It's a Record Year for Data Breaches
With Four Months to go, 2008 Breaches Already Surpass 2007's

With four months to go in 2008, the number of data breaches on the Identity Theft Resource Center's (www.idtheftcenter.org) Breach List has already passed the 446 breaches reported by ITRC for all of 2007. Last Friday, the number of data breaches hit 449. ITRC's founder Linda Foley cautiously says this milestone is a little frightening, "knowing that we're four months ahead of last year." The real number of breaches reported may be even higher because of under-reporting and the inclusion of multiple companies under one breach.
The results that ITRC sees may be influenced by the recent permission to access several state attorney generals' databases on breach notification. "This access helps us to know about breaches that we (and the public at large) would not have known about otherwise," Foley says.
The ITRC's intent in making this breach information known is not to expose a company's shortcomings in information security or the mistakes that led to a data breach. "We're not taking the information to turn around and say 'Naughty Naughty' to the company that was breached," she explains. Rather, the goal is to let the ITRC look at more breaches over a period of years and see more of their causes and common themes. "The more we're able to see this, we'll know what can be done to better control them," she notes.
Drawing on research from groups such as ID Analytics, the Ponemon Institute and Verizon, as well as ITRC's own research, data breaches are divided into two types: the malicious attack, and the inadvertent mistake or leak of information (poor information handling). In the case of the malicious attack, "We already know that encryption and securing your network makes a difference."
The companies that have secure networks and encrypt the individual hard drives, as well as the data in motion and at rest on servers, are not being targeted.
Foley says taking this approach is good corporate decision making. "The companies that are doing this are putting a stake in the ground and are saying 'You [hacker] are not taking any more of our data.'"
It also behooves financial institutions to have written policies in place that limit access to sensitive information. While some companies, including financial institutions, may already limit staff access to data, "There is the need to continue work," Foley says. "But if someone is taking computer files home to work on them over the weekend, do they need those social security numbers? Probably not."
The message from ITRC in light of the new milestone is: Breaches are happening, but they're not being taken seriously. "A couple of years ago we were saying there were 150 breaches, then 300, and it's ratcheting up here," Foley says. "Someone has to draw a line in the sand and say - enough is enough. When do we learn from history?"
Additional types of ITRC Breach Reports are available at: http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml