The Green Sheet Online Edition
January 24, 2011 • Issue 11:01:02
PRC reports data breaches increase in 2010
Statistics from the Privacy Rights Clearinghouse, a nonprofit consumer organization, reveal a total of 181 data breaches were made public in 2010 by financial services, insurance and retail businesses, with approximately 6.4 million records compromised as a result.
The number of reported breaches within these sectors grew from 37 in 2009 to 181 in 2010, although the number of records affected was much higher in 2009 (135.1 million) than in 2010, largely due to the massive data breach reported by Heartland Payment Systems Inc. in 2009.
Of the 181 breaches reported in 2010, 95 were experienced by financial and insurance businesses, affecting a total of 6.3 million records, while the 86 breaches suffered by retail merchants involved only about 58,264 records.
Causes of breaches
In addition to industry classifications, PRC categorizes the breaches according to the cause of data loss, including unintended disclosure, theft by insiders, hacking or malware, payment card fraud, physical loss of equipment, and others.
Compromising the greatest number of records (3.8 million) were 23 breaches stemming from lost, discarded or stolen portable devices (including laptops, personal digital assistants, smart phones, portable memory devices or storage media). For 2010, PRC figures also disclosed 43 hacking and malware attacks affecting 249,320 records and 12 reported cases of payment card fraud impacting 25,244 records.
The data accumulated by PRC does not necessarily reflect the actual scope of the problem. Not every state requires reporting of breaches (although the majority do). In many cases, the data reported is incomplete or is difficult to quantify because the exposure is ongoing. In addition, a single massive loss of data can skew the overall statistics significantly, making spotting trends difficult from one year to the next.
"We still have structural problems in the industry where reporting is often voluntary, or even if it's not optional, it's sometimes not performed," Tim Cranny, Chief Executive Officer of Panoptic Security Inc., pointed out. "The people trying to put these statistics together and look at trends are looking at blurry information with a lot of the good stuff missing, and only partial visibility and partial insight. So it's dangerous to try and do a simplistic, year-to-year comparison."
Two trends Cranny has observed, based on his tenure in the industry, are the increasing sophistication of hacker attacks and the increase in the number of attacks on smaller businesses. The hackers "started off focusing on big players first, and then, as the security industry matures, many of those bigger players are doing a better job of protecting themselves and protecting consumers," he said. "What that means is that there are fewer whales to hunt, but that doesn't mean the bad guys just give up."
Smaller merchants are increasingly becoming targets because of their vulnerability, Cranny noted. "The smaller players are often less security conscious, and they don't have the same tools and resources," he said. "So they are falling behind in terms of their ability to protect themselves. What that means is that there is a trend emerging where the bad guys aren't necessarily trying to get a million records in one fell swoop. They might do that, but they also might try a thousand different places and try to get just a thousand records from each."