Data Theft Retrospective

SSI Security Software International

DATA THEFT RETROSPECTIVE

SSI © copyright. All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written express authorization of SSI or one of its affiliate companies.
INTRODUCTION

Key points
• Organized and opportunistic data losses of $1 trillion
• Increasing internal and external threats to data
• IP losses of $4.6B in 2008
• $600M spent repairing data breaches

Workers turned "cyber moles" and crime syndicates armed with malicious software are looting digital data from businesses, with losses reportedly topping a trillion dollars in 2008. California computer security firm McAfee presented the findings in January 2009 at the World Economic Forum in Davos, Switzerland, with a warning that the world's dismal financial straits are exacerbating data theft: "This report is a wake-up call because the current economic crisis is poised to create a global meltdown in vital information."

Insights for the first-ever worldwide study "on the security of information economies" were gathered from more than 800 chief information officers in Japan, China, India, Brazil, Britain, Dubai, Germany and the United States. The companies surveyed estimated that they lost a combined 4.6 billion dollars worth of intellectual property in 2008, and spent approximately 600 million dollars repairing damage from data breaches.

"Companies are grossly underestimating the loss, and value, of their intellectual property," said Eugene Spafford, a US university computer science professor who is executive director of The Center for Education and Research in Information Assurance and Security (CERIAS). "Just like gold, diamonds or crude oil, intellectual property is a form of currency that is traded internationally, and can have serious economic impact if it is stolen."

Pressure on firms to cut costs is weakening computer security measures, making them more tempting targets for information thieves. Thirty-nine percent of the CIOs in the study said they believe vital company information is more vulnerable because of current economic conditions, and there has been an increase in "cyber mafia gangs" breaking into corporate databases.

"Cybercriminals are increasingly targeting executives using sophisticated phishing techniques," the study states. Phishing refers to deceptive emails or other online ruses that trick people into revealing passwords, account numbers or other sensitive information; attacks customized to harpoon specific, powerful executives are often referred to as "whaling."

The dour economy also raises the chances of companies being looted by employees out to supplement shrinking paychecks or improve their prospects with future employers: "An increasing number of financially challenged employees are using their corporate data access to steal vital information. As the global recession continues and legitimate work disappears, desperate job seekers or 'cyber moles' are stealing valuable corporate data to make themselves more valuable in the job market." The study also pinpointed China, Pakistan and Russia as data theft "trouble zones" because of legal, cultural or economic factors.

The following report focuses on data breaches, thefts and losses in the UK, the US and Australia, with facts, figures and examples. Most organizations are reluctant to release information about their data losses, thefts and breaches, or are unaware when one occurs. But what is clear from the information that is publicly available is that the scale of the problem is both large and growing.
DATA THEFT - 2008 WAS A GREAT YEAR GLOBALLY

2008 was not a good year for data protection, data loss and data theft. It was also a bad year for those charged with looking after our data. The ITRC (Identity Theft Resource Center), a respected US nonprofit dedicated exclusively to the understanding and prevention of identity theft, has completed a detailed study of data breaches in 2008. The organization has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help individuals protect their data and assist companies in their activities. The ITRC also advises governmental agencies, legislators, law enforcement and businesses about the evolving and growing problem of data breaches, and of identity theft in particular.

Their report (http://www.idtheftcenter.org/BreachPDF/ITRC_Breach_Report_2008_final.pdf) showed, not surprisingly, a sharp increase in data theft in 2008: an almost 50% rise in reported data thefts and breaches in the US alone, from 446 in 2007 to 656 in 2008. It was also reported that in the UK 35 million data records were lost or stolen, and that insider data theft rose to 16% of breaches (almost double the 2007 figure). Only a small fraction of reported breaches (2.4%) involved data that had been encrypted, which is a tragedy, as encryption is a simple way to protect data at rest. Let us have a closer look at the UK, the US and Australia.
THE UK - DATA LOSS IN 2008

2008 is the year the public began to really hear about data loss, with numerous examples throughout the year and several reports into it. The reports were damning and the scale of data loss staggering: hundreds of thousands of records lost regularly, and HMRC (HM Revenue and Customs) losing data at around 10 items a day. Despite the huge amount of data lost in the UK, and reports of data loss elsewhere in the world, the UK government did not manage to introduce effective policies to prevent it.

1. GOVERNMENT

HMRC (HM Revenue and Customs): A report by Kieran Poynter into HMRC's loss of 25 million records in 2007 found "serious institutional deficiencies" and concluded that the losses were "entirely avoidable". Two computer discs holding the personal details of every family in the UK with a child under 16 went missing. The Child Benefit data on them included the name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.

NHS (National Health Service):
• 9 NHS trusts admitted losing millions of records; 4 out of 5 NHS trusts have lost medical records
• A list of NHS losses was produced under the Freedom of Information Act (it is a long list)
• 66,000 medical records lost, including names, home addresses, phone numbers and descriptions of the disabilities of 45,000 people, including children and pensioners
• The NHS also moved a lot of records out to other companies, with 300 million medical records moved out of the NHS and patient data shared with councils

MoJ (Ministry of Justice) and Home Office:
• The MoJ lost 4 CDs containing criminal case information; the CDs were unencrypted, giving anyone who found them access to highly confidential material
• The Ministry of Justice lost 5,000 records
• The Home Office lost 84,000 prisoner records
• The UK Government lost 3 million driving licence records on an unencrypted hard drive

MoD (Ministry of Defence): The MoD lost almost as much data as the NHS; a sample of the losses is listed below.
• The MoD lost 600,000 records on an unencrypted laptop
• The MoD admitted losing 650 laptops
• The RAF lost 50,000 records
• The Army lost 1.5 million records

DWP: The Department for Work and Pensions lost a USB drive.

Foreign Office: The FCO admitted losing tens of thousands of records.
Individuals within the government: A couple of high-profile individuals lost data as well as the departments listed above. Hazel Blears, former Communities Secretary, had her unencrypted laptop stolen, and "critical terror files" were left on a train.
PRIVATE SECTOR

Below is an outline of data theft statistics posted on December 28, 2008, drawn from different sources. Despite the variety of sources, they all say the same thing: data theft is common, it happens regularly, and everyone knows it is going on.

HSBC: HSBC did not have a good year for data loss:
• HSBC lost an entire server; the data was not encrypted
• HSBC lost 37,000 records on unencrypted media
• HSBC, along with banks in the UAE and others, also suffered a theft of bank data

Virgin: Virgin Media were censured by the ICO following their data loss.

2008 Finjan Report (Finjan is a leading provider of secure web gateway solutions for the enterprise market). According to their Web Security Survey of July 2008, almost all participating organizations perceive cybercrime as a major business risk, including loss of customers, brand damage and potential lawsuits. The survey also found that the majority of CIOs and CSOs are more concerned about data-stealing malware entering their networks than about downtime and loss of productivity due to virus infections. Finjan asked organizations to answer questions about web security and cybercrime; data theft is seen as a far greater problem than loss of productivity due to virus infections. Given the sophistication of today's cybercriminals and their attacks, it is notable that 33% of respondents were convinced that their organization had never been breached by malware, while 25% reported that they had been breached and an overwhelming 42% were not sure or could not exclude the possibility of a breach.

Extract from the 2008 Finjan Report (share of respondents):
• Cybercrime seen as a major business risk: 91%
• Concerned about data theft: 73%
• Healthcare patients' medical records seen as a potential target: 73%
• IP and sensitive information at risk of data theft: 68%
• Worried about loss of employee data: 54%
• Customer information at risk (financial sector): 47%
• Cannot exclude the possibility of a breach: 42%
• Data breach reported: 25%

Total survey respondents amounted to 1,387, 54% of whom have direct involvement in IT/security. Of this group, 21% were IT personnel, 16% security consultants, 11% IT/security directors and managers and 6% CIOs/CSOs. The two largest industry sectors represented are banking (15%) and government (14%).
2. SME SECTOR

Small to medium-sized businesses (SMEs) are failing to acknowledge and prevent data theft, new research shows. A study conducted by security software firm Prefix IT sought the views of 1,000 UK workers and found that half of SME managers say preventing data theft is not "even on the radar", with 29 percent of all other managers saying the issue is not recognised at board level.

The report also revealed that workers leaving the company posed the biggest threat to security, with 65 percent admitting they had considered taking data such as sales leads, database information, business contacts and sensitive documents, and nearly two thirds admitting to having stolen data in the past. This number rose to nearly three quarters of those surveyed in the 45-54 age group. Overall, 36 percent revealed they might download company data to help in a new job. However, only 7 percent of managers surveyed believe their organization has been affected by data theft. Nearly a third of managers said that defending against data theft is a "key priority for the business"; this figure dropped to 22 percent for small SMEs (51-250 workers) and 28 percent for medium-sized SMEs (251-500 employees).

Graeme Pitts-Drake, CEO of Prefix IT, said: "Whilst trust in staff is laudable, it is professionally negligent not to protect company assets appropriately through policy and technical means. Failing to communicate with staff about unacceptable activities is tantamount to endorsing theft." According to Pitts-Drake, despite the limited resources available to SMEs, this is something they should be concerned about. "Whether it is a large or small organization, data theft is a massive problem," he said. "It is happening but managers don't realise it is happening - they are burying their heads in the sand. Smaller businesses have more of a family mentality and a culture of trust, but data theft is going on around them and they should be very worried," he added.

In an earlier study, conducted in September, 78 percent of the workforce surveyed said they owned a personal device capable of downloading and storing data. Moreover, it found that 30 percent of workers believe company information is rightfully theirs to take.
THE US - DATA BREACHES IN 2008

ITRC sources (http://www.idtheftcenter.org/)

Key points
• Reports of data breaches in the U.S. rose almost 50% in 2008
• Only 2.4% of all breaches involved data where encryption or other strong protective measures were in place
• Only 8.5% involved password protection
• Insider theft accounted for nearly 30% of breaches
• Insider theft more than doubled between 2007 and 2008

Information management is critically important to all of us, as employees and as consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. The list is updated daily and published each Monday. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. ITRC follows U.S. Federal guidelines on which combination of personal information identifies a unique individual, and the exposure of which constitutes a data breach.

There are currently two ITRC breach reports, updated and posted online weekly. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops statistics based on the type of entity involved in the data exposure. Breaches are broken down into five categories: business, financial/credit, educational, governmental/military and health care. Other, more detailed reports are generated throughout the year and posted quarterly.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:
• Data on the move
• Accidental exposure
• Insider theft
• Subcontractors
• Hacking
Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in a given year or a previous year are included in the year in which the breach was publicized. Each selected incident must have been published by a credible media source, such as TV, radio or the press. An item is not included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and ITRC usually cites more than one source.

As an authority on data breach exposures, the ITRC is frequently asked whether there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either because of laws or because of public pressure. It is the opinion of the ITRC that criminals are stealing more data from companies, and that data breaches are being publicized more frequently.

US Security Breaches 2008

Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, an increase of 47% over the previous year's total of 446. In terms of sub-division by type of entity, the rankings did not change between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use, and only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.

The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies, so the number of breaches reported does not reflect the number of companies affected.

The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches, such as www.databreaches.net (aka Pogowasright), privacy.net and www.datalossdb.org. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.
A report by ID Analytics states that people whose data was stolen deliberately (e.g. by an employee with access to the data) are 12 times more likely to become victims of fraud than those whose data was lost by accident (e.g. a missing laptop). This is not surprising, but it is a figure worth knowing when managing security risks.

According to Privacy Rights Clearinghouse, more than 244 million records were lost or stolen in 2008 up to November. According to the Identity Theft Resource Center there were 449 separate data breach incidents in the US in the first 9 months of 2008, more than in the whole of 2007. The ITRC 2008 report also notes that in over 40% of data breach and data theft incidents the number of records lost or exposed was not reported or not fully disclosed.

Data theft/data breaches by industry:
• Business/Commerce: 37%
• Educational: 20%
• Healthcare/Medical: 16%
• Government/Military: 15%
• Banking/Finance: 12%

Data theft/data breaches by cause:
• Lost laptop/media: 23%
• Hacking: 18%
• Theft by employee: 18%
• Accidental: 16%
• Other external: 14%
• Subcontractor: 11%
AUSTRALIA - 2008 DATA BREACHES (Source: SC Magazine, Aug 11, 2009)

Two in three Australian organizations experienced a serious data breach in the last twelve months, according to a survey by the Ponemon Institute. The Institute, commissioned by data encryption company PGP, paid 482 IT security professionals in Australia to answer questions about the protection of their data. Some 69 percent of respondents said they experienced at least one data breach in the last 12 months, up from 56 percent in 2008. One in four of the companies that experienced a data breach suffered five or more breaches in the 12 months, up 22 percent on 2008.

Of those organizations that did admit to losing data, 65 percent chose not to inform the public, a figure the report's authors said was "sure to add to the demand for Australia to adopt data breach notification laws similar to those in the United States." The Federal Government has spent the last few months reviewing privacy laws, the first draft of which was due to be released to the public within a week. But no timeline has been set for the introduction of mandatory data disclosure laws, as recommended by the Australian Law Reform Commission and the Office of the Privacy Commissioner. In the interim, the Office of the Privacy Commissioner has produced a voluntary guide to managing data breaches.

The survey also revealed some interesting data on what motivates organizations to protect their data. Of the organizations that use encryption to protect against the leak of confidential data, only 15 percent said they did so for regulatory reasons (citing the Federal Privacy Act, National Privacy Principles and PCI DSS requirements), whereas 70 percent used encryption to protect their brand and reputation.

Mandatory data loss laws could curb security breaches

More than half of Australasian SMEs claim to have experienced security breaches. When Symantec released its 2009 Global Small and Mid-sized Business (SMB) Security and Storage survey in Australia and New Zealand, executives for the security vendor said security breaches included instances where information had been subject to unauthorized access, often where the data was lost, stolen or hacked. Steve Martin, SMB director at Symantec, told iTnews that, by contrast, only 29 percent of companies in the US and 27 percent of SMBs in Canada experienced breaches.

"There are a couple of reasons for those differences," he said. "Some of these companies don't have their own IT staff, therefore they don't have the knowledge or skills to keep their security up to date. Also, companies in the US are governed by mandatory data disclosure law, which is in place in several states across the country."

Martin said the law required an organization to inform its customers of any loss of their personal information. The law gave organizations a myopic view of IT security and forced them to invest in the right protection. In Australia, however, there are no such mandatory disclosures, and therefore data protection is not at the forefront of an SMB's mind.

"The current privacy laws in this region were written 23 years ago by Justice Michael Kirby when there was no Internet or mobile phone," he said. "The Australian Law Reform Commission is looking at some three hundred changes to local privacy laws, which includes data disclosure. The proposed changes are currently with Senator John Faulkner and there should be results by the end of this year, so organizations can move forward."

Symantec's 2009 Global SMB Security and Storage Survey drew responses from 1,425 small and medium businesses in 17 countries, with 100 responses from Australia (50) and New Zealand (50). The companies surveyed ranged from 10 to 500 employees.
CONCLUSION

Data theft is a growing problem, primarily perpetrated by office workers with access to technology such as desktop computers and hand-held devices capable of storing digital information, such as flash drives, iPods and even digital cameras. Since employees often spend a considerable amount of time developing contacts and confidential, copyrighted information for the company they work for, they often feel they have some right to that information and are inclined to copy and/or delete part of it when they leave the company, or to misuse it while still employed.

While most organizations have implemented firewalls and intrusion-detection systems, very few take into account the threat from the average employee who copies proprietary data for personal gain or for use by another company. A common scenario is a salesperson making a copy of the contact database for use in their next job; typically this is a clear violation of their terms of employment.

The damage caused by data theft can be considerable given today's ability to transmit very large files via e-mail, web pages, USB devices, DVDs and other hand-held devices. Removable media devices are getting smaller with ever larger capacity, and activities such as podslurping are becoming more and more common. It is now possible to store 80 GB of data on a device that fits in an employee's pocket, data that could contribute to the downfall of a business.

Is there an answer to data loss, theft and breaches? As Mark Pullen of RSA outlined in September 2008, businesses need best practices in place to avoid enterprise data loss, such as:

Understand what data is most sensitive to the business.

Know exactly where the most sensitive data resides. Understand the origin and nature of your risks:
• Do you have sensitive data in databases? If so, in which database tables, and which columns or fields?
• Do you have sensitive data in file shares? In which folders and files?
• Do you have high-risk data on laptops? Whose laptops?
• Is your intellectual property unwittingly exposed through custom-built applications?
• Are your unannounced company financial reports illicitly finding their way onto laptops, PDAs and USB drives?

Select the appropriate controls based on policy, risk and where sensitive data resides.
• Manage security centrally
• Audit security to constantly improve
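The practical step behind "know exactly where the most sensitive data resides" is a discovery sweep: scan the file shares, laptop images and database exports you actually hold for the identifiers that keep appearing in the breaches above (National Insurance numbers, Social Security numbers, payment cards). The script below is an added example written for this page; it is not SSI's, RSA's or the ITRC's code. It walks a directory tree and counts matches per file, applying the Luhn checksum to card candidates so that order or invoice numbers are not reported as cards. The regular expressions are deliberately simple and the sample files it scans are constructed test data with no real identifiers in them.

```python
"""Sensitive-data discovery over a directory tree.

Added example for this page, not SSI's or RSA's own tooling. It walks a
directory, looks for identifiers that frequently appear in breached data
(US Social Security numbers, UK National Insurance numbers and payment
card numbers) and reports a per-file count. Card candidates must pass the
Luhn check so that order or invoice numbers are not reported as cards.
The files written by build_sample_tree() are constructed test data.
"""
import os
import re
import tempfile

# US SSN: area not 000, 666 or 9xx; group not 00; serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# UK NI number: prefix letters exclude D, F, I, Q, U, V (second also O),
# a few prefixes are never allocated, suffix is A-D. Spaces are optional.
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b",
    re.IGNORECASE,
)

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(candidate: str) -> bool:
    """Return True if the digits in candidate pass the Luhn checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count each identifier type found in a block of text."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "nino": len(NINO_RE.findall(text)),
        "card": sum(1 for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))),
    }


def scan_tree(root: str) -> dict:
    """Map relative file path -> counts, for files with at least one hit."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_sensitive(fh.read())
            except OSError:
                continue        # unreadable file: skip it, do not abort the sweep
            if any(hits.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed sample files; none of these identifiers belong to a real person.
SAMPLE_FILES = {
    "crm/customers.csv": "name,ssn,card\nAlice Example,123-45-6789,4111 1111 1111 1111\n",
    "hr/staff.txt": "Bob Example, NI number AB 12 34 56 C, started 2008-03-01\n",
    "docs/readme.txt": "Order 12345678901234 shipped; 000-12-3456 is not a valid SSN.\n",
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="datascan-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {hits}")
```

Run against the sample tree it reports the CSV (one SSN, one valid card) and the HR note (one NI number) and stays silent on the readme, whose 14-digit order number fails the Luhn check and whose 000-prefixed value is not a valid SSN. Pointed at a real share the output is the starting inventory the RSA checklist asks for; the counts also make a useful before/after measure when auditing whether a clean-up or encryption rollout actually reached the files that matter.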
CONTACTS

SSI Pacific Australia
Level 27, 101 Collins Street, Melbourne, VIC
Tel: +61 3 9653 9163
Fax: +61 3 9653 9307

SSI Pacific New Zealand
Level 16, Vodafone on the Quay, 157 Lambton Quay, Wellington 6140, New Zealand
Tel: +64 4 460 5263
Fax: +64 4 460 5252

SSI Pacific Hong Kong
Levels 25 & 30, Bank of China Tower, 1 Garden Road, Central, Hong Kong, China
Tel: +852 2251 8795
Fax: +852 2251 1618

REFERENCES
• www.idtheftcenter.org
• www.myidscore.com
• www.finjan.com
• www.cerias.purdue.edu
• www.datalossdb.org
• www.databreaches.net
• www.ponemon.org
• www.laptoptheft.org
• www.eweek.com
• www.techworld.com.au
• www.mcafee.com
• www.rsa.com
• www.crn.com.au
• www.ironkey.com
