Frequency of Incidents and Types of Industries Involved
In 2007, 330 separate data breach incidents were reported to the Privacy Rights Clearinghouse. The largest share of these incidents (29%) involved educational institutions, although municipal, state, and federal governmental agencies reported a similarly high frequency (26%). Health-related organizations (e.g., hospitals and health insurance companies) reported significantly fewer occurrences of unauthorized disclosure (16%), and financial services had the lowest frequency of any industry (7%). Other private businesses, such as retail stores, experienced slightly fewer breaches (22%) than government.
Causes of Breaches
The major reported cause of security breaches was lost/stolen equipment; forty-four percent of all incidents involved missing or stolen equipment containing sensitive information (e.g., Social Security numbers, credit card numbers, names and addresses, account numbers). The second most frequently reported cause of unauthorized disclosure was inappropriate access to personal data via the Internet (17%). A third cause, hackers, was responsible for 15% of the breaches. Careless disposal of paper records containing sensitive personal information (such as the disposal of unshredded account statements in dumpsters) accounted for 12% of reported incidents. Accidental disclosure of data (for instance, the mailing of billing statements to incorrect addresses of persons) accounted for 7% of breaches. Information purposefully stolen by current or former employees (“malicious insiders”) accounted for 5% of the reported incidents, representing the least frequent cause of breaches.
Because lost/stolen equipment represented by far the major cause of security breaches, it seemed useful to subject this information to further scrutiny. Most of the stolen equipment (58%) consisted of laptops removed from offices or parked cars. Personal computers pilfered from offices represented the second most frequent source (23%), followed by stolen hard drives (8%). Other types of lost/stolen equipment included flash drives, magnetic tapes, CDs, servers, and miscellaneous “storage devices”; however, these media together comprised only 11% of all lost/stolen equipment.
In some instances, the Clearinghouse database describes the conditions under which equipment was stolen. For example, a report may indicate that a laptop was taken from a “professor’s office” or from a “consultant’s parked car.” Based upon these descriptions, it is possible to infer that 10% of equipment was stolen by employees of the organization or institution owning the equipment; however, 90% of the thefts appear to have occurred outside the organization.
One Comment
Why use PRC for the data when they get their data from Attrition.org’s DataLoss project?