The document analyzes data breach records from 2005-2015 to examine trends by industry. It finds that healthcare, education, government, retail, and finance were most commonly affected, accounting for over 80% of breaches. Personal information was the most frequently stolen record type, compromised through various methods like device loss, insider leaks, and hacking. The analysis also looks specifically at breach trends in the healthcare industry, where loss of portable devices like laptops was a primary source of compromises.
This white paper discusses the various cyber threats targeting healthcare organizations and the challenges security professionals face in securing access to protected health information.
Reasons for the Popularity of Medical Record TheftOPSWAT
After a slew of data breaches in 2014, the FBI warned the healthcare industry that cyber-criminals would be directing more attention their way in 2015. The healthcare industry has become an increasingly valuable target for cyber thieves, and in some cases, a much easier target to attack, due to their often less than adequate investment in cyber security. What is it about the healthcare industry that has captured the cyber criminals' interest in the last few years?
This white paper covers various topics including industry data breach statistics, the value of credit card data versus medical record data, healthcare spending on cyber security and the impact of BYOD on industry vulnerability to data breaches. This white paper also highlights various solutions for protecting medical record data including multi-scanning, email security and the protection of endpoint devices.
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
Infographic: Symantec Healthcare IT Security Risk Management StudyCheapSSLsecurity
Cybersecurity in Healthcare: While Cyberattacks and data breaches are rising across industries, healthcare is lagging behind in cybersecurity investment.
This white paper discusses the various cyber threats targeting healthcare organizations and the challenges security professionals face in securing access to protected health information.
Reasons for the Popularity of Medical Record TheftOPSWAT
After a slew of data breaches in 2014, the FBI warned the healthcare industry that cyber-criminals would be directing more attention their way in 2015. The healthcare industry has become an increasingly valuable target for cyber thieves, and in some cases, a much easier target to attack, due to their often less than adequate investment in cyber security. What is it about the healthcare industry that has captured the cyber criminals' interest in the last few years?
This white paper covers various topics including industry data breach statistics, the value of credit card data versus medical record data, healthcare spending on cyber security and the impact of BYOD on industry vulnerability to data breaches. This white paper also highlights various solutions for protecting medical record data including multi-scanning, email security and the protection of endpoint devices.
Data Privacy: What you should know, what you should do!
CSMFO Data Privacy in the Governmental Sector, Local Government. Data Privacy Laws, PCI, Breaches, AICPA – Generally Accepted Privacy Principles
Infographic: Symantec Healthcare IT Security Risk Management StudyCheapSSLsecurity
Cybersecurity in Healthcare: While Cyberattacks and data breaches are rising across industries, healthcare is lagging behind in cybersecurity investment.
Welcome to the first Verizon Protected Health Information Data Breach Report (PHIDBR).
We’re the same team that has brought you the Verizon Data Breach Investigations Report
(DBIR) since 2008, and we are excited to revisit some of that data and bring in
some new incidents for this report.
The purpose of this study is to shed light on the problem of medical data loss—how it is
disclosed, who is causing it and what can be done to combat it. This is a far-reaching
problem that impacts not only organizations that are victims of these breaches, but also
doctor-patient relationships. And it can have consequences that spread more broadly
than just those directly affected by the incidents.
HIPAA Security Trends and Future ExpectationsPYA, P.C.
PYA Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant, presented at teh TSCPA Health Care Conference. His presentation, “HIPAA Security Trends and Future Expectations” will focuses on:
- Current HIPAA enforcement activities and future developments.
- Case studies that highlight the changing HIPAA landscape.
- Cyber threats that impact covered entities and business associates.
Responding to a Company-Wide PII Data BreachCBIZ, Inc.
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
Rapid7 Report: Data Breaches in the Government SectorRapid7
Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure.
Protecting Patient Health Information in the HITECH EraRapid7
The American Healthcare system is getting a complete facelift thanks to incentives to adopt Health Information Technology introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act contains tools for the enforcement of HIPAA regulations, as well as incentives to accelerate the adoption of information systems that reduce costs, gain efficiencies, and ultimately improve patient care while keeping patient health information secure. This paper examines the HITECH Act, the enforcement mechanisms the HITECH Act provides for HIPAA, and the key security challenges healthcare services face in order to protect patient health information as part of becoming HIPAA compliant.
This presentation covers the FACTA Identity Theft Red Flags Rule and other legislation in the compliance for business in preventing and reducing Identity Theft in the workplace.
Sharing the blame: How companies are collaborating on data security breaches, is an Economist Intelligence Unit research project, sponsored by Akamai Technologies, exploring the ways in which organisations are collaborating to deal with the disclosure of data security breaches. How are they co-operating with governments, other companies and third parties in areas such as requirements for the public disclosure of such breaches? Do they have consistent cyber security policies? To what extent are they sharing best practices?
Findings from India Fraud Survey 2012: Fraud and Corporate Governance - Chang...EY
A report based on a survey conducted to understand the fraud scenario in India. This study aims to understand how businesses have coped with increasing fraud and corruption risk last year, what the emerging fraud risks in the industry are and the measures taken by various organizations to mitigate these risks.
For further information on EY's fraud investigation and dispute services, please visit: http://www.ey.com/IN/en/Services/Assurance/Fraud-Investigation---Dispute-Services
Where security and privacy meet partnering tips for CSOs and privacy/complian...Compliancy Group
This webinar will identifying challenges in both the privacy and security offices, explaining the necessities of working together, and identify mutual goals, both within their departments and in the context of the rest of the business. It will include solutions and suggestions for working together and case studies/examples showing common mistakes as well as success stories of privacy and IT offices working together.
Panelists:
Gant Redmon, General Counsel and VP of Business Development, Co3 Systems
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
2015 cost of data breach study global analysisxband
2015 Cost of Data Breach Study:
Global Analysis
By: Ponemon Institute
Benchmark research sponsored by IBM
Independently conducted by Ponemon Institute LLC
May 2015
Recognizing the signs of aging presentationOlympicSrCare
This presentation is one of many available on senior topics to help families better understand the aging process and find resources to help their loved one remain safe and healthy in their home. To sign up for a workshop please contact our office. Note: Videos and manuals affiliated with this presentation are only available when attending the workshop.
For more information go to www.homeinstead.com/650.
Pintxo de pimentos de piquillos rellenos de bonito del norte con anchoas del ...Olmeda Orígenes
Pintxo de Pimentos de Piquillos rellenos de bonito del norte con anchoas del cantábrico y guindilla vasca
Ingredientes:
• Bonito del Norte en aceite de oliva
• Pimiento de piquillo de Navarra
• Filetes de anchoa del cantábrico
• Guindilla Vasca Olmeda Orígenes
• Una rodaja de Pan
• Aceite de Oliva Virgen Extra
Modo de preparación:
1. Se rellena el pimiento de piquillo de Navarra cuidadosamente con el bonito del norte Olmeda Orígenes y se coloca sobre la rodaja de pan.
2. Se pone un filete de anchoa del Cantábrico encima del pimiento.
3. Cogemos una guindilla entera, la atravesamos un palillo de cocina y lo clavamos en la anchoa y el pimiento fijando todos los ingredientes al pan.
4. Con una botella de aceite de oliva rociamos un poco los pintxos para que ganen frescura y sabor.
The 4th Strategic Recruitment and Talent Selection SummitJanette Toral
Janette Toral will be one of the resource persons in "The 4th Strategic Recruitment and Talent Selection Summit" to talk on "Best Practices in Recruitment in HyperGrowth Organizations" this April 26 and 27, 2016 at The Pan Pacific Hotel Manila. Call Indu Inferentia Management Consultancy at tel: 506.0064 966.0449, 624.9233, 0917.551.6528, 0917.551.6582 for inquiries.
Welcome to the first Verizon Protected Health Information Data Breach Report (PHIDBR).
We’re the same team that has brought you the Verizon Data Breach Investigations Report
(DBIR) since 2008, and we are excited to revisit some of that data and bring in
some new incidents for this report.
The purpose of this study is to shed light on the problem of medical data loss—how it is
disclosed, who is causing it and what can be done to combat it. This is a far-reaching
problem that impacts not only organizations that are victims of these breaches, but also
doctor-patient relationships. And it can have consequences that spread more broadly
than just those directly affected by the incidents.
HIPAA Security Trends and Future ExpectationsPYA, P.C.
PYA Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant, presented at teh TSCPA Health Care Conference. His presentation, “HIPAA Security Trends and Future Expectations” will focuses on:
- Current HIPAA enforcement activities and future developments.
- Case studies that highlight the changing HIPAA landscape.
- Cyber threats that impact covered entities and business associates.
Responding to a Company-Wide PII Data BreachCBIZ, Inc.
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
Rapid7 Report: Data Breaches in the Government SectorRapid7
Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure.
Protecting Patient Health Information in the HITECH EraRapid7
The American Healthcare system is getting a complete facelift thanks to incentives to adopt Health Information Technology introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act contains tools for the enforcement of HIPAA regulations, as well as incentives to accelerate the adoption of information systems that reduce costs, gain efficiencies, and ultimately improve patient care while keeping patient health information secure. This paper examines the HITECH Act, the enforcement mechanisms the HITECH Act provides for HIPAA, and the key security challenges healthcare services face in order to protect patient health information as part of becoming HIPAA compliant.
This presentation covers the FACTA Identity Theft Red Flags Rule and other legislation in the compliance for business in preventing and reducing Identity Theft in the workplace.
Sharing the blame: How companies are collaborating on data security breaches, is an Economist Intelligence Unit research project, sponsored by Akamai Technologies, exploring the ways in which organisations are collaborating to deal with the disclosure of data security breaches. How are they co-operating with governments, other companies and third parties in areas such as requirements for the public disclosure of such breaches? Do they have consistent cyber security policies? To what extent are they sharing best practices?
Findings from India Fraud Survey 2012: Fraud and Corporate Governance - Chang...EY
A report based on a survey conducted to understand the fraud scenario in India. This study aims to understand how businesses have coped with increasing fraud and corruption risk last year, what the emerging fraud risks in the industry are and the measures taken by various organizations to mitigate these risks.
For further information on EY's fraud investigation and dispute services, please visit: http://www.ey.com/IN/en/Services/Assurance/Fraud-Investigation---Dispute-Services
Where security and privacy meet partnering tips for CSOs and privacy/complian...Compliancy Group
This webinar will identifying challenges in both the privacy and security offices, explaining the necessities of working together, and identify mutual goals, both within their departments and in the context of the rest of the business. It will include solutions and suggestions for working together and case studies/examples showing common mistakes as well as success stories of privacy and IT offices working together.
Panelists:
Gant Redmon, General Counsel and VP of Business Development, Co3 Systems
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
2015 cost of data breach study global analysisxband
2015 Cost of Data Breach Study:
Global Analysis
By: Ponemon Institute
Benchmark research sponsored by IBM
Independently conducted by Ponemon Institute LLC
May 2015
Recognizing the signs of aging presentationOlympicSrCare
This presentation is one of many available on senior topics to help families better understand the aging process and find resources to help their loved one remain safe and healthy in their home. To sign up for a workshop please contact our office. Note: Videos and manuals affiliated with this presentation are only available when attending the workshop.
For more information go to www.homeinstead.com/650.
Pintxo de pimentos de piquillos rellenos de bonito del norte con anchoas del ...Olmeda Orígenes
Pintxo de Pimentos de Piquillos rellenos de bonito del norte con anchoas del cantábrico y guindilla vasca
Ingredientes:
• Bonito del Norte en aceite de oliva
• Pimiento de piquillo de Navarra
• Filetes de anchoa del cantábrico
• Guindilla Vasca Olmeda Orígenes
• Una rodaja de Pan
• Aceite de Oliva Virgen Extra
Modo de preparación:
1. Se rellena el pimiento de piquillo de Navarra cuidadosamente con el bonito del norte Olmeda Orígenes y se coloca sobre la rodaja de pan.
2. Se pone un filete de anchoa del Cantábrico encima del pimiento.
3. Cogemos una guindilla entera, la atravesamos un palillo de cocina y lo clavamos en la anchoa y el pimiento fijando todos los ingredientes al pan.
4. Con una botella de aceite de oliva rociamos un poco los pintxos para que ganen frescura y sabor.
The 4th Strategic Recruitment and Talent Selection SummitJanette Toral
Janette Toral will be one of the resource persons in "The 4th Strategic Recruitment and Talent Selection Summit" to talk on "Best Practices in Recruitment in HyperGrowth Organizations" this April 26 and 27, 2016 at The Pan Pacific Hotel Manila. Call Indu Inferentia Management Consultancy at tel: 506.0064 966.0449, 624.9233, 0917.551.6528, 0917.551.6582 for inquiries.
Δείτε πως η Αυτόλογη Μεσοθεραπεία PRP συνδυάζεται με την κλασσική Μεσοθεραπεία στο πρόγραμμα 4 εβδομάδων Red Carpet, για ένα αποτέλεσμα ολικού λιφτινγκ (Χωρίς νυστέρι). Νιώστε και εσείς σαν Σταρ!
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to:
https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
Part of the webinar series: CORPORATE & REGULATORY COMPLIANCE BOOTCAMP 2022 - PART I
See more at https://www.financialpoise.com/webinars/
Consumers rely on businesses to keep their personal information safe. Too few of those businesses are actively protecting that data. Here’s what’s gone wrong, and how businesses should be responding. Full blog here: http://bit.ly/1Jtzym5
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? IJNSA Journal
Healthcare Information Technology (IT) has made great advances over the past few years and while these advances have enable healthcare professionals to provide higher quality healthcare to a larger number of individuals it also provides the criminal element more opportunities to access sensitive information, such as patient protected health information (PHI) and Personal identification Information (PII). Having an Information Assurance (IA) programallows for the protection of information and information systems andensures the organization is in compliance with all requires regulations, laws and directive is essential. While most organizations have such a policy in place, often it is inadequate to ensure the proper protection to prevent security breaches. The increase of data breaches in the last few years demonstrates the importance of an effective IA program. To ensure an effective IA policy, the
policy must manage the operational risk, including identifying risks, assessment and mitigation of identified risks and ongoing monitoring to ensure compliance.
Identity Theft ResponseYou have successfully presented an expaLizbethQuinonez813
Identity Theft Response
You have successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects.
The CEO says to you, "The Incident Response Plan will be our company's action plan to recover should the 'worst' occur. In our case, the 'worst' would be a breach of the company's security that could occur through the theft of customers' personally identifiable information, possibly through an individual's mobile device. Such a breach could compromise the integrity of the financial institution's data."
The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.”
“Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?”
You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts. Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light.
The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
Identity theft is becoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft.
As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization.
Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.Competencies
Your work will be evaluated using the competencies listed below.
· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 8.4: Design an enterprise cybersecurity incident response plan.
Project 2: Identity Theft Response
Step 1: Identify Potential PII Attacks
Since this project will require an enterprise cybersecurity incident response plan with ...
1. A TrendLabsSM
Research Paper
Follow the Data:
Analyzing Breaches by Industry
Trend Micro Analysis of Privacy Rights Clearinghouse
2005–2015 Data Breach Records
Numaan Huq
Forward-Looking Threat Research (FTR) Team
2. TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information
and educational purposes only. It is not intended and
should not be construed to constitute legal advice. The
information contained herein may not be applicable to all
situations and may not reflect the most current situation.
Nothing contained herein should be relied on or acted upon
without the benefit of legal advice based on the particular
facts and circumstances presented and nothing herein
should be construed otherwise. Trend Micro reserves the
right to modify the contents of this document at any time
without prior notice.
Translations of any material into other languages are
intended solely as a convenience. Translation accuracy is
not guaranteed nor implied. If any questions arise related
to the accuracy of a translation, please refer to the
original language official version of the document. Any
discrepancies or differences created in the translation are
not binding and have no legal effect for compliance or
enforcement purposes.
Although Trend Micro uses reasonable efforts to include
accurate and up-to-date information herein, Trend Micro
makes no warranties or representations of any kind as
to its accuracy, currency, or completeness. You agree
that access to and use of and reliance on this document
and the content thereof is at your own risk. Trend Micro
disclaims all warranties of any kind, express or implied.
Neither Trend Micro nor any party involved in creating,
producing, or delivering this document shall be liable
for any consequence, loss, or damage, including direct,
indirect, special, consequential, loss of business profits,
or special damages, whatsoever arising out of access to,
use of, or inability to use, or in connection with the use of
this document, or any errors or omissions in the content
thereof. Use of this information constitutes acceptance for
use in an “as is” condition.
Contents
Overview
4
Healthcare
10
Government
12
Retail
15
Finance
17
Education
20
3. Our data source
The Privacy Rights Clearinghouse (PRC) is a nonprofit corporation based in
California. PRC’s mission is to engage, educate, and empower individuals
to protect their privacy1
. They do this by raising consumers’ awareness of
how technology affects personal privacy, and they empower consumers
to take actions to control their personal information by providing practical
tips on privacy protection. PRC responds to privacy-related complaints
from consumers and where appropriate intercedes on the consumer’s
behalf/refers them to the proper organizations for further assistance. PRC
documents consumers’ complaints and questions about privacy in reports
and makes them available to policy makers, industry representatives,
consumer advocates, media, etc. PRC advocates consumers’ privacy
rights in local, state, and federal public policy proceedings.
PRC publishes the “Chronology of Data Breaches Security Breaches
2005–Present1
,” which is a collection of publicly disclosed data breach
incident reports that occurred in the United States. The data is compiled
from a variety of sources including: media, Attorney General’s Office press
releases, company press releases, privacy websites, etc.
All data breach incident reports in this paper have been collected from the PRC
database for the period, January 2005–April 20152
. PRC’s original “Organization
Types” were expanded to include a wide range of industries in order to provide
a fine-grained view into victim profiles. Each entry was analyzed to determine
the record types compromised. The data collected was analyzed using tools that
include KH Coder3
, MSBNx4
, and Explore Analytics5
.
4. 4 | Follow the Data
Hacking or malware
Insider leak
Payment card fraud
Physical device loss
Portable device
Stationary device
Unintended disclosure
Unknown
800
400
0
2014 20152005 2006 2007 2008 2009 2010 2011 2012 2013
Further analysis of publicly disclosed
data breach incidents
This material supplements the paper, “Follow the Data: Dissecting Data Breaches and Debunking Myths,”
where we looked at the volume of incidents over a span of 10 years and formulated a Bayesian model in
order to determine the probability that different breach scenarios would occur. We also took a closer look
at where stolen data eventually ended up and what interested parties could do with it.
Here, we will take a closer look at the different breach methods, record-type combinations stolen, and
industry cross-sections of the PRC data.
Figure 1: Breach methods observed from 2005 to April 2015
Figure 1 shows an interesting visualization that emerged when breach methods were plotted on
a timescale.
• Portable device (USB keys, portable drives, laptops, etc.) loss or theft is a major contributing factor in
the leakage of sensitive data. This remains a constant threat over the years.
5. 5 | Follow the Data
Healthcare
Education
Government
Retail
Financial
Service
Banking
Technology
Insurance
Media
Others
26.9%
16.8%
15.9%
12.5%
9.2%
3.5%
2.8%
2.6%
1.6%
1.4%
6.8%
• The number of hacking or malware attacks steadily rose from 2010 onward. As the Internet expands
and new applications are introduced, businesses are steadily growing their online presence, leading
to an increase in hacking or malware attacks against them.
• A big increase in the number of insider threats was seen from 2010 onward. There are two plausible
explanations for this. First, insider threats have always been present and not properly reported.
Second, insiders now find it monetarily lucrative to steal and sell sensitive data, and so, commit more
crimes.
Figure 2: Industries affected by data breaches
Any business or organization that processes and/or stores sensitive data is a potential breach target.
Figure 2 shows that the healthcare, education, government, retail, and financial industries were the most
frequent victims of data breach crimes. The PRC data shows that these five industries accounted for
81.3% of the total number of disclosed data breach incidents. This is not really surprising, as businesses
or organizations that belong to these industries are a treasure trove of valuable sensitive data and so
would provide good returns on investment (ROIs) for the cybercriminals that compromise them.
All of the aforementioned industries are subject to specialized state and federal data breach disclosure
laws. That’s why we see them dominate incident reports. Other industries are also targeted but incident
reports for them are few likely because of:
• Failure to identify data breaches
• Failure to properly assess data breaches
• Noncompliance with data breach notification laws
6. 6 | Follow the Data
PII
Health + PII
Financial + PII
Health
Payment card
Credentials + PII
Education + PII
Financial + health + PII
PII + payment card
Financial
Others
34.0%
12.8%
8.3%
5.8%
5.2%
3.9%
3.7%
3.5%
3.0%
2.8%
17.0%
• Lack of knowledge of data breach notification laws
• Nondisclosure because of active investigation by authorities
• Breaches did not lead to the compromise of data that legally mandates public disclosure
Often, organizations are not even aware of ongoing data breaches and require external parties (banks,
law enforcement agencies, customers, etc.) to inform them. Data breach news stories are regularly
leaked to the media. Media practitioners also have ongoing investigations or learn about breaches from
insiders. Large data breaches are typically followed by class-action lawsuits, which damage businesses
or organizations and may even deter them from immediately disclosing incidents.
Figure 3: Record-type combinations compromised
Figure 3 shows that a wide range of data gets stolen from businesses (big and small) and individuals,
including:
• Personally identifiable information (PII): Names, addresses, Social Security numbers, and other
information.
• Financial data: Banking, insurance, billing, and other information.
• Health data: Hospitals and doctors’ office records, medical insurance, and other information.
• Education data: School, college, university, or related records.
• Payment card data: Credit, debit, store-branded credit, and prepaid gift cards.
• Credentials: Log-in credentials to eBay, PayPal, Web-based emails, online banking sites, and others.
• Others: Intellectual property, intelligence about an organization, and other information.
• Unknown: In many cases, investigators failed to determine what was stolen.
7. 7 | Follow the Data
Hacking or malware
Insider leak
Payment card fraud
Physical loss
Portable device loss
Stationary device loss
Unintended disclosure
Unknown
2K
1K
0
PII Health
+ PII
Financial
+ PII
Health Payment
card
Credentials
+ PII
Education
+ PII
Financial
+ health
+ PII
PII +
payment
card
Financial
Figure 4: Top 10 record-type combinations compromised versus breach methods used
Figure 4 shows that the most popular record types stolen were PII; health, financial, education, and
payment card data; and credentials. These are easy to monetize and thus make lucrative targets. Health
and education data is mostly stolen because they contain PII. Data presented later will support this claim.
PII was most commonly compromised. The usual breach methods for PII theft were unintended disclosure,
loss or theft, insiders, and hacking or malware. No breach method could be singled out as the major
contributing factor for compromising PII; all available means were instead employed.
8. 8 | Follow the Data
Company name
Records
compromised
Disclosure date Record types compromised
eBay 145M 21 May 2014 Credentials, PII
Heartland Payment Systems 130M 20 January 2009 Payment card data
Target 110M 13 December 2013 PII (70M), payment card data (40M)
The Home Depot 109M 2 September 2014 PII (53M), payment card data (56M)
Sony PlayStation Network 101.6M 27 April 2011 Credentials, financial data, PII,
payment card data
TJ stores (TJX) 100M 17 January 2007 PII, payment card data
Anthem 80M 5 February 2015 Financial data, PII
JP Morgan Chase 76M 28 August 2014 Credentials, financial data, PII
Evernote 50M 3 March 2013 Credentials
Epsilon 50M 2 April 2011 PII
CardSystems 40M 16 June 2005 Payment card data
Adobe 38M 4 October 2013 Credentials, PII, payment card data
Steam (The Valve Corporation) 35M 10 November 2011 Credentials, PII, payment card data
RockYou 32M 15 December 2009 Credentials
LivingSocial 29M 26 April 2013 Credentials, PII
Zappos.com 24M 15 January 2012 Credentials, PII
WordPress 18M 14 April 2011 Credentials, other data
Countrywide Financial Corp. 17M 2 August 2008 Financial data, PII
DeviantArt 13M 17 December 2010 PII
Bank of New York Mellon 12.5M 26 March 2008 Financial data, PII
Figure 5: Top 20 publicly disclosed data breach incidents as of April 2015
The total number of records compromised is typically used to quantify the size and extent of a data
breach incident. Figure 5 shows that the biggest incidents were not concentrated in the past five years
but spread out across 2005 to April 2015.
The biggest payment card breach incident was not the one that involved Target or Home Depot but that
which affected Heartland Payment Systems in 2009. Albert Gonzalez was charged by the authorities for
this breach and sent to prison for 20 years6
. The biggest credential leak involved eBay in 2014. Hackers
compromised its employees’ log-in credentials, allowing them access to the corporate network and to
compromise the main databases that held all user passwords. The criminals also gained access to PII like
names, email addresses, home addresses, phone numbers, and dates of birth7
. The biggest data breach
to date involved Anthem where 80 million records were compromised and up to 18.8 million people were
affected. PII and employment information like income data was stolen8
.
Massive-scale data breaches are not that common, as they entail careful planning and prolonged effort on
the criminals’ part in order to succeed. Criminals tend to get better ROIs by targeting smaller businesses
and organizations, which have weaker defenses and so are easier to penetrate and compromise.
9. 9 | Follow the Data
Analysis of top 5 industries affected
by data breaches
The healthcare, education, government, retail, and financial industries are frequent data breach victims.
We studied five data sets for each industry and looked at trending patterns.
• Data breach incident disclosures: In this data set, we looked at incident numbers broken down by
year reported. Only a fraction of all of the incidents was actually reported. An increase in the number
of reported incidents strongly indicates that the total volume of data breaches has increased and vice
versa.
• Data breach methods: In this data set, we studied the breach methods used. Data breach incidents
could be due to hacking or malware attacks; insider threats; payment card fraud; physical loss or theft
of portable drives, laptops, office computers, files, and others; or unintended disclosures. In a small
number of cases, the actual breach method remains unknown or undisclosed.
• Top 3 data breach methods observed and trends from 2005 to 2014: In this data set, we looked
at the incident report numbers for the top 3 data breach methods broken down by year reported. A
logarithmic trend line was calculated for each breach method.
• Record types compromised: Criminals tend to steal all kinds of available data. Examples include PII
stored as part of health and education records. In some cases, financial data like billing, insurance,
and other information is stored along with health records. As such, these get stolen together. In this
data set, we looked at the record types and record-type combinations compromised.
• Probability of compromising different record types for each breach method: In this data set, we
looked at the probability of different record types getting compromised for each breach method.
10. 10 | Follow the Data
300
150
0
20142005 2006 2007 2008 2009 2010 2011 2012 2013
Portable device loss
Physical loss
Insider leak
Unintended disclosure
Stationary device loss
Hacking or malware
Payment card fraud
Unknown
33.7%
17.6%
17.5%
12.8%
8.7%
6.9%
0.1%
2.7%
Figure 6: Healthcare data breach incident disclosures from 2005 to 2014
Figure 7: Breach methods observed in the healthcare industry
The loss or theft of portable devices, backup drives, files, laptops, office computers, and other devices
accounted for almost two-thirds of all breaches. Surprisingly, hacking or malware attacks accounted for
less than 10% of all of the breaches.
Data breaches in the healthcare industry
The number of data breach incidents increased from 2010 onward. The “Health Insurance Portability and
Accountability Act (HIPAA),” which outlines patient data privacy requirements, has been around since
1996 and mandates that organizations in the healthcare industry disclose all data breaches. The upward
trend in incident report numbers suggests that the healthcare industry has recently become a lucrative
target.
11. 11 | Follow the Data
Health + PII
Health
PII
Financial + health + PII
Financial + PII
Others
40.3%
19.2%
14.9%
10.6%
1.8%
13.2%
Figure 8: Top 3 breach methods observed in the healthcare industry from 2005 to 2014
The top 3 breach methods in the healthcare industry were loss or theft, insider leaks, and unintended
disclosures. From the reported numbers, we observed a marked increase in loss or theft incidents from
2010 onward. A possible explanation for this increase, apart from more theft, was better incident reporting.
The trend line for each breach method shows an upward trend with loss or theft growing more than both
insider threats and unintended disclosures.
Figure 9: Record types compromised in the healthcare industry
The most popular record types and record-type combinations compromised were health and PII, PII,
health data, and PII and financial and health data. In some cases, patient files contained billing and
insurance information, leading to their theft.
150
75
0
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
Loss or theft
Insider leak
Hacking or
malware
12. 12 | Follow the Data
50%
20%
0
Hacking or malware
Insider leak
Loss or theft
Unintended disclosure
Payment card fraud
Unknown
PII Health Financial Payment
card
Education Credentials Unknown Others
120
60
0
20142005 2006 2007 2008 2009 2010 2011 2012 2013
Figure 10: Probability of compromising different record types
per breach method in the healthcare industry
PII and health data had the highest probability of getting compromised. There is a small chance that
financial data like billing, insurance, and other information will also get compromised. The most probable
breach method for stealing PII and health data is loss or theft.
Data breaches in the government sector
Data breaches follow a pattern that starts with a big increase in incident numbers reported in one year,
followed by several years of decline. Every time there is an increase in data breach incidents, new policies,
protocols, and procedures are most likely implemented, driving the incident numbers down.
Figure 11: Government sector data breach incident disclosures from 2005 to 2014
13. 13 | Follow the Data
Unintended disclosure
Portable device loss
Hacking or malware
Physical loss
Insider leak
Stationary device loss
Unknown
26.6%
24.0%
17.4%
14.6%
10.7%
3.5%
3.2%
80
40
0
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
Loss or theft
Unintended
disclosure
Hacking or
malware
Figure 12: Breach methods observed in the government sector
Across government organizations, loss or theft of portable devices, backup drives, and others was the
biggest contributing factor in data breaches. Unintended disclosure of sensitive data through mistakes or
negligence is another major problem.
Figure 13: Top 3 breach methods observed in the
government sector from 2005 to 2014
The top 3 breach methods in the government sector were loss or theft, unintended disclosures, and
hacking or malware attacks. Based on the reported incident numbers, there was a gradual decline in loss
or theft incidents. This suggests the presence of strong policies, protocols, and procedures that help
reduce such incidents. The trend line for unintended disclosures shows that this threat remained fairly
consistent over the years whereas hacking or malware attacks increased.
14. 14 | Follow the Data
PII
Financial + PII
Health + PII
Financial
Credentials + PII
Others
57.4%
10.8%
6.6%
3.8%
3.4%
18.0%
40%
20%
0
Hacking or malware
Insider leak
Loss or theft
Unintended disclosure
Payment card fraud
Unknown
PII Health Financial Payment
card
Education Credentials Unknown Others
Figure 14: Record types compromised in the government sector
PII theft dominated the data breach incidents in the government sector.
Figure 15: Probability of compromising different record types
per breach method in the government sector
Among breaches that targeted government organizations, PII had the highest probability of getting
compromised. There is a small chance that financial and health data will also be compromised. The most
probable breach methods for stealing PII were loss or theft, unintended disclosures, hacking or malware
attacks, and insider threats.
15. 15 | Follow the Data
120
60
0
20142005 2006 2007 2008 2009 2010 2011 2012 2013
Hacking or malware
Portable device loss
Insider leak
Unintended disclosure
Physical loss
Payment card fraud
Stationary device loss
Unknown
47.6%
12.5%
12.2%
8.9%
6.8%
6.2%
2.9%
2.9%
Data breaches in the retail industry
Data breaches have become commonplace in the retail industry after the development of PoS RAM
scrapers sometime between 2007 and 20089,10
The upward trend observed in the incident report numbers
reflected this growing threat.
Figure 16: Retail industry data breach incident disclosures from 2005 to 2014
Figure 17: Breach methods observed in the retail industry
Hacking or malware attacks were common in the retail industry. PoS RAM scrapers were used to collect
payment card data while a variety of infiltration techniques were employed to gain initial entry into and
laterally move across target networks in order to compromise PoS servers. Insider threats mostly refer to
employees who use skimming devices to steal credit card data.
16. 16 | Follow the Data
60
30
0
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
Hacking or
malware
Loss or theft
Insider leak
PII
Payment card
PII + payment card
Financial + payment card
Credentials + PII
Others
27.9%
24.9%
12.0%
5.9%
4.8%
24.5%
Figure 18: Top 3 breach methods observed in the retail industry from 2005 to 2014
The top 3 breach methods used in the retail industry were hacking or malware attacks, loss or theft, and
insider threats. The reported incident numbers show a big increase in hacking or malware attacks, which
could be attributed to PoS RAM scrapers. Insider threats showed an upward trend while the trend line for
loss or theft remained consistent over the years.
Figure 19: Record types compromised in the retail industry
The retail industry is a hotbed for the theft of payment card data, financial information, and PII and
payment card data.
17. 17 | Follow the Data
40%
20%
0
Hacking or malware
Insider leak
Loss or theft
Unintended disclosure
Payment card fraud
Unknown
PII Health Financial Payment
card
Education Credentials Unknown Others
80
40
0
20142005 2006 2007 2008 2009 2010 2011 2012 2013
Figure 20: Probability of compromising different record types
per breach method in the retail industry
Payment card data and PII had the highest probability of getting compromised. The most probable
method for stealing payment card data was hacking or malware attacks. For PII, the most probable
breach methods were hacking or malware attacks and loss or theft.
Data breaches in the financial industry
Similar to the pattern observed in the government sector, the financial industry posted a big increase in
incident numbers reported in one year, followed by several years of decline. It is probable that every time
the number of incidents increases, new policies, protocols, and procedures were implemented, which
drove the trend down.
Figure 21: Financial industry data breach incident disclosures from 2005 to 2014
18. 18 | Follow the Data
Portable device loss
Hacking or malware
Unintended disclosure
Insider leak
Physical loss
Stationary device loss
Payment card fraud
Unknown
26.8%
21.5%
15.7%
12.3%
10.9%
4.6%
2.6%
5.6%
50
25
0
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
Loss or theft
Hacking or
malware
Insider leak
Figure 22: Breach methods observed in the financial industry
There was a fairly even distribution of incidents involving loss or theft, hacking or malware, insider threats,
and unintended disclosures in the financial industry. Perpetrators employ any means to compromise
financial data instead of relying on one or two proven breach methods.
Figure 23: Top 3 breach methods observed in the financial industry from 2005 to 2014
The top 3 breach methods used in the financial industry were loss or theft, hacking or malware attacks,
and insider threats. The reported incident numbers show a decline in loss or theft, which suggests that
strong policies, protocols, and procedures may have been put in place, helping reduce such incidents.
Hacking or malware attacks and insider threats increased.
19. 19 | Follow the Data
Financial + PII
PII
Credentials + financial + PII
Financial
Credentials + PII
Others
27.8%
26.8%
9.2%
7.2%
3.6%
25.4%
40%
20%
0
Hacking or malware
Insider leak
Loss or theft
Unintended disclosure
Payment card fraud
Unknown
PII Health Financial Payment
card
Education Credentials Unknown Others
Figure 24: Record types compromised in the financial industry
The most popular record types and record-type combinations compromised were financial data and
PII; PII; credentials, financial data, and PII; credentials and PII; and financial data. The credentials stolen
usually included online banking log-in details.
Figure 25: Probability of compromising different record types
per breach method in the financial industry
PII and financial data had the highest probability of getting compromised. The most likely data breach
methods were loss or theft and hacking or malware attacks. There is a small chance that credentials and
payment card data will also get compromised.
20. 20 | Follow the Data
120
60
0
20142005 2006 2007 2008 2009 2010 2011 2012 2013
Hacking or malware
Unintended disclosure
Portable device loss
Physical loss
Stationary device loss
Insider leak
Payment card fraud
Unknown
34.2%
28.9%
17.8%
7.2%
6.4%
3.5%
0.1%
1.9%
Data breaches in the education sector
The data breach incident numbers in the education sector have been declining over the years. This could
possibly be due to a shift in focus to more lucrative targets like the healthcare and retail industries.
Figure 26: Education sector data breach incident disclosures from 2005 to 2014
Figure 27: Breach methods observed in the education sector
Hacking or malware attacks, unintended disclosures, and loss or theft accounted for 94.5% of all of the
breaches observed in the education sector.
21. 21 | Follow the Data
50
25
0
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014
Hacking or
malware
Loss or theft
Unintended
disclosure
PII
Education + PII
Education
Financial + PII
Credentials + PII
Others
47.6%
21.7%
5.5%
3.9%
2.8%
18.5%
Figure 28: Top 3 breach methods observed in the education sector from 2005 to 2014
The top 3 breach methods seen were hacking or malware attacks, loss or theft, and unintended disclosures.
The trend lines for all three methods show a downward pattern.
Figure 29: Record types compromised in the education sector
The most popular record types and record-type combinations compromised were PII as well as education
and PII. Financial data was also compromised in some incidents.
22. 22 | Follow the Data
30%
15%
0
Hacking or malware
Insider leak
Loss or theft
Unintended disclosure
Payment card fraud
Unknown
PII Health Financial Payment
card
Education Credentials Unknown Others
Figure 30: Probability of compromising different record types
per breach method in the education sector
Education and PII posted the highest probability of getting compromised via methods such as hacking or
malware attacks, loss or theft, and unintended disclosures.
23. 23 | Follow the Data
References
1. Privacy Rights Clearinghouse. (2015). About the Privacy Rights Clearinghouse. Last accessed on 3 July 2015,
https://www.privacyrights.org/content/about-privacy-rights-clearinghouse.
2. Privacy Rights Clearinghouse. (2015). “Chronology of Data Breaches Security Breaches 2005–Present.” Last
accessed on 23 June 2015, https://www.privacyrights.org/data-breach.
3. KH Coder [Computer Software]. (2015). Retrieved from http://khc.sourceforge.net/en/.
4. Microsoft Bayesian Network Editor [Computer Software]. (2010). Retrieved from http://research.microsoft.com/
en-us/um/redmond/groups/adapt/msbnx/.
5. Explore Analytics [Online Software]. (2015). Retrieved from https://www.exploreanalytics.com/.
6. Kim Zetter. (29 December 2009). Wired. “Albert Gonzalez Pleads Guilty in Heartland, 7-11 Breaches—Updated.”
Last accessed on 5 July 2015, http://www.wired.com/2009/12/heartland-guilty-plea/.
7. Gordon Kelly. (21 May 2014). Forbes. “eBay Suffers Massive Security Breach, All Users Must Change Their
Passwords.” Last accessed on 5 July 2015, http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-
massive-security-breach-all-users-must-their-change-passwords/.
8. Caroline Humer. (24 February 2015). Reuters. “Anthem Says Hack May Affect More Than 8.8 Million Other BCBS
Members.” Last accessed on 5 July 2015, http://www.reuters.com/article/2015/02/25/us-anthem-cybersecurity-
idUSKBN0LS2CS20150225.
9. Numaan Huq. (September 2014). Trend Micro Security Intelligence. “PoS RAM Scraper Malware: Past, Present,
and Future.” Last accessed on 6 July 2015, http://www.trendmicro.com/cloud-content/us/pdfs/security-
intelligence/white-papers/wp-pos-ram-scraper-malware.pdf.
10. Numaan Huq. (March 2015). Trend Micro Security Intelligence. “Defending Against PoS RAM Scrapers: Current
and Next-Generation Technologies.” Last accessed on 6 July 2015, http://www.trendmicro.com/cloud-content/
us/pdfs/security-intelligence/white-papers/wp-defending-against-pos-ram-scrapers.pdf.