Analysis of US Data Breaches
2005 - 2009
Compiled and Presented by: John E. Kveragas, Jr., CPA, CISA




“Learn from the mistakes of others. You can’t live long enough to make them all
yourself.”

- Eleanor Roosevelt
Agenda
• Background
• Analysis
• Could have, Should have, Would have
• Q&A

• Appendix A – Definition of Root Causes
• Appendix B – Definition of Industries
Background
• Source: www.privacyrights.com
• Time Period: January 2005 – December 2009
• Scope: Reported data breaches impacting customers and employees in the US.
• Purpose: To use the available information to give Audit and Security assurance that time and resources are being wisely spent on securing and reviewing the real risks to our most prized organizational asset.
• Assumptions:
  - The actual number of records compromised is far greater than what has been reported. Some organizations had no idea which records were impacted or how many.
  - The events reported are a representative sample of all data breach incidents, so this data can be used to forecast IT risk areas and emerging trends.
• Constraints:
  - Hacking incidents where the exploit was not explained had their Root Cause classified as Network Security. This Root Cause also covers default/blank passwords, unpatched devices, misconfigured devices, default settings, etc.
  - The Physical Security category covers stolen computers and hard drives. It excludes laptops, PDAs, and portable media.
Analysis – Reported US Data Breaches
From January 1, 2005 – December 31, 2009

By the Numbers:
• 1,340 reported incidents.
• In 324 of the 1,340 reported incidents the organization did not know how many records were affected.
• 40 of those 324 were Banks.
• 457,016,826 known customer/employee records affected.
• The US Census estimated the US population at 305,000,000 in 2009.
• 1,219 organizations had data breaches.
• 74 of the 1,219 organizations had multiple data breaches.

Baseball is ninety percent mental and the other half is physical.   - Yogi Berra
Reported US Data Breaches by Year

Year      Incidents   % of Total Incidents   % of Total Records   Nbr. of Records
2005            117                  8.73%               11.98%        54,771,890
2006            335                 25.00%               16.57%        75,744,316
2007            328                 24.48%               15.47%        70,684,438
2008            320                 23.88%                7.62%        34,824,336
2009            240                 17.91%              48.36%*      220,991,846*
Totals        1,340                   100%                 100%       457,016,826

* A single incident in 2009 was responsible for 100,000,000 records. Because a single event, or a few events, can skew the number of records, a year-to-year comparison should be based on the number of incidents reported rather than on the number of records.
The 5 Largest Data Breaches

Year   Industry               Root Cause             Record Count
2005   Banking                Network Security         40,000,000
2007   Retail                 Network Security         45,700,000
2009   Banking                Virus                   100,000,000
2009   Government - Federal   Disposal of hardware     76,000,000
2009   eCommerce - Retail     Web coding error         32,000,000
       Total Records                                  293,700,000

These 5 incidents represent 64% of the reported data records compromised during the 5 year period.
Root Cause – Sorted by Incident Count

Root Cause                    Nbr. of Records   Incidents
Network Security                  121,881,159         270
Laptop                             37,441,939         259
Paper                               4,696,608         147
Physical Security                   9,179,139         147
Web posting error                   4,533,405         143
Insider                            25,352,839          89
Portable Media                     26,677,497          83
Mailing/Printing error              2,566,405          48
Email error                           710,469          32
Backup Tapes                        9,266,569          29
Unknown                             5,598,145          20
Virus                             100,073,262          14
Web coding error                   32,169,060          12
Disposal of hardware               76,296,770          12
Skimming                                1,821          11
Peer to Peer                           11,485           9
Social Engineering                    435,000           4
Fax error                                  80           2
Programming Error (Backend)               123           2
Public PC                             117,000           2
Wireless                                    ?           2
PDA                                       851           1
Phishing                                4,000           1
SmartPhone                              3,200           1
Totals                            457,016,826       1,340
Root Cause – Sorted by Incident Count
Top 10

Root Cause                    Nbr. of Records   Incidents
Network Security *                121,881,159         270
Laptop *                           37,441,939         259
Paper                               4,696,608         147
Physical Security *                 9,179,139         147
Web posting error                   4,533,405         143
Insider *                          25,352,839          89
Portable Media *                   26,677,497          83
Mailing/Printing error              2,566,405          48
Email error                           710,469          32
Backup Tapes *                      9,266,569          29

The ten root causes with the highest number of incidents represent 93% of the total number of incidents.

Footnote 1: Items marked * are on the Top 10 list for both # of incidents and # of data records impacted.
Root Cause – Sorted by Nbr. of Records

Root Cause                    Nbr. of Records   Incidents
Network Security                  121,881,159         270
Virus                             100,073,262          14
Disposal of hardware               76,296,770          12
Laptop                             37,441,939         259
Web coding error                   32,169,060          12
Portable Media                     26,677,497          83
Insider                            25,352,839          89
Backup Tapes                        9,266,569          29
Physical Security                   9,179,139         147
Unknown                             5,598,145          20
Paper                               4,696,608         147
Web posting error                   4,533,405         143
Mailing/Printing error              2,566,405          48
Email error                           710,469          32
Social Engineering                    435,000           4
Public PC                             117,000           2
Peer to Peer                           11,485           9
Phishing                                4,000           1
SmartPhone                              3,200           1
Skimming                                1,821          11
PDA                                       851           1
Programming Error (Backend)               123           2
Fax error                                  80           2
Wireless                                    ?           2
Totals                            457,016,826       1,340
Root Cause – Sorted by Nbr. of Records
Top 10

Root Cause                    Nbr. of Records   Incidents
Network Security *                121,881,159         270
Virus                             100,073,262          14
Disposal of hardware               76,296,770          12
Laptop *                           37,441,939         259
Web coding error                   32,169,060          12
Portable Media *                   26,677,497          83
Insider *                          25,352,839          89
Backup Tapes *                      9,266,569          29
Physical Security *                 9,179,139         147
Unknown                             5,598,145          20

The ten root causes with the highest number of records represent 97% of the total number of records affected.

Footnote 1: Items marked * are on the Top 10 list for both # of incidents and # of data records impacted.
Top 10: Industry – Sorted by Incident Count

Industry                       Nbr. of Records   Incidents   % of Total Incidents
Education *                          9,136,254         379                    28%
Medical *                            7,711,609         201                    15%
Government - State *                14,993,503         136                    10%
Banking *                          174,682,458          90                     7%
Government - Local *                10,166,092          86                     6%
Government - Federal *             107,221,847          84                     6%
Retail *                            53,111,224          72                     5%
Other                                2,153,348          44                     3%
Insurance                            4,206,121          35                     3%
Accounting/Tax/Audit/Payroll         1,565,290          30                     2%

Total of 1,340 reported incidents.

Footnote 1: Medical and Banking are governed by Federal data privacy law, i.e. HIPAA for Medical and GLBA for Banking.
Footnote 2: Items marked * are on the Top 10 list for both # of incidents and # of data records impacted.
Top 10: Industry – Sorted by Nbr. of Records

Industry                 Incidents   Nbr. of Records   % of Total Records
Banking *                       90       174,682,458                  38%
Government - Federal *          84       107,221,847                  23%
Retail *                        72        53,111,224                  12%
eCommerce - Retail               9        49,784,327                  11%
Government - State *           136        14,993,503                   3%
Government - Local *            86        10,166,092                   2%
Education *                    379         9,136,254                   2%
Medical *                      201         7,711,609                   2%
Brokerage                       16         7,126,146                   2%
Manufacturing                   22         6,223,915                   1%

Total of 457,016,826 records.

Footnote 1: Items marked * are on the Top 10 list for both # of incidents and # of data records impacted.
Risk Analysis
Top 10 Industries: Incidents with an unknown number of records affected.

Industry                       Incidents   % of Total Incidents with Unknown Number of Records Affected
Education                             48                      15%
Banking                               40                      12%
Medical                               38                      12%
Retail                                33                      10%
Government - State                    28                       9%
Government - Local                    19                       6%
Government - Federal                  18                       6%
Other                                 18                       6%
Accounting/Tax/Audit/Payroll          10                       3%
Telecomm                              10                       3%

Total of 324 incidents with an unknown number of records affected.

Banking is called out here because it is an industry regulated by Federal privacy law (GLBA). One of the requirements of GLBA is that the financial institution maintain an inventory of all non-public information (NPI) and adequate security logs to identify who accessed NPI and when. This statistic is in essence stating that over the 5 year period there have been 40 reported breaches of GLBA.
Repeat Offenders
• 6% of the organizations in the study had multiple data breaches.

• Lost/stolen laptops topped the repeated data breaches for the same organization.
  - 48 unencrypted laptops were lost/stolen by the 74 organizations that had multiple data breaches during the same time period.
  - Of the 48 laptops stolen, one had 28,600,000 records compromised.
  - 4 organizations had 3 separate incidents of laptops lost/stolen over the 5 year period.
  - Unencrypted laptops accounted for 37,441,939 (8%) of the records and 258 (19%) of all reported data breaches.

• IT Management often looks at hard drive encryption as a cost-per-laptop expense.
• Perhaps it should be viewed from a cost-per-customer perspective.
  (Cost of encryption / # of sensitive data records X # of laptops with sensitive data.)
Top 3 Root Causes by Industry

[Six pie charts, one per industry; only the labelled slices (share of that industry's incidents) are recoverable from the slide:]

Education:             Network Security 36%, Web Posting Error 16%, Laptop 13%
Medical:               Laptop 26%, Paper 16%, Physical Security 13%
Government - State:    Laptop 15%, Paper 13%, Web Posting Error 13%
Government - Local:    Web Posting Error 23%, Laptop 16%, Paper 13%
Government - Federal:  Laptop 31%, Network Security 11%, Physical Security 11%
Banking:               Network Security 27%, Laptop 16%, Paper 16%

You better cut the pizza in four pieces because I'm not hungry enough to eat six.   - Yogi Berra
Trending upward
Emerging Threats?

[Line chart: # of Incidents (y-axis, 0 to 50) by year (x-axis, 2005 to 2009) for five root causes: Paper, Insider, Mailing/Printing Error, Email error, Virus. The per-year values are not recoverable from the slide.]
January 2010 – April 2010
44% of the incidents are attributed to the Emerging Threats identified in the 2005-2009 data analysis

Root Cause             Count   % of Count   % of Records       Records
Physical Security         16       16.67%          4.52%     5,042,685
Insider                   15       15.63%          0.02%        17,820
Network Security          15       15.63%          1.33%     1,483,453
Paper                     10       10.42%          0.08%        94,460
Laptop                     9        9.38%          0.21%       238,865
Mail/Printing Error        8        8.33%          0.68%       758,250
Virus                      6        6.25%          0.01%         9,174
Portable Media             5        5.21%          3.00%     3,341,069
Web posting error          4        4.17%         89.74%   100,009,053
eMail error                3        3.13%          0.01%         6,260
Backup Tapes               1        1.04%          0.00%         3,097
Disposal of Hardware       1        1.04%          0.37%       409,262
Peer to Peer               1        1.04%          0.00%           260
Programming Error          1        1.04%          0.00%         3,900
Web Coding Error           1        1.04%          0.02%        27,000
Totals                    96         100%           100%   111,444,608
2009 Actual vs. 2010 Forecasted

Root Cause             2009 (Actual)   2010 (Forecasted)   Projected % Change
Physical Security                 15                  48                  69%
Insider                           26                  45                  42%
Network Security                  42                  45                   7%
Paper                             39                  30                 -30%
Laptop                            35                  27                 -30%
Mail/Printing Error               13                  24                  46%
Virus                             11                  18                  39%
Portable Media                    15                  15                   0%
Web posting error                 14                  12                 -17%
eMail error                       11                   9                 -22%
Backup Tapes                       1                   3                  67%
Disposal of Hardware               3                   3                   0%
Peer to Peer                       2                   3                  33%
Programming Error                  1                   3                  67%
Web Coding Error                   3                   3                   0%
Totals                           231                 288                  20%
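The deck does not say how the 2010 forecast column was derived. The following script, an added example and not the author's own spreadsheet, shows the arithmetic that reproduces every figure in the table above from the January–April 2010 counts: it assumes a straight-line annualisation of the four-month count (count × 12 / 4) and assumes that "Projected % Change" is taken relative to the forecast rather than to the 2009 actual. It also recomputes the 44% "emerging threats" share of the January–April incidents. The cause names and counts are copied from the two tables above; the function names are my own.

```python
"""Reproduce the '2009 Actual vs. 2010 Forecasted' table from the
January-April 2010 incident counts.

Added example, not the deck's own tooling. Assumptions (both reproduce every
figure in the deck's table): the forecast is a linear annualisation of the
four-month count, and the percent change is relative to the forecast.
"""
MONTHS_OBSERVED = 4  # January-April 2010

# Counts copied from the 'January 2010 - April 2010' table in the deck.
JAN_APR_2010 = {
    "Physical Security": 16, "Insider": 15, "Network Security": 15, "Paper": 10,
    "Laptop": 9, "Mail/Printing Error": 8, "Virus": 6, "Portable Media": 5,
    "Web posting error": 4, "eMail error": 3, "Backup Tapes": 1,
    "Disposal of Hardware": 1, "Peer to Peer": 1, "Programming Error": 1,
    "Web Coding Error": 1,
}
# 2009 actuals copied from the '2009 Actual vs. 2010 Forecasted' table.
ACTUAL_2009 = {
    "Physical Security": 15, "Insider": 26, "Network Security": 42, "Paper": 39,
    "Laptop": 35, "Mail/Printing Error": 13, "Virus": 11, "Portable Media": 15,
    "Web posting error": 14, "eMail error": 11, "Backup Tapes": 1,
    "Disposal of Hardware": 3, "Peer to Peer": 2, "Programming Error": 1,
    "Web Coding Error": 3,
}
# The five causes the 'Trending upward' chart flags as emerging threats.
EMERGING = {"Paper", "Insider", "Mail/Printing Error", "eMail error", "Virus"}


def annualise(count, months=MONTHS_OBSERVED):
    """Scale a partial-year count to a full year (assumed linear trend)."""
    return round(count * 12 / months)


def projected_change(actual, forecast):
    """Percent change as the deck reports it: (forecast - actual) / forecast."""
    return round((forecast - actual) / forecast * 100)


def build_table(actual_2009=ACTUAL_2009, partial_2010=JAN_APR_2010):
    """Rows of (root cause, 2009 actual, 2010 forecast, projected % change)."""
    rows = []
    for cause, actual in actual_2009.items():
        forecast = annualise(partial_2010[cause])
        rows.append((cause, actual, forecast, projected_change(actual, forecast)))
    total_actual = sum(actual_2009.values())
    total_forecast = annualise(sum(partial_2010.values()))
    rows.append(("Totals", total_actual, total_forecast,
                 projected_change(total_actual, total_forecast)))
    return rows


def emerging_threat_share(partial_2010=JAN_APR_2010):
    """Percent of Jan-Apr 2010 incidents falling in the emerging-threat causes."""
    total = sum(partial_2010.values())
    return sum(n for c, n in partial_2010.items() if c in EMERGING) / total * 100


if __name__ == "__main__":
    print(f"{'Root Cause':<22}{'2009':>6}{'2010F':>8}{'Change':>8}")
    for cause, actual, forecast, change in build_table():
        print(f"{cause:<22}{actual:>6}{forecast:>8}{change:>7}%")
    print(f"Emerging threats share of Jan-Apr 2010: {emerging_threat_share():.0f}%")
```

The point worth noticing in the arithmetic is the denominator: because the change is divided by the forecast, a cause that triples from 15 to 48 shows as +69% rather than +220%, so the column understates growth and overstates decline relative to a conventional year-over-year figure. A four-month linear extrapolation is also a thin basis for a forecast, which is why the deck's own caveat about incident counts versus record counts applies here too.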
Could have, Should have, Would have - Top 10's

Root Cause               Nbr. of Records   Incidents   Countermeasures
Network Security             121,881,159         270   Timely patches, vulnerability scans, ethical hacks, complex password criteria, hardened server/device builds, defense in depth, and encryption
Laptop                        37,441,939         259   Hard drive encryption, physical chain locks
Physical Security              9,179,139         147   Alarm system, badge/bio access, hard drive encryption, locked server racks / PC cabinets, and encryption
Paper                          4,696,608         147   Records management, on-site shredding, imaging/shredding
Web posting error              4,533,405         143   QA & UAT
Insider                       25,352,839          89   Proper vetting of employees and contractors, logging and monitoring, and least privilege
Portable Media                26,677,497          83   Encryption
Mailing/Printing Error         2,566,405          48   QC & executive signoffs
Email error                      710,469          32   Outbound e-mail filters; e-mail encryption
Backup Tapes                   9,266,569          29   Encryption
Unknown                        5,598,145          20   Logging and monitoring (at a minimum to identify who, how, and what)
Virus                        100,073,262          14   Timely patches and up-to-date AV signatures, AV scanning of e-mail, website content filters, endpoint protection
Disposal of hardware          76,296,770          12   Degaussing and destruction of hard drives; encryption
Web coding error              32,169,060          12   Web app vulnerability scans, secure coding program, ethical hacks

Totals for Top Root Causes:  456,443,266       1,305
% of 5 Year Total:                99.87%      97.39%
Could have, Should have, Would have - Bottom 2%

Root Cause            Nbr. of Records   Incidents   Countermeasures
Social Engineering            435,000           4   Security awareness training for employees, contractors, and customers
Public PC                     117,000           2   Endpoint scanner for VPN access
Peer to Peer                   11,485           9   Block it
Phishing                        4,000           1   Security awareness training for employees, contractors, and customers
SmartPhone                      3,200           1   Implement your security program on BlackBerrys, iPhones, etc.
Skimming                        1,821          11   Inspection
PDA                               851           1   Implement your security program on PDAs
Programming Error                 123           2   SDLC
Fax error                          80           2   ???
Wireless                            ?           2   WPA, restrict access

Totals                        573,560          35
% of 5 Year Total               0.13%       2.61%
Conclusion of the Analysis
• Trends from the 5 year study can be used to forecast emerging threats.
• The use of encryption to protect data in transit and at rest can make a security breach a non-event for customers and employees.
• Insider risk has been on the rise. Practice “least privilege” and monitor insider activities.
• If you are not doing the Security 101 things, then all other efforts are a waste.
• The best IT security can be trumped by poor physical security and poor records management.

Questions???

I wish I had an answer to that because I'm tired of answering that question.
- Yogi Berra
Appendix A - Definition of Root Causes

• Network Security – The description included any of the following terms: hacked, unpatched, server/device misconfiguration, password cracking, default settings/passwords, server, router, firewall, database server.
• Laptop – Any mention of a laptop, lost or stolen.
• Paper – Any paper records lost, stolen, or misplaced, e.g. placed in a dumpster.
• Physical Security – Physical entry to premises and removal of computers and non-portable hard drives. Excludes laptops, paper, and mobile media.
• Web Posting Error – Accidental/unintentional release of information via a website.
• Insider – The breach was due to the illegal actions of an employee, consultant, or student who had some form of access to the data and abused that system/physical access.
• Portable Media – CDs, DVDs, USB thumb drives/flash drives, external hard drives, floppy disks. Excludes backup tapes.
• Mail/Printing Error – Accidental/unintentional release of information via printing and/or mailing data, e.g. wrong addressee or information printed/viewable on the outside of the mailing.
• Email Error – Accidental/unintentional release of information via e-mail, e.g. unintended addressee, wrong attachment, more data in the e-mail than the sender was aware of.
• Backup Tapes – Unencrypted backup tapes only.
• Virus – Any malware, virus, Trojan, keystroke logger, spyware.
• Disposal of Hardware – The discarding or selling of computer equipment with unencrypted hard drives that contain sensitive data.
• Web Coding Error – Website code inadvertently discloses sensitive data: SQL injection, cross-site scripting, website authentication weakness, etc.
• Unknown – The organization knew that it had a data breach but did not know the cause.
• Skimming – The copying of data from the magnetic stripe on credit and debit cards.
• Peer to Peer – Data disclosure via the use of file sharing software/websites.
• Social Engineering – A malicious individual (non-insider) obtained sensitive data through trickery.
• Fax Error – Data was either inadvertently sent to the wrong fax number, or more information was faxed to the correct recipient than intended by the sender.
• Programming Error (Backend) – Any breach that resulted from a programming issue with a backend processing application or from a batch job failure.
• Public PC – Data breach as a result of data being saved on to public PCs via e-mail downloads or data residing in temp files.
• Wireless – A breach as a result of an unsecured wireless transmission being intercepted, or an individual accessing an organization's wired network through an unsecured wireless access point connected to the wired network.
• PDA – Any breach involving a lost/stolen PDA with sensitive data stored on it.
• Phishing – A breach that involved an individual opening a phishing e-mail/website.
• Smartphone – Any breach involving a lost/stolen smartphone with sensitive data stored on it.
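The Appendix A definitions are essentially keyword rules applied to each incident's public description. As an added illustration of how that classification scheme behaves (this is my own code, not the tooling the author used; the study's coding was done by hand from the privacyrights.com descriptions), the script below encodes the definitions as ordered regular-expression rules and tallies a handful of constructed sample descriptions. The keyword lists follow the definitions above; the rule precedence (first match wins, specific causes before the Network Security catch-all) and the sample descriptions are my assumptions, not part of the deck.

```python
"""Keyword-based root-cause classifier modelled on the Appendix A definitions.

Added example, not the author's tooling. Keyword lists follow the deck's
definitions; the precedence order and the sample descriptions are assumptions.
"""
import re
from collections import Counter

# Rules are tried top to bottom and the first match wins. Specific causes come
# before broad ones so that a laptop stolen from an employee is counted as
# "Laptop" (the deck's convention), and "Network Security" stays the catch-all
# for hacking incidents whose exploit was not explained. Ordering is assumed.
RULES = [
    ("Skimming",             [r"\bskimm"]),
    ("Phishing",             [r"\bphish"]),
    ("Social Engineering",   [r"social engineering", r"\btricker", r"pretext"]),
    ("Peer to Peer",         [r"peer[- ]to[- ]peer", r"\bp2p\b", r"file[- ]sharing"]),
    ("Web Coding Error",     [r"sql injection", r"cross[- ]site scripting", r"\bxss\b",
                              r"website code", r"authentication (weakness|bypass)"]),
    ("Virus",                [r"\bvirus", r"malware", r"trojan", r"keystroke logger",
                              r"keylogger", r"spyware"]),
    ("Wireless",             [r"wireless", r"wi-?fi"]),
    ("Laptop",               [r"\blaptop"]),
    ("Smartphone",           [r"smart ?phone", r"blackberry", r"iphone"]),
    ("PDA",                  [r"\bpda\b"]),
    ("Backup Tapes",         [r"backup tape"]),
    ("Portable Media",       [r"\bcds?\b", r"\bdvds?\b", r"thumb ?drive", r"flash ?drive",
                              r"\busb\b", r"external hard drive", r"floppy"]),
    ("Disposal of Hardware", [r"discard", r"disposed", r"surplus", r"sold .*(computer|drive)"]),
    ("Email Error",          [r"e-?mail"]),
    ("Fax Error",            [r"\bfax"]),
    ("Mail/Printing Error",  [r"\bmail(ed|ing)\b", r"\bprint(ed|ing)\b", r"envelope", r"addressee"]),
    ("Web Posting Error",    [r"\bposted\b", r"web ?site", r"publicly accessible"]),
    ("Paper",                [r"\bpaper", r"\bdocuments?\b", r"\bfiles?\b", r"dumpster", r"\bboxes\b"]),
    ("Insider",              [r"employee", r"contractor", r"consultant", r"student"]),
    ("Physical Security",    [r"break[- ]in", r"broke into", r"burglar",
                              r"stolen (desktop|computer|server|hard drive)"]),
    ("Network Security",     [r"\bhack", r"unpatched", r"misconfigur", r"password crack",
                              r"default (setting|password)", r"\bserver\b", r"\brouter",
                              r"firewall", r"database"]),
]
COMPILED = [(cause, [re.compile(p, re.IGNORECASE) for p in pats]) for cause, pats in RULES]


def classify(description: str) -> str:
    """Return the first root cause whose keyword list matches; 'Unknown' if none."""
    for cause, patterns in COMPILED:
        if any(p.search(description) for p in patterns):
            return cause
    return "Unknown"


def tally(descriptions) -> Counter:
    """Count incidents per root cause, like the deck's 'Incidents' column."""
    return Counter(classify(d) for d in descriptions)


# Constructed sample descriptions for illustration; not incidents from the study.
SAMPLE_DESCRIPTIONS = [
    "An unencrypted laptop containing 4,000 patient records was stolen from an employee's car.",
    "Attackers exploited an unpatched database server and downloaded customer records.",
    "A spreadsheet with student grades was accidentally posted on the district website.",
    "A former contractor used retained credentials to access payroll data.",
    "Boxes of loan applications were found in a dumpster behind the branch.",
    "The customer database was breached via SQL injection on the online store.",
    "A keystroke logger on a teller workstation captured account numbers.",
    "Backup tapes with employee data were lost in transit by the courier.",
    "A burglar broke into the office and took two desktop computers.",
    "No description of the breach was provided.",
]

if __name__ == "__main__":
    for cause, n in tally(SAMPLE_DESCRIPTIONS).most_common():
        print(f"{cause:<22}{n:>3}")
```

Two properties of the scheme are visible once it is written down this way: the first-match ordering decides how mixed incidents are counted (the stolen-laptop-by-employee case lands in Laptop, not Insider, which is exactly why the deck's Laptop count is so large), and anything the rules cannot place falls into Unknown, matching the deck's observation that some organizations knew they had a breach but not its cause.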
Appendix B – Definition of Industries
   Banking – Banks, credit unions, credit card companies, and mortgage companies.
   Medical – Doctors, pharmacies, hospitals, clinics.
   Insurance – Any and all insurance companies.
   Education – Daycare, preschools, public and private K-12 schools, technical/trade schools,
    colleges and universities.
 Government – Local – City, town, county, township, borough, and parish governments,
    and local police.
 Government – State – Any of the 50 state governments, including all state government
    agencies, departments, and state police.
   Government – Federal – The US Federal government including all Federal agencies,
    departments, and the military.
   Accounting/Audit/Tax/Payroll – Public accounting firms, tax preparers, payroll service
    providers.
   Telecomm – Telecommunications companies including phone, mobile phone, ISPs, and
    cable companies.
 Retail – Retail stores and restaurants.
 eCommerce Retail – Retailers that do business solely online and have no physical
    storefront.
   Brokerage – Stock brokers, brokerage firms, and mutual fund companies.
