This summary report will provide a broad overview of public sector and private sector data breach incidents in the United States. The report aims to better educate readers on the extent of the attacks, what vulnerabilities and specifics allow for these attacks, and finally to explain the consequences of these attacks. It should be noted that while many institutions are required to report data breaches, not all attacks are accounted for publicly or are even discovered internally. As the reported numbers and actual number of incidents continue to increase it becomes increasingly important to study past incidents in order to prevent or limit future data breach attacks.
Extent of the Problem
Who is being victimized?
Identity theft can be targeted; however, in most cases the attacker’s goal is to obtain data that will result in monetary gains. For example, useful information gleaned from an attack would allow an attacker to obtain credit cards or other financial devices using a victim’s identity. According to the data provided by the Privacy Rights Clearinghouse , a large percentage of the attacks occur in educational institutions and within government agencies. Attacks likely occur within educational institutions because they are easy targets; they tend to encourage open access, there is a not a high degree of peer accountability or monitoring, and students are not typically known for their maturity or attention to detail. Government agencies, such as the U.S. Dept. of Veteran’s Affairs (which has been victimized many times at several locations), are also popular targets because their databases will include a broad cross section of individuals and may possess records on individuals which could be blackmailed for the purpose of obtaining classified information. Other large percentages of the attacks include hospitals and financial institutions. The reason for their common occurrence can be attributed to the high (financial) value of their data, and reporting requirements such as the Red Flag Rule . Other victimized databases include retailers, schools, and various other types of organizations across a wide spectrum of society.
What personal information could be stolen as a result of the attack?
The information available in the accessed records varies by the institution and the type of database. In large part, the data consists of names and addresses and more sensitive data such as social security numbers, banking information, and health records. The data available from the Privacy Rights Clearinghouse confirms that such sensitive information has been breached and could potentially be used for identity based crimes . Other information would vary by industry such as adoption and donation records, or may simply indicate affiliation or membership with some organization. The value of the data may be known ahead of time, or the attacker may later attempt to create value from the information he has already obtained.
Frequency of Attacks
The number and frequency of attacks reported by the Privacy Clearing house is very high . If one were to quickly skim the report, he would see that there is an attack almost every other day. However, the steady increase in attacks may only indicate increased reporting of incidents, and does not directly imply that attacks are on the rise. In general, most of the attacks seem to be isolated incidents or at least do not seem like mass coordinated attacks by a large group at any given time. For example, attacks on three Universities were reported on 14 July 2006, but their circumstances were unrelated. The only target which seemed to have a high volume of attacks was the U.S. Dept. of Veteran’s Affairs, which was known for its lax control and management of its information systems .
Categorization of Attacks
A 2006 report from the Federal Reserve Bank of Philadelphia describes three broad categories of attacks . These categories do not represent the “how”, but the “where” information breaches occur. The first is “data at rest”, which is data stored on internal computers or other media. The next category is “data in transit”, which refers to information that traverses a computer network and may not be encrypted. The third is “data in travel”, which refers to data stored on portable devices and media such as laptops, PDAs, and thumb drives. The most commonly publicized category of attack is “data in travel” and includes stolen or lost devices and media which contain sensitive data but often seems to include no physical or technological protections. As encryption becomes more commonplace “data in transit” attacks should hopefully diminish. The most troublesome category is “data at rest” because this data is vulnerable to insider attacks which are often the hardest to discover.
Types of Attacks
There are many reasons that data breaches occur. Some breaches are the result of calculated and target attacks, other attacks are designed in order to steal large quantities of personal records, and a great portion of the attacks can be traced back to negligence or incompetence. Examples from the Privacy Rights Clearinghouse include theft of laptops or thumb drives from the institutions or off site locations, intentional hacking, and deceptive attacks such as phishing and redirection attacks . Other incidents result from logic errors in processing and other information systems, which resulted in accidental exposure. In the case of Pfizer, and likely many unreported cases, information was put at risk through the usage of peer-to-peer file sharing applications which likely shared the data without the user’s knowledge.
Magnitude of Attacks
The magnitude of the attacks can be difficult to measure because any given individual may be the victim of multiple attacks, depending on affiliations and which databases an individual’s information is stored in at any given time. As of the time of writing (13 February 2009), there have been close to 252,500,000 user records which were vulnerable to some attack since 2005 . It should be noted that this number is not based on a precise number of affected records, as some attacks are not reported or may not be included in the data set available from the Privacy Clearing House. In reality, the number of records compromised is likely much higher. It should be noted that at the time of writing, there are currently about 305,800,000 people in the United States . This comparison does not imply that over half of Americans have been victimized by an attack or that any significant percentage of the population has suffered significant loss or exposure as a result of these incidents. However, it does indicate that within only a short period of reporting that many records have been attacked and that the possible number of victims is growing. As the number of attacks begins to eclipse the population, the likelihood of any randomly selected individual being affected will increase as the attacks are not limited to one specific set of data or institution.
Consequences of Data Breaches
Effect on Victims
Sometimes the data breaches do not result in any damages or damages that will not be immediately noticed. For example, when devices such as laptops or thumb drives are stolen it is often for the hardware, the data is usually not of any value to the attacker. However, in a great number of data breaches, the data is used to commit identity based crimes. For example, one data breach at the University of Virginia resulted in a professor.s credit being destroyed by a thief amassing debt under his identity . Financial crimes are the most likely to occur since the pay off for criminals is high relative to the attack cost. Other consequences could result in discrimination (insurance discrimination through private health data) or blackmail (threaten to reveal personal information or threaten to discredit an individual) which could lead to many different problems for individuals. Some organizations do offer to help victims after an attack through credit monitoring or credit restoration assistance .
Consequences and Repercussions on Organizations
The cleanup from a data breach can be very costly and embarrassing. In some cases there is mandatory incident reporting. In addition to reporting the incident, the organization should contact those individuals that were affected by the incident and notify them that they may be at risk. In some cases, law enforcement must be called in to do a thorough investigation of the incident. For example, one firm had to call in the expertise of the US Secret Service as well two forensic breach investigation teams to find the root cause of the problem after a breach was discovered . While sometimes the cause and modus operandi of an attack are obvious such as a stolen laptop, in many cases it could take a very long time to track down the vulnerability or practice which allowed for the attack to occur. While the upfront costs to protect customers may seem high, the costs to clean up the mess from the incident can cost the organization larger sums of money and time. Many incidents have resulted in law suits and other legal action by those whose privacy was breached as a result of an attack according to the Privacy Rights Clearinghouse . Some organizations will also incur additional costs by offering victims credit monitoring and may provide assistance in repairing or rebuilding credit. Fines could be levied by government authorities in some cases, and some business-to-business relationships can also result in fines, for example Visa fined Fifth Third Bancorp $880,000 for its role in the breach of TJX Companies. Data breaches are very hard to deal with because they usually occur out of negligence or insufficient attention to security measures. As a result, the diagnosis and solution are often not easy to find. Instead of incremental improvements, the aftermath of a breach usually results in an organization spending a large sum of money very quickly in order to recover. If they do not, they are likely to be repeatedly victimized, which can result in more fines, lose of customers, or the inability to operate normal or being forced to permanently cease operations.
Privacy Rights Clearinghouse. A Chronology of Data Breaches. Privacy Rights Clearinghouse. [Online] February 10, 2009. [Cited: February 13, 2009.] http://www.privacyrights.org/ar/ChronDataBreaches.htm#9.
108th Congress. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003. US Government Printing Office. [Online] 2003. [Cited: February 13, 2009.] http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108. Public Law 108-159.
Lemos, Robert. Veterans Affairs warns of massive privacy breach. SecurityFocus. [Online] May 22, 2006. [Cited: February 13, 2009.] http://www.securityfocus.com/news/11393.
McGrath, James C. and Kjos, Ann. Information Security, Data Breaches, and Protecting Cardholder Information: Facing Up to the Challenges. Payment Cards Center, Federal Reserve Bank of Philadelphia. Philadelphia, PA : Federal Reserve System, 2006.
U.S. Census Bureau, Population Division. U.S. and World Population Clocks. U.S. Census Bureau. [Online] February 13, 2009. [Cited: February 13, 2009.] http://www.census.gov/main/www/popclock.html.
Foster, Andrea L. Increase in Stolen Laptops Endangers Data Security. The Chronicole of Higher Education. [Online] July 4, 2008. [Cited: February 13, 2009.] http://chronicle.com/free/v54/i43/43a00103.htm.
Krebs, Brian. Payment Processor Breach May Be Largest Ever. The Washington Post. [Online] January 20, 2009. [Cited: February 13, 2009.] http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html.