Breaches: Knowing Less and Less about Less and Less
San Diego, CA (July 11, 2012): The Identity Theft Resource Center® recorded 213 breaches for the first six months of 2012, with an astonishing 63.4% of them having no reported attributes. This represents a doubling in the number of data breaches which did not have any type of attributes identified for the incident, giving the public little or no insight into what happened. This trend makes it obvious that with few exceptions, there is minimal transparency when it comes to reporting breaches.
From 2005 through 2011, the ITRC Breach List tracked five categories of breach attributes: insider theft, hacking, data on the move, accidental web/Internet exposure, and subcontractor. In 2012, employee error/negligence was added as a new attribute to more clearly recognize those data breaches that were not the result of malicious intent. This is good information for the public to know, both for understanding trends in breach exploits, and to understand what the probable consequences of a particular breach might be for those affected.
However, other than breaches reported by the media and a few progressive state websites, there continues to be little or no information available on many data breach events. The public has no way of knowing just how minor or serious the data exposure was for any given incident. The media has helped by reporting more details for some breach events, but in general there appears to be even less transparency about breach events than in previous years.
It is clear that, without a mandatory national reporting requirement, many data breaches will continue to be unreported or under-reported, and the situation appears to be growing worse.
ITRC Breach Report Key Findings
- Paper breaches for the first half of 2012 account for nearly 15% of known breaches, down from 17.7% for the same period in 2011. These types of breaches typically go unnoticed until a consumer reports the problem to local media, as most paper breaches are not required to be reported. If you want to really understand the threat of these low-tech breaches, contact the US Postal Inspection Service and ask if they consider mail theft a serious problem.
- Breaches in the medical/healthcare industry are on pace to hit an 8-year high, and currently represent 27% of the total breach incidents reported so far in 2012. This number is a drastic increase over the 17% reported for the same period in 2011 and exceeds the previous high of 24% for calendar year 2010.
- The banking industry continues to show improvement, as that category currently represents only 4% of the total breaches reported on the ITRC Breach List. This is down significantly from the 8% reported during the first half of 2011, and would represent an 8-year low should the trend continue.
- Breaches involving third parties, or subcontractors, doubled over the same period last year, with 14% of identified data breach incidents reporting third party involvement. These events make the case that although your company may have taken adequate measures to protect information, the contractor you hire may not be as careful.
- Malicious attacks involving “hacking” continue to increase, with 30.5% of the breaches so far this year identifying hacking as the root cause, up from the 27.7% reported for the same period in 2011. If this rate of increase continues, 2012 will be on pace to have another record high year in this category. Insider theft, which is also identified as a malicious attack, was down in the first half of 2012, at 7.5% compared to 17.3% for the same period in 2011. This could indicate that companies are getting better with internal controls and vetting of employees. When combined, these two categories represent nearly 40% of all reported breaches.
- Breaches involving “Data on the move” are being recorded at an all-time low. To date, only 7.5% of the breaches in 2012 have been identified in this category. This represents a tremendous drop from the 15.6% reported in the first half of 2011. Hopefully, this indicates a new awareness of companies and employees about the data carried on laptops and mobile devices. “Accidental” causes are identified in 11.7% of the breach incidents reported; up somewhat from the 9.1% reported during the first half of 2011. The newly identified employee error/negligence category is identified in 6.1% of the breach incidents reported.
- 44.4% of publicly reported breaches indicated the number of records exposed, totaling 8.5 million records. It should be noted that the ITRC Breach Report does not include records exposed through non-sensitive information, such as email account records, in its total number of records. These 8.5 million records are all related to exposure of sensitive Personal Identifying Information (PII) or other sensitive account information. As such, breach incidents which involve passwords, user names and email addresses may be included on the list, but the number of records exposed is not counted as part of the annual total record exposure. The records that are totaled are therefore those that might contain Social Security numbers, credit/debit card numbers, financial account numbers or other pieces of information such as driver’s license numbers or medical insurance numbers.
- 96 breaches (45.1%) reported in the first half of 2012 included the exposure of Social Security Numbers. This is a significant drop from the 64.5% of the breaches which exposed SSNs during the first half of 2011.
- 41 breaches (19.2%) involved credit or debit cards, dropping considerably from the 34.6% of the breaches involving credit/debit cards in the same time period during 2011.
The ITRC has long recognized the fact that breaches are not being reported, or are under-reported. Any efforts to accurately quantify the actual number of breaches and the resulting number of compromised records are stymied in the absence of mandatory reporting on a national level. Unfortunately, in the absence of national requirements for breach reporting, this situation is getting worse.
Another challenge continues to be how to define the threat to consumers when the compromised information is not “sensitive” personal information but “non-personal” in nature. It is well known that this type of information still poses a threat to consumers through spearphishing and social engineering.
For the reports and statistics used for this release, go to www.idtheftcenter.org.
About the ITRC
The Identity Theft Resource Center® (ITRC) is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the ongoing mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem. Victim Hotline: 888-400-5530. Visit www.idtheftcenter.org
Contact: Karen Barney
Cell (619) 405-4360