US Data Breaches Analysis


Transcript of US Data Breaches Analysis

Page 1: US Data Breaches Analysis

Analysis of US Data Breaches, 2005 - 2009

Compiled and Presented by: John E. Kveragas, Jr., CPA, CISA

“Learn from the mistakes of others. You can’t live long enough to make them all yourself.”

- Eleanor Roosevelt

Page 2

Agenda

Background

Analysis

Could have, Should have, Would have

Q&A

Appendix A – Definition of Root Causes

Appendix B – Definition of Industries

Page 3

Background

Source: www.privacyrights.com

Time Period: January 2005 – December 2009

Scope: Reported data breaches impacting customers and employees in the US.

Purpose: To utilize available information to give Audit and Security assurance that time and resources are being wisely spent on securing and reviewing the real risks to our most prized organizational asset.

Assumptions: Actual records compromised are far greater than what has been reported. Some organizations had no idea which records were impacted or how many. Events reported are a representative sample of all data breach incidents. Therefore we can use this data to forecast IT risk areas and emerging trends.

Constraints: Hacking incidents where the exploit was not explained had the Root Cause classified as Network Security. This Root Cause also covers default/blank passwords, unpatched devices, misconfigured devices, default settings, etc.

The Physical Security category covers stolen computers and hard drives. It excludes laptops, PDAs, and portable media.

Page 4

Analysis – Reported US Data Breaches

From January 1, 2005 – December 31, 2009

By the Numbers:

1,340 reported incidents.

324 of the 1,340 reported incidents did not know how many records were affected.

40 of the 324 were Banks.

457,016,826 known customer/employee records affected.

US Census estimated US population at 305,000,000 in 2009.

1,219 organizations had data breaches.

74 of the 1,219 organizations had multiple data breaches.

Baseball is ninety percent mental and the other half is physical. - Yogi Berra

Page 5

Reported US Data Breaches by Year

Year     Incidents   % of Total Incidents   Nbr. of Records   % of Total Records
2005           117                  8.73%        54,771,890               11.98%
2006           335                    25%        75,744,316               16.57%
2007           328                 24.48%        70,684,438               15.47%
2008           320                 23.88%        34,824,336                7.62%
2009           240                 17.91%      220,991,846*              48.36%*
Totals       1,340                   100%       457,016,826                 100%

* A single incident in 2009 was responsible for 100,000,000 records. Because a single event, or a few events, can skew the number of records, it is more important to look at the number of incidents reported for a year-to-year comparison than the number of records.

Page 6

The 5 Largest Data Breaches

Year   Industry               Root Cause             Record Count
2005   Banking                Network Security         40,000,000
2007   Retail                 Network Security         45,700,000
2009   Banking                Virus                   100,000,000
2009   Government - Federal   Disposal of hardware     76,000,000
2009   eCommerce - Retail     Web coding error         32,000,000
       Total Records                                  293,700,000

These 5 incidents represent 64% of the reported data records compromised during the 5 year period.

Page 7

Root Cause – Sorted by Incident Count

Root Cause                     Incidents   Nbr. of Records
SmartPhone                             1             3,200
Phishing                               1             4,000
PDA                                    1               851
Wireless                               2                 ?
Public PC                              2           117,000
Programming Error (Backend)            2               123
Fax error                              2                80
Social Engineering                     4           435,000
Peer to Peer                           9            11,485
Skimming                              11             1,821
Disposal of hardware                  12        76,296,770
Web coding error                      12        32,169,060
Virus                                 14       100,073,262
Unknown                               20         5,598,145
Backup Tapes                          29         9,266,569
Email error                           32           710,469
Mailing/Printing error                48         2,566,405
Portable Media                        83        26,677,497
Insider                               89        25,352,839
Web posting error                    143         4,533,405
Physical Security                    147         9,179,139
Paper                                147         4,696,608
Laptop                               259        37,441,939
Network Security                     270       121,881,159
Totals                             1,340       457,016,826

Page 8

Root Cause – Sorted by Incident Count, Top 10

Root Cause                     Incidents   Nbr. of Records
Backup Tapes                          29         9,266,569
Email error                           32           710,469
Mailing/Printing error                48         2,566,405
Portable Media                        83        26,677,497
Insider                               89        25,352,839
Web posting error                    143         4,533,405
Physical Security                    147         9,179,139
Paper                                147         4,696,608
Laptop                               259        37,441,939
Network Security                     270       121,881,159

The top ten root causes with the highest number of incidents represent 93% of the total number of incidents.

Footnote 1: Bolded items are on the Top 10 list for both # of incidents and # of data records impacted.

Page 9

Root Cause – Sorted by Nbr. of Records

Root Cause                     Incidents   Nbr. of Records
Wireless                               2                 ?
Fax error                              2                80
Programming Error (Backend)            2               123
PDA                                    1               851
Skimming                              11             1,821
SmartPhone                             1             3,200
Phishing                               1             4,000
Peer to Peer                           9            11,485
Public PC                              2           117,000
Social Engineering                     4           435,000
Email error                           32           710,469
Mailing/Printing error                48         2,566,405
Web posting error                    143         4,533,405
Paper                                147         4,696,608
Unknown                               20         5,598,145
Physical Security                    147         9,179,139
Backup Tapes                          29         9,266,569
Insider                               89        25,352,839
Portable Media                        83        26,677,497
Web coding error                      12        32,169,060
Laptop                               259        37,441,939
Disposal of hardware                  12        76,296,770
Virus                                 14       100,073,262
Network Security                     270       121,881,159
Totals                             1,340       457,016,826

Page 10

Root Cause – Sorted by Nbr. of Records, Top 10

Root Cause                     Incidents   Nbr. of Records
Unknown                               20         5,598,145
Physical Security                    147         9,179,139
Backup Tapes                          29         9,266,569
Insider                               89        25,352,839
Portable Media                        83        26,677,497
Web coding error                      12        32,169,060
Laptop                               259        37,441,939
Disposal of hardware                  12        76,296,770
Virus                                 14       100,073,262
Network Security                     270       121,881,159

The top ten root causes with the highest number of records represent 97% of the total number of records affected.

Footnote 1: Bolded items are on the Top 10 list for both # of incidents and # of data records impacted.
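The 93% and 97% concentration figures, and the footnote's "items on both Top 10 lists" (whose bolding did not survive this transcript), can be recomputed from the root-cause table. The Python below is an added example, not part of the deck; the 24 rows are transcribed from the deck's root-cause table, and the function names are the example's own. Wireless has no record count in the deck ("?") and is carried as None, counted as zero in the totals.

```python
"""Top-N concentration check over the 2005-2009 root-cause table (added example)."""

# (root cause, incidents, records) -- transcribed from the deck's root-cause table.
# Wireless: record count unknown in the deck, carried as None.
ROOT_CAUSES = [
    ("SmartPhone", 1, 3_200),
    ("Phishing", 1, 4_000),
    ("PDA", 1, 851),
    ("Wireless", 2, None),
    ("Public PC", 2, 117_000),
    ("Programming Error (Backend)", 2, 123),
    ("Fax error", 2, 80),
    ("Social Engineering", 4, 435_000),
    ("Peer to Peer", 9, 11_485),
    ("Skimming", 11, 1_821),
    ("Disposal of hardware", 12, 76_296_770),
    ("Web coding error", 12, 32_169_060),
    ("Virus", 14, 100_073_262),
    ("Unknown", 20, 5_598_145),
    ("Backup Tapes", 29, 9_266_569),
    ("Email error", 32, 710_469),
    ("Mailing/Printing error", 48, 2_566_405),
    ("Portable Media", 83, 26_677_497),
    ("Insider", 89, 25_352_839),
    ("Web posting error", 143, 4_533_405),
    ("Physical Security", 147, 9_179_139),
    ("Paper", 147, 4_696_608),
    ("Laptop", 259, 37_441_939),
    ("Network Security", 270, 121_881_159),
]


def incidents(row):
    return row[1]


def records(row):
    # Unknown ('?') record counts contribute nothing to the total.
    return row[2] or 0


def top_n(rows, key, n=10):
    """The n rows with the largest value under `key`, largest first."""
    return sorted(rows, key=key, reverse=True)[:n]


def top_n_share(rows, key, n=10):
    """Fraction of the column total carried by the top n rows."""
    total = sum(key(r) for r in rows)
    return sum(key(r) for r in top_n(rows, key, n)) / total


def in_both_top_lists(rows, n=10):
    """Root causes that are top-n by incidents AND by records (the deck's bolded items)."""
    by_inc = {r[0] for r in top_n(rows, incidents, n)}
    by_rec = {r[0] for r in top_n(rows, records, n)}
    return sorted(by_inc & by_rec)


def totals(rows):
    return sum(incidents(r) for r in rows), sum(records(r) for r in rows)


if __name__ == "__main__":
    inc_total, rec_total = totals(ROOT_CAUSES)
    print(f"incidents={inc_total:,} records={rec_total:,}")
    print(f"top 10 by incidents: {top_n_share(ROOT_CAUSES, incidents):.1%}")
    print(f"top 10 by records:   {top_n_share(ROOT_CAUSES, records):.1%}")
    print("on both top-10 lists:", ", ".join(in_both_top_lists(ROOT_CAUSES)))
```

Running it confirms the deck's totals and shows that six causes sit on both lists; those are the ones a control programme covers twice over, by frequency and by volume.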

Page 11

Top 10: Industry – Sorted by Incident Count

Industry                         Incidents   Nbr. of Records   % of Total Incidents*
Accounting/Tax/Audit/Payroll            30         1,565,290                     2%
Insurance                               35         4,206,121                     3%
Other                                   44         2,153,348                     3%
Retail                                  72        53,111,224                     5%
Government - Federal                    84       107,221,847                     6%
Government - Local                      86        10,166,092                     6%
Banking                                 90       174,682,458                     7%
Government - State                     136        14,993,503                    10%
Medical                                201         7,711,609                    15%
Education                              379         9,136,254                    28%

* Total of 1,340 reported incidents.

Footnote 1: Industries in red are governed by Federal law over data privacy, i.e. HIPAA for Medical and GLBA for Banking.

Footnote 2: Bolded items are on the Top 10 list for both # of incidents and # of data records impacted.

Page 12

Top 10: Industry – Sorted by Nbr. of Records

Industry                 Incidents   Nbr. of Records   % of Total Records*
Manufacturing                   22         6,223,915                    1%
Brokerage                       16         7,126,146                    2%
Medical                        201         7,711,609                    2%
Education                      379         9,136,254                    2%
Government - Local              86        10,166,092                    2%
Government - State             136        14,993,503                    3%
eCommerce - Retail               9        49,784,327                   11%
Retail                          72        53,111,224                   12%
Government - Federal            84       107,221,847                   23%
Banking                         90       174,682,458                   38%

* Total of 457,016,826 records.

Footnote 1: Bolded items are on the Top 10 list for both # of incidents and # of data records impacted.

Page 13

Risk Analysis

Page 14

Top 10 Industries: Incidents with an unknown number of records affected

Industry                         Incidents   % of Total Incidents with Unknown Number of Records Affected*
Telecomm                                10                                                          3%
Accounting/Tax/Audit/Payroll            10                                                          3%
Other                                   18                                                          6%
Government - Federal                    18                                                          6%
Government - Local                      19                                                          6%
Government - State                      28                                                          9%
Retail                                  33                                                         10%
Medical                                 38                                                         12%
Banking                                 40                                                         12%
Education                               48                                                         15%

* Total of 324 incidents with unknown number of records affected.

Banking is highlighted in red to indicate it is an industry that is regulated by Federal privacy law (GLBA). One of the requirements of GLBA is that the financial institution has an inventory of all non-public information (NPI) and adequate security logs to identify who accessed NPI and when. This statistic is in essence stating that over the 5 year period there have been 40 reported breaches of GLBA.

Page 15

Repeat Offenders

6% of the organizations in the study had multiple data breaches.

Lost/stolen laptops topped the repeated data breaches for the same organization.

48 unencrypted laptops were lost/stolen by the 74 organizations that had multiple data breaches during the same time period.

Of the 48 laptops stolen, one had 28,600,000 records compromised.

4 organizations had 3 separate incidents of laptops lost/stolen over the 5 year period.

Unencrypted laptops accounted for 37,441,939 (8%) records and 258 (19%) of all reported data breaches.

IT Management often looks at hard drive encryption as a cost-per-laptop expense. Perhaps it should be viewed from a cost-per-customer perspective: (Cost of encryption / # of sensitive data records x # of laptops with sensitive data).

Page 16

Top 3 Root Causes by Industry

[Pie charts in the original; the values are transcribed below.]

Education: Network Security 36%; Web Posting Error 16%; Laptop 13%

Page 17

Medical: Laptop 26%; Paper 16%; Physical Security 13%

Page 18

Government - State: Laptop 15%; Web Posting Error 13%; Paper 13%

Government - Local: Web Posting Error 23%; Laptop 16%; Paper 13%

Government - Federal: Laptop 31%; Physical Security 11%; Network Security 11%

"You better cut the pizza in four pieces because I'm not hungry enough to eat six."

- Yogi Berra

Page 19

Banking: Network Security 27%; Laptop 16%; Paper 16%

Page 20

Trending upward – Emerging Threats?

[Line chart in the original: # of incidents per year, 2005 through 2009 (y-axis 0 to 50), for Paper, Insider, Mailing/Printing Error, Email error, and Virus.]

Page 21

January 2010 – April 2010: 44% of the incidents are attributed to the Emerging Threats identified in the 2005-2009 data analysis.

Root Cause              Count   Percent of Count       Records   Percent of Records
Web Coding Error            1              1.04%        27,000                0.02%
Programming Error           1              1.04%         3,900                   0%
Peer to Peer                1              1.04%           260                   0%
Disposal of Hardware        1              1.04%       409,262                0.37%
Backup Tapes                1              1.04%         3,097                   0%
eMail error                 3              3.13%         6,260                0.01%
Web posting error           4              4.17%   100,009,053               89.74%
Portable Media              5              5.21%     3,341,069                   3%
Virus                       6              6.25%         9,174                0.01%
Mail/Printing Error         8              8.33%       758,250                0.68%
Laptop                      9              9.38%       238,865                0.21%
Paper                      10             10.42%        94,460                0.08%
Network Security           15             15.63%     1,483,453                1.33%
Insider                    15             15.63%        17,820                0.02%
Physical Security          16             16.67%     5,042,685                4.52%
Totals                     96               100%   111,444,608                 100%

Page 22

2009 Actual vs. 2010 Forecasted

Root Cause              2009   2010 (Forecasted)   Projected % Change
Web Coding Error           3                   3                   0%
Programming Error          1                   3                  67%
Peer to Peer               2                   3                  33%
Disposal of Hardware       3                   3                   0%
Backup Tapes               1                   3                  67%
eMail error               11                   9                 -22%
Web posting error         14                  12                 -17%
Portable Media            15                  15                   0%
Virus                     11                  18                  39%
Mail/Printing Error       13                  24                  46%
Laptop                    35                  27                 -30%
Paper                     39                  30                 -30%
Network Security          42                  45                   7%
Insider                   26                  45                  42%
Physical Security         15                  48                  69%
Totals                   231                 288                  20%
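The deck does not state how the 2010 column was produced, but the numbers themselves show it: every forecast is three times the January–April count from the preceding table (four observed months scaled to twelve), and the percent change is taken against the forecast, (Forecast - 2009) / Forecast. The Python below is an added example reproducing the table from those two inferences; it is not the author's workbook. The dictionaries are transcribed from pages 21 and 22, and the function names and the emerging-threat set (the five series on the page 20 chart) are the example's own.

```python
"""Run-rate forecast of breach incidents by root cause (added example).

Method inferred from the deck's table: forecast = Jan-Apr count * (12 / 4);
projected change = (forecast - prior year) / forecast.
"""

MONTHS_OBSERVED = 4  # January through April 2010

# Root cause -> incidents reported January-April 2010 (transcribed from page 21)
JAN_APR_2010 = {
    "Web Coding Error": 1, "Programming Error": 1, "Peer to Peer": 1,
    "Disposal of Hardware": 1, "Backup Tapes": 1, "eMail error": 3,
    "Web posting error": 4, "Portable Media": 5, "Virus": 6,
    "Mail/Printing Error": 8, "Laptop": 9, "Paper": 10,
    "Network Security": 15, "Insider": 15, "Physical Security": 16,
}

# Root cause -> incidents reported in calendar 2009 (transcribed from page 22)
ACTUAL_2009 = {
    "Web Coding Error": 3, "Programming Error": 1, "Peer to Peer": 2,
    "Disposal of Hardware": 3, "Backup Tapes": 1, "eMail error": 11,
    "Web posting error": 14, "Portable Media": 15, "Virus": 11,
    "Mail/Printing Error": 13, "Laptop": 35, "Paper": 39,
    "Network Security": 42, "Insider": 26, "Physical Security": 15,
}

# The five causes the deck's page 20 trend chart flags as emerging threats
EMERGING = {"Paper", "Insider", "Mail/Printing Error", "eMail error", "Virus"}


def annualize(count, months=MONTHS_OBSERVED):
    """Linear run-rate forecast: scale the observed months to a full year."""
    return count * 12 // months


def projected_change(forecast, prior):
    """Percent change expressed against the forecast, as the deck does."""
    return round((forecast - prior) / forecast * 100)


def forecast_table(partial, prior):
    """Rows of (root cause, prior-year actual, forecast, % change), then a Totals row."""
    rows = []
    for cause, count in partial.items():
        fc = annualize(count)
        rows.append((cause, prior[cause], fc, projected_change(fc, prior[cause])))
    total_prior = sum(prior.values())
    total_fc = sum(annualize(c) for c in partial.values())
    rows.append(("Totals", total_prior, total_fc, projected_change(total_fc, total_prior)))
    return rows


def emerging_share(partial, emerging=EMERGING):
    """Fraction of the partial-year incidents attributed to the emerging-threat causes."""
    return sum(c for k, c in partial.items() if k in emerging) / sum(partial.values())


if __name__ == "__main__":
    print(f"{'Root Cause':<22}{'2009':>6}{'2010F':>7}{'Chg':>6}")
    for cause, prior, fc, chg in forecast_table(JAN_APR_2010, ACTUAL_2009):
        print(f"{cause:<22}{prior:>6}{fc:>7}{chg:>5}%")
    print(f"emerging-threat share of Jan-Apr 2010: {emerging_share(JAN_APR_2010):.0%}")
```

A straight-line run-rate ignores seasonality and reporting lag, so it is a coarse early-warning signal rather than a prediction; the value for a security programme is the direction of the large swings (Physical Security, Insider, Virus up; Laptop and Paper down), not the exact counts.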

Page 23

Could have, Should have, Would have – Top 10’s

Root Cause (Incidents / Nbr. of Records): Countermeasures

Web coding error (12 / 32,169,060): Web app vulnerability scans, secure coding program, ethical hacks.

Disposal of hardware (12 / 76,296,770): Degaussing and destruction of hard drives; encryption.

Virus (14 / 100,073,262): Timely patches and up-to-date AV signatures. AV scanning of e-mail. Website content filters. Endpoint protection.

Unknown (20 / 5,598,145): Logging and monitoring (at a minimum to identify who, how, and what).

Backup Tapes (29 / 9,266,569): Encryption.

Email error (32 / 710,469): Outbound e-mail filters; e-mail encryption.

Mailing/Printing Error (48 / 2,566,405): QC & executive signoffs.

Portable Media (83 / 26,677,497): Encryption.

Insider (89 / 25,352,839): Proper vetting of employees and contractors, logging and monitoring, and least privilege.

Web posting error (143 / 4,533,405): QA & UAT.

Paper (147 / 4,696,608): Records management, on-site shredding, imaging/shredding.

Physical Security (147 / 9,179,139): Alarm system, badge/bio access, hard drive encryption, locked server racks / PC cabinets, and encryption.

Laptop (259 / 37,441,939): Hard drive encryption, physical chain locks.

Network Security (270 / 121,881,159): Timely patches, vulnerability scans, ethical hacks, complex password criteria, hardened server/device builds, defense in depth, and encryption.

Totals for top root causes: 1,305 incidents / 456,443,266 records, which is 97.39% / 99.87% of the 5 year total.

Page 24

Could have, Should have, Would have – Bottom 2%

Root Cause (Incidents / Nbr. of Records): Countermeasures

Wireless (2 / ?): WPA, restrict access.

Fax error (2 / 80): ???

Programming Error (2 / 123): SDLC.

PDA (1 / 851): Implement your security program on PDAs.

Skimming (11 / 1,821): Inspection.

SmartPhone (1 / 3,200): Implement your security program on Blackberries, iPhones, etc.

Phishing (1 / 4,000): Security awareness training for employees, contractors, and customers.

Peer to Peer (9 / 11,485): Block it.

Public PC (2 / 117,000): Endpoint scanner for VPN access.

Social Engineering (4 / 435,000): Security awareness training for employees, contractors, and customers.

Totals: 35 incidents / 573,560 records, which is 2.61% / 0.13% of the 5 year total.

Page 25

Conclusion of the Analysis

Trends from the 5 year study can be used to forecast emerging threats.

The use of encryption in protecting data in transit and at rest can make a security breach a non-event for customers and employees.

Insider risk has been on the rise. Practice “least privilege” and monitor insider activities.

If you are not doing the Security 101 things then all other efforts are a waste.

The best IT Security can be trumped by poor physical security and poor records management.

Page 26

Questions???

I wish I had an answer to that because I'm tired of answering that question.

- Yogi Berra

Page 27

Appendix A - Definition of Root Causes

Network Security – If the description included any of the following terms: hacked, unpatched, server/device misconfiguration, password cracking, default settings/passwords, server, router, firewall, database server.

Laptop – Any mention of a laptop, lost or stolen.

Paper – Any paper lost, stolen, or misplaced, i.e. placed in a dumpster.

Physical Security – This dealt with the physical entry of premises and removing computers and non-portable hard drives. Excludes laptops, paper, mobile media.

Web Posting Error – Accidental/unintentional release of information via a website.

Insider – When the breach was due to the illegal actions of an employee, consultant, or student who had some form of access to the data and abused the system/physical access.

Portable Media – CDs, DVDs, USB thumbdrives/flashdrives, external hard drives, floppy disks. This excludes backup tapes.

Mail/Printing Error – Accidental/unintentional release of information via printing and/or mailing data, i.e. wrong addressee or information printed/viewable on the outside of the mailing.

Page 28

Appendix A - Definition of Root Causes

Email Error – Accidental/unintentional release of information via e-mail, i.e. unintended addressee, wrong attachment, more data in the e-mail than known by the sender.

Backup Tapes – Unencrypted backup tapes only.

Virus – Any malware, virus, Trojan, keystroke logger, spyware.

Disposal of Hardware – The discarding or selling of computer equipment with unencrypted hard drives that contain sensitive data.

Web Coding Error – Website code inadvertently discloses sensitive data, SQL Injection, Cross Site Scripting, website authentication weakness, etc.

Unknown – Organization knew that it had a data breach, but did not know the cause.

Skimming – The copying of data from the magnetic stripe on credit and debit cards.

Peer to Peer – Data disclosure via the use of file sharing software/websites.

Page 29

Appendix A - Definition of Root Causes

Social Engineering – A malicious individual (non-insider) obtained sensitive data through trickery.

Fax Error – Data was either inadvertently sent to the wrong fax number, or more information was faxed to the correct recipient than intended by the sender.

Programming Error (Backend) – Any breaches that were the result of a programming issue with a backend processing application or of a batch job failure.

Public PC – Data breach as a result of data being saved on to public PCs via e-mail downloads or data residing in temp files.

Wireless – A breach as a result of an unsecured wireless transmission being intercepted, or an individual accessing an organization's wired network as a result of an unsecured wireless access point connected to the wired network.

PDA – Any breach involving lost/stolen PDAs having sensitive data stored on the device.

Phishing – A breach that involved an individual opening a phishing e-mail/website.

Smartphone – Any breach involving a lost/stolen smartphone having sensitive data stored on the device.
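Appendix A is, in effect, a keyword rule set applied to free-text breach notices: Network Security is assigned when the description contains any of the listed terms, and the Background slide adds that unexplained "hacked" incidents fall there too. The Python below is an added example of that labelling approach, not the author's tooling. Only the Network Security term list comes from the appendix; the keyword lists for the other categories are my own reading of the definitions (an assumption), rules are tried in order so specific causes win over the catch-all, and the sample descriptions are constructed, not records from the data set.

```python
"""Keyword-based root-cause labelling of breach descriptions (added example)."""
import re

# Ordered (root cause, keywords). First matching rule wins; the catch-all
# Network Security rule (terms from Appendix A) is deliberately last.
# Keyword lists other than Network Security are this example's assumption.
RULES = [
    ("Laptop", ["laptop", "laptops", "notebook"]),
    ("Backup Tapes", ["backup tape", "backup tapes"]),
    ("Portable Media", ["usb", "thumb drive", "flash drive", "cds", "dvds",
                        "external hard drive", "floppy"]),
    ("Virus", ["virus", "malware", "trojan", "keystroke logger", "keylogger", "spyware"]),
    ("Skimming", ["skimmer", "skimming", "magnetic stripe"]),
    ("Web Posting Error", ["posted on", "posted to", "publicly accessible web",
                           "visible on the website"]),
    ("Email Error", ["e-mail", "email"]),
    ("Paper", ["paper", "documents", "dumpster", "records found"]),
    ("Network Security", ["hacked", "unpatched", "misconfiguration", "misconfigured",
                          "password cracking", "default settings", "default passwords",
                          "server", "router", "firewall", "database server"]),
]


def _matches(text, keyword):
    """Whole-word, case-insensitive match so 'cds' does not fire on 'records'."""
    return re.search(r"\b" + re.escape(keyword) + r"\b", text, re.IGNORECASE) is not None


def classify(description):
    """Return the first root cause whose keyword list matches, else 'Unknown'."""
    for cause, keywords in RULES:
        if any(_matches(description, k) for k in keywords):
            return cause
    return "Unknown"


def tally(descriptions):
    """Incident count per root cause over a batch of descriptions."""
    counts = {}
    for d in descriptions:
        cause = classify(d)
        counts[cause] = counts.get(cause, 0) + 1
    return counts


# Constructed sample incident descriptions (not from the deck's data set)
SAMPLE = [
    "Unencrypted laptop containing patient files stolen from employee vehicle.",
    "Attackers hacked a database server; exploit details were not disclosed.",
    "Backup tapes lost in transit by courier.",
    "Spreadsheet with SSNs sent by e-mail to the wrong recipient.",
    "Boxes of loan documents found in a dumpster behind the branch.",
    "Keystroke logger found on a teller workstation.",
    "Notice stated only that customer data was compromised.",
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{classify(d):<18} {d}")
    print(tally(SAMPLE))
```

The order of the rules is the analyst's judgement call, and it drives the statistics: a stolen laptop infected with malware lands under Laptop here, as it would under the appendix's "any mention of laptop" definition, so the counts for Virus are conservative by construction. Keeping the rule list explicit makes that bias reviewable.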

Page 30

Appendix B – Definition of Industries

Banking – Banks, credit unions, credit card companies, and mortgage companies.

Medical – Doctors, pharmacies, hospitals, clinics.

Insurance – Any and all insurance companies.

Education – Daycare, preschools, public and private K-12 schools, technical/trade schools, colleges and universities.

Government – Local – City, town, county, township, boro, parish governments, and local police.

Government – State – Any of the 50 state governments including all state government agencies, departments and state police.

Government – Federal – The US Federal government including all Federal agencies, departments, and the military.

Accounting/Audit/Tax/Payroll – Public accounting firms, tax preparers, payroll service providers.

Telecomm – Telecommunications companies including phone, mobile phone, ISPs, and cable companies.

Retail – Retail stores and restaurants.

eCommerce Retail – Retailers who are solely doing business online and have no physical storefront.

Brokerage – Stock brokers, brokerage firms, and mutual fund companies.