Network News

X My Profile
View More Activity

Malicious Attacks Most Blamed in '09 Data Breaches

Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego based nonprofit.

The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008.

Some 44 states and the District of Columbia now have laws requiring entities that experience a breach to publicly disclose that fact. Yet, few breached entities report having done anything to safeguard data in the event that it is lost or stolen. The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology.

"It is a dual problem here undeterred by law or common sense," said ITRC co-founder Linda Foley. "You would think if all these organizations have to notify, that they would take some steps to make sure their data doesn't get exposed in the first place."

While the center found the overall number of breaches is down significantly from the same period last year (342), that doesn't mean that fewer businesses and consumers are being affected by data breaches (around 12 million so far this year). Foley said fewer than half of the entities that disclosed a breach so far this year disclosed how many total victims there were.

The center found that 14 percent of breaches this year were due to data contained on lost or stolen digital media, such as a laptop or USB thumb drive., while 11.6 percent of the breaches involved personal data that was inadvertently exposed or published.

Please join me today at 11 a.m. ET for Security Fix Live, when Yours Truly endeavors to answer your questions about all things tech, security and privacy related. If you can't join us then, drop a question in the hopper now. The transcript will be archived here.

By Brian Krebs  |  June 19, 2009; 10:35 AM ET
Categories:  Fraud , From the Bunker , New Patches  | Tags: data breach 2009, id theft resource center  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: iPhone 3.0 Includes 46 Security Updates
Next: Web Fraud 2.0: Franchising Cyber Crime

Comments

Most surveys report that malware causes breaches account for less than 20% of incidents, attributing most losses to lost/stolen devices and insider issues. It seems to me that discovering sophisticated malware on an employee's computer poses daunting possibilities that can actually dwarf that of a stolen laptop or thumbdrive. That is because the pervasiveness of the breach is difficult to gauge. I wrote about that in more detail here:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/pc-malware-costly-security-breach-disclosures

In the above post, I probably should have made greater mention of infecting commonly used types of documents such as MS Office, Acrobat, etc., to spread malware to other endpoints in an organization:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/documents-from-known-people-may-infect-pc-malware

In short, a malware breach can be like peeling an onion with a seemingly endless number of layers when trying to assess the damage and uncover secondary breaches. The magnitude of reaction costs helps emphasize the importance of investing in malware prevention, something that stops zero-day attacks that elude existing security software, but without stopping end-user productivity or IT personnel work on other matters.

Eirik Iverson

Posted by: eiverson1 | June 22, 2009 3:22 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company