Data Security Breaches in Businesses
No matter what term you use (cyber attacks, hackers, data thieves, etc.), data security breaches are costing businesses millions of dollars a year. As new statistics on data security breaches are discovered, we will post them here.
TED Video: Misha Glenny – Hire the hackers!
Causes of Online Data Security Breaches
- Companies that use simplistic password assignment policies are targets of identity theft. Often people duplicate passwords and use them for multiple accounts, making identity theft quick and easy.
- 85% of all U.S. companies have experienced one or more data security breaches.
- Most employees do not password-protect or encrypt their data files, which contain clients’ personal and vital information such as Social Security numbers, driver’s licenses, addresses, names, dates of birth, bank accounts, 401K, credit card numbers, school history, etc.
- Corporate sharing of personal information with third parties violates compliance with a large number of laws and regulations if it happens without the individual’s consent.
- Companies and organizations frequently become victims of data breaches through phishing and spear phishing e-mails. Within these emails are attachments that contain malware and viruses.
- Massachusetts has received about 2,200 notification letters from companies reporting lost or stolen personal data in the nearly four years since the law was passed, affecting a whopping 5 million Bay State residents, with some amount of overlap in the identities, according to Barbara Anthony, head of the Massachusetts Office of Consumer Affairs and Business Regulation.
- Harry Sverdlove, chief technology officer at Bit9, warns that for every breach we hear about, there are at least 100 that we don’t hear about of equal or greater impact.
- Many IT managers are concerned that most insider attacks go undetected because appropriate authentication was used. But many times weak authentication practices are used.
- A restaurant employee stole customer credit card information and used it to purchase $200,000 of Walmart gift cards.
- In the span of six months, nine employees of a telecommunications company inappropriately accessed confidential customer account information and used it to make cloned cell phones. Over $15 million of unauthorized phone calls resulted from this scheme.
- An executive turned himself in to authorities after being accused of selling customer information to identity thieves in exchange for sports tickets and gift cards.
- The owner of a medical equipment business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.
- The owner of a farm equipment store pleaded guilty to federal charges, admitting she stole the identities of customers to obtain more than 80 loans worth $1.7 million.
Statistics on Data Security Breaches
- A Ponemon study of adult-aged participants who were laid off, fired, or between jobs found that 67% of respondents “used their former company’s confidential, sensitive or proprietary information to leverage a new job.” Plus, approximately 68% planned to use email lists, customer contact lists, and employee records that they took from their employer.
- Other key findings from Ponemon on what puts customer and other confidential information at risk of a data breach, along with companies’ competitiveness and future revenues:
  - Employees are more likely to take data when they don’t trust their employer.
  - Employees are taking proprietary and confidential data that might affect their former company’s business competitiveness and could result in a data breach.
  - The documents most susceptible to theft are email lists and hardcopy files.
  - Employees leave their laptops but take CDs, USB memory sticks, and PDAs.
  - Employees were able to access their former employer’s computer system or network after departure.
- Stats from the Leaking Vault 2011 report from Digital Forensics Assoc.:
  - Studied 3,765 publicly disclosed data breach incidents from 33 countries between 2005 and 2010.
  - Over 806.2 million known records disclosed.
  - On average, over 388,000 records per day, or 15,000 records per hour, every single day for the past six years.
  - The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. It’s a low estimate because 35% of the incidents did not release the number of records lost.
  - Average cost per individual record lost is now +$209.
  - Hacking accounted for 48% of the lost records.
  - 65% of the cases disclosed a person’s name, address and Social Security Number.
  - 16% disclosed medical information.
  - 15% of the incidents disclosed Credit Card Numbers.
  - Criminal use of the data increased by 58% from the prior report.
  - Of the 3,765 incidents in the study, 719 involved laptops. Of these incidents, 96% were stolen laptops. Overall, the laptops accounted for 45,500,147 records in the study.
- According to a 2010 report, the annual cost of a data breach is $215 per record or $7.2M per incident. – Ponemon Institute, 2010
- Every time a corporate secret is disclosed to agents or competitors, it costs the organization $1.3M. – Ponemon Institute, 2011
- According to a study in 2003 from the Federal Trade Commission, one-third of identity theft victims had their personal information misused for credit card fraud.
- According to a study from the Identity Theft Resource Center in September 2003, the average time spent by victims restoring their identity is about 600 hours, an increase of more than 300 percent over previous studies.
- A HIPAA violation is costing approx. $15,000 per record stolen. – Mass. General Hospital’s fines.
- Since 2005, more than 500M U.S. records have been compromised just from reported breaches. – Privacy Rights Clearinghouse, 2010
- 81% of respondents reported a security event in the last 12 months, compared to 60% in 2010. – CSO Magazine, 2011
- In 2010, 31% of data breaches were from malicious attacks, compared to 24% in 2009 and 12% in 2008. – Ponemon Institute, 2011
- According to a 2009 e-Crime Watch survey of 523 organizations, 51% had experienced an insider attack.