Handling Goofs Cause Many Data Leaks

Since January 2005, there have been 167.7 million records containing sensitive personal information exposed by security breaches, according to a running total kept by the Privacy Rights Clearinghouse.

The question is, How does this information get out there?

Loss or theft of a physical object forms by far the largest hole in data security. According to an analysis (PDF) done recently by David Litchfield of Next Generation Security Software, based in Surrey, England, 43 percent of records lost since Jan. 1 slipped out of organizations on paper, computers, laptops, disks or backup media.

Other researchers put the figure higher for records that were exposed due to lost or stolen computers or media—security expert Chris Walsh has analyzed New York data sets and puts the figure closer to 99 percent.

Either way, that’s a lot of gear growing legs and walking off. But Litchfield, like other database security experts, is of course primarily concerned with electronic data breaches and how they can be stopped. And many electronic breaches can certainly be stopped, he maintains: He’s found that since Jan. 1, the single largest contributing cause to electronic data breaches is not cyber-thievery or insider malice but simple goof-ups, that is, inadvertent exposure.

Click here to read about how a data breach at TJX Companies turns out to have been more than twice as large as reported.

According to Litchfield, Word documents and spreadsheets mistakenly left on a Web server or indexed by a search engine account for 20.6 percent of the276 breaches, both physical and digital, recorded up until Oct. 23 in 2007 by the Privacy Clearinghouse and by Attrition.org, a data security site run by volunteers.

“This means that a fifth of the breach problem could be solved if companies actively and regularly hunted out such relic documents themselves,” Litchfield said in a Nov. 1 posting.

Another thing to note, Litchfield said, is that while the number of security breaches tracked by groups like Privacy Clearinghouse is nothing to sneeze at, it also vastly underreports the true amount of data exposed in breaches.

“It seems many of the discoveries were made by well-meaning members of the public who found them by accident,” Litchfield said in his posting.

“This indicates that the real number of breaches is considerably higher: Criminals, who we know are actively seeking out such information, aren’t going to inform anyone about what they find. The same is true of breaches due to compromise—the number must be higher.”

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK’s Security Watch blog.