The Identity Theft Resource Center has found that hacking accounted for the largest number of breaches in 2011 year-to-date. Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems.
This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).
Note that these numbers do not include the recent hackings of enormous quantities of email addresses from companies. Email addresses alone do not pose a direct threat as long as consumers realize that they are more susceptible to phishing scams. Phishing scams try to trick readers into providing personal information that can be used for identity theft.
Paralleling the ITRC breach report finding is the recently released Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010. This may partially explain why the ITRC observation of increased hacking has occurred so quickly.
Additionally, a new survey by McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees. ITRC views these as two different types of breaches. Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company. However, the insider who intentionally steals or allows others access to personal information is considered a malicious attacker.
“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager. “ITRC does not have access to the Secret Service’s forensic information has so we can only report on situations when information is released.
As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft. When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”
The business community seems to be taking the brunt of hacking attacks, according to published reports of breaches. In fact, 53.6% of all breaches on the ITRC report were business related. The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military,”, and “Medical/Healthcare” all dropped in their respective percentage of reported breaches.
Unfortunately, it is still difficult to ascertain the true cause of many breaches due to entities publicly stating “the information was stolen” or “due to theft.” Additionally, nearly half of breached entities did not publicly report the number of potentially exposed records. Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.
This was probably due to mandatory reporting by HHS. Since other entities do not have that type of requirement, it is likely that entities in other categories also had breach events with large record exposure numbers that went publicly unreported.
No conclusions can be drawn yet about how this year will compare to prior years. The one thing that is consistent, year after year, is that data breaches will occur. These events are outside the realm of consumer control. Due to our individually broad electronic “footprints”, our Social Security numbers and financial account numbers are in a vast pool of information that can be breached.
The responsibility for protecting this personal identifying information is fully on those who request and store it. All entities that collect personal information need to understand and embrace the concept that only they can safeguard our information and that this safeguarding must be an urgent priority.
Not only are hackers winning, but so are the thieves who steal unattended laptops and dig into dumpsters behind companies for paper data. Breaches just don’t happen, they are allowed to happen. ITRC will continue to track, analyze and report on the situation of breaches of personal information.