data breach study released today by J. Campana & Associates (http://www.JCampana.com). Breaches were analyzed by sector and subsector with respect to sector populations, breach incidents, profiles compromised, breach types, sources of breaches, and other key characteristics.

The Private Sector makes up 94% of all enterprises in the U.S., and the study reports it accounts for 37% of the reported incidents. In contrast, the Public Sector composes less than 1% of all U.S. enterprises yet it accounts for 55% of all breaches.

According to the study, the disparity can be explained by examining who is reporting the data breaches. Generally, large and medium size organizations are doing almost all of the reporting. Few reports are made by small organizations.

For example, the smallest units of local government comprise more than 90% of government, yet this subsector reported only one breach in four years. Either most small organizations do not handle sensitive information, they have exemplary information security, or they are not detecting or reporting data breaches. Campana shared an anecdote: "A town manager told me if it comes down to information security or potholes, I'm filling potholes, because that's what taxpayers call me about; fixing potholes will get me re-elected."

Mega Breaches accounted for less than 2.5% of the 1,100+ breaches considered over the study period, yet they accounted for 85% (230 million) of all the profiles compromised. Campana says, "These are alarming but scarce events, which should not be viewed as average data breaches by the public. We need to be as or more concerned about what an average breach looks like and how to prevent them. There are more of them, and they can and will go undetected unless they are addressed."

The major breach type in most sectors and subsectors involved laptop computers. Hacking, which ranked third among all sectors, was the leading breach type in the Retail Industry and in the University/College Group. Web access to sensitive information ranked fourth and was prevalent in the Public Sector, especially in the County Government Subsector that continues to allow public Web access to land records containing unredacted personal information such as Social Security Numbers (http://www.prweb.com/releases/2009/02/prweb2105264.htm).

Over 60% of all breaches involve the loss, theft and improper disposal of computers and related devices and media. Over 20% involve Web access to sensitive information and improper handling of paper documents. "These breach types together compose 85% of the reported incidents and could be sharply reduced or eliminated by using data encryption and redaction technologies," according to Campana. He also goes on to say, "Breaches by mishandling documents are grossly under-reported. Many wrongly omit paper records from information security considerations." Data breaches that are reported may be more of a tribute to compliance than to negligence. Organizations that report data breaches are frequently demonized. Yet, negligent organizations are not safeguarding, detecting or reporting breaches. This dichotomy discourages reporting and compliance by responsible enterprises.

Campana said, "Everyone must realize that even with a model privacy and information security best practices program and the most current security technology, data breaches will continue to occur by accidental or malicious actions of insiders or outsiders."

Privacy, security and risk management professionals can use the results of the new study to assess and prioritize risks in their organizations based on those determined to be the most probable historical risks in the study for sectors, subsectors and industry groups. The report, "Data Breach Risk Factors 2005-2008: An Information Security Risk Management Resource Guide for Security and Risk Professionals" is available from J. Campana & Associates LLC (http://www.JCampana.com). The color report contains 55 pages (15,000 words) and 40 figures and tables.

About the Author: Joseph E. Campana, Ph.D. is a Privacy and Information Security Professional and the principal of J. Campana & Associates LLC. Dr. Campana is the author of the book, "Privacy MakeOver: The Essential Guide to Best Practices" (http://www.PrivacyMakeOver.com) and several reports and white papers including Identity Theft: The Business Time Bomb. Campana has over 30 years of research and research management experience. He has been awarded research fellowships at the Johns Hopkins University School of Medicine, the National Research Council, NATO and the University of Wisconsin. Campana has published over 50 research papers in refereed journals and has served as a guest editor for several professional journals. Joe Campana also authors a daily blog on identity theft, privacy and information security (http://www.PrivacyDiary.com).
