Handling Goofs Cause Many Data Leaks

By Lisa Vaas  |  Posted 2007-11-02

A sizable chunk of business data is being lost electronically in simple misconfiguration mistakes.

Since January 2005, there have been 167.7 million records containing sensitive personal information exposed by security breaches, according to a running total kept by the Privacy Rights Clearinghouse. The question is, How does this information get out there? Loss or theft of a physical object forms by far the largest hole in data security. According to an analysis (PDF) done recently by David Litchfield of Next Generation Security Software, based in Surrey, England, 43 percent of records lost since Jan. 1 slipped out of organizations on paper, computers, laptops, disks or backup media.
Other researchers put the figure higher for records that were exposed due to lost or stolen computers or media—security expert Chris Walsh has analyzed New York data sets and puts the figure closer to 99 percent.
Either way, that's a lot of gear growing legs and walking off. But Litchfield, like other database security experts, is of course primarily concerned with electronic data breaches and how they can be stopped. And many electronic breaches can certainly be stopped, he maintains: He's found that since Jan. 1, the single largest contributing cause to electronic data breaches is not cyber-thievery or insider malice but simple goof-ups, that is, inadvertent exposure.

According to Litchfield, Word documents and spreadsheets mistakenly left on a Web server or indexed by a search engine account for 20.6 percent of the 276 breaches, both physical and digital, recorded up until Oct. 23 in 2007 by the Privacy Clearinghouse and by Attrition.org, a data security site run by volunteers. "This means that a fifth of the breach problem could be solved if companies actively and regularly hunted out such relic documents themselves," Litchfield said in a Nov. 1 posting.

Another thing to note, Litchfield said, is that while the number of security breaches tracked by groups like Privacy Clearinghouse is nothing to sneeze at, it also vastly underreports the true amount of data exposed in breaches. "It seems many of the discoveries were made by well-meaning members of the public who found them by accident," Litchfield said in his posting. "This indicates that the real number of breaches is considerably higher: Criminals, who we know are actively seeking out such information, aren't going to inform anyone about what they find. The same is true of breaches due to compromise—the number must be higher."
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
