Lest you thought that the pace of newly reported data loss incidents had slowed down — perhaps driven by greater awareness, improved security or tighter compliance regulations — the latest numbers published by the Identity Theft Resource Center tell an entirely different story.
According to the ITRC’s October 2008 report, (PDF) publicly reported data breaches have now reached an all-time high. The watchdog group said it has charted 516 such incidents, or an average of 57 breaches per month, over the first nine months of 2008. That compares with 446 breaches during all of calendar 2007, the previous record-breaking data loss annum.
Of course, even ITRC admits that there are likely far many more data loss incidents that stay unreported. So, it would appear that we are indeed living in the golden era of the breach, despite all that’s been done to augment security controls.
At its current pace, we should be on track for a grand total of 650 data breaches in 2008, according to ITRC’s numbers.
In terms of vertical orientation, businesses are having the highest number of incidents, accounting for 36.4 percent of the events this year, up from 28.9 percent in 2007.
Perhaps due to stronger regulation, the government sector has seen its numbers drop, accounting for only 15.7 percent of all breaches compared with as much as 30 percent two years ago.
However, in the health and medical field, where HIPAA (Health Insurance Portability and Accountability Act) has been touted as a major game-changer, totals have still risen, accounting for 15.1 percent of incidents in 2008, up from 13 percent in 2006.
Some other pertinent 2008 stats reported by ITRC included:
-Some 58.2 percent of breach victims have published the number of records involved in their incidents, while 41.9 percent did not, making it hard to draw conclusions regarding the overall number of records exposed.
-Of the incidents reported that did include record counts, there have been roughly 30 million total records exposed.
-To date, electronic data breaches account for 81.2 percent of reported incidents and paper breaches represent 18.8 percent.
-Reports of insider theft and hacking combined indicate that about 30 percent of breaches are the result of malicious attacks, not counting other unauthorized access.
-Poor information handling practices and accidental exposures accounted for 34.4 percent of the data breaches.
Some conclusions?
Well, it would seem to follow that compliance mandates have not yet had their full effect, as evidenced by the vertical figures. And it seems that both poor security controls and a lack of policy enforcement remain equally to blame for the continued breach epidemic.
And then there is the whole issue of public awareness, as typically we tend to assume that the more we talk about some issue such as data security and become concerned with it, the better the environment surrounding it will become. And it hasn’t; in fact, it’s just getting worse.
There’s clearly a lot more that needs to be done.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.