Date post: 05-Jul-2020
InfoWatch Research Center Global Data Leakages & Insider Threats Report, 2012

InfoWatch Research Center

Global Data Leakages

& Insider Threats

Report, 2012


InfoWatch Analytical Labs Global Data Leakages & Insider Threats

Report, 2012


Table of Contents

Executive Summary

Key Facts

Conclusions & Trends

Methodology

Statistics

Accidental and Intentional Leaks

Leak Sources

Personally Identifiable Data

Leak Channels

Leaks by Region

Typical data leaks in 2012

Conclusion


Executive Summary

InfoWatch Research Center brings you the latest annual report on worldwide information leaks recorded and reported in the media during 2012.

For the first time, analysts face a situation in which the picture differs from industry to industry. Against the general background, banks, insurance companies, and telecom operators stand out: in these industries, the proportion of accidental leaks is steadily decreasing. With some slight reservations, this picture applies across the whole commercial sector.

The year 2012 can be named the year of leaks from governmental organizations. There has been a noticeable increase in the proportion of leaks that emanated from government sources, demonstrating the issue of insufficient attention to information security. There is a second, still more obvious, cause: the mass use of mobile devices (smartphones, laptops, and tablets), for which information security teams within government and municipal organizations around the world were clearly not prepared.

The study confirms the previously forecast overall downward trend in accidental leaks across the world. This is due to the increased popularity of information security solutions, and to the specific features of these systems that make them particularly effective against accidental leaks.

The prevalence of information security systems (Gartner suggests that around a third of companies are already using DLP) is reducing only one side of the problem, accidental leaks, and has no impact on intentional leaks. The reason lies in the tendency to perceive DLP systems as software capable of preventing leaks on its own, without any intervention from the information security team. This is completely wrong. While DLP systems can adequately handle accidental leaks, preventing intentional leaks requires a significant consulting element as part of the DLP solution, in terms of developing, introducing and supporting systems to investigate incidents.

In the near future, we can expect changes in the way that DLP systems are perceived and implemented, from the point of view of both vendors and clients. As a result, the information security consulting sector will develop, with a consequent improvement in the information security culture of companies that use these systems.

In this case, it is possible to forecast that over the next 3–5 years, there will be a reduction in 'typical' incidents – 'inexpensive' accidental and intentional leaks.


Key Facts

In 2012, 934 confidential information leaks were recorded and reported in the media worldwide. This is a 16% increase compared with the previous year.

According to official media reports, direct losses suffered by credit and financial institutions as a result of leaks during the first half of 2012 amounted to slightly more than $37.8 million.

More than 1.8 billion records were compromised, including those containing financial and personally identifiable data.

The proportion of accidental leaks is steadily decreasing, representing 38% of the total.

Government and municipal organizations accounted for a higher share of leaks at 29% (9% higher than in 2011).

The majority of leaks – 89.4% – involved personal data.

The most common channel for data leaks was hard copy documents (22.3%).


Conclusions & Trends

For the first time in our research work, we have faced the total impossibility of assessing the full extent of the damage caused to companies as a result of leaks. According to public sources, avowed losses amount to $37.8 million. However, this only represents direct losses, and the figure does not take account of expenditures for legal investigations, mailing notification letters, auditing and restructuring information security systems, etc. It is clear that if these costs were included, the figure for losses would be much greater. Furthermore, when we consider that known leaks represent only a fraction – just a few percent – of total losses, then this figure must be multiplied 30–50 times. The conclusion must be that we are seeing phenomenal losses – in the tens of billions of dollars.

The problem is that actual total losses can fluctuate widely within this range, and any attempts to pin them down more accurately have been doomed to failure. Therefore, from 2012, InfoWatch experts have opted not to provide a figure for total losses; however, it is essential to point out the overwhelming increase in financial losses.

A second consideration worth noting is the shift in the position of commercial companies with regard to incidents that have occurred. Increasingly, companies are not only not covering up incidents that occur, but are consciously cooperating with detailed investigations of incidents and seeking to punish the perpetrators. Strangely enough, this actually has a positive effect on their image.

A third, but no less important, factor is the increasing 'specialization' of data loss prevention systems for accidental incidents. It is already worth considering replacing technological approaches with the creation of systems where information is protected equally effectively from both accidental and intentional leaks. To achieve this, it is the data itself that must be at the center of security efforts, not communications channels or infrastructure. Information must be identified and monitored regardless of its physical location – in other words, whether it is stored locally or on the global network. This is a whole new challenge for the DLP sector.


Methodology

The report is based on InfoWatch's own database, which its experts have been updating since 2004. InfoWatch's database of leaks includes incidents (information leaks) which have occurred in organizations as a result of the inadvertent or intentional actions of their employees, and which have been reported in the media or other publicly available sources (including blogs and web forums).

This means that the study only includes a small proportion (no more than 1–5%) of the actual leaks that occurred worldwide. Nonetheless, the fact that the key indicators have remained stable allows us to conclude that the report is representative. First, there have been no sharp changes in the distribution of parameters (types of leak, leak channels, etc.) for the available sample from year to year; and secondly, the majority of changes that did occur were predicted in advance.

Consequently, it is possible to conclude that the trends observed in the sample of public incidents are replicated across the set of leaks as a whole, both those that are reported and those that remain secret.

Currently, InfoWatch's leak database includes several thousand recorded incidents. For each leak, the date of the incident and the date it was reported in the press are recorded.

Cases in which confidential information was compromised as a result of an external computer attack or other information security incident (DDoS, phishing, and others) are not included in the report.

The classification and registration of incidents in the database is carried out on the basis of analysis conducted by InfoWatch staff. As part of the database auditing process, each leak is assigned various attributes (type of organization, area of activity, type of leak, financial damage) and metrics (channels, type of data leaked). These allow us to gain an impression of the scale of the leak that has occurred, to analyze the possible reasons behind the incident, and predict what the consequences will be.

Information regarding direct damage and the number of records compromised is taken directly from press reports.

We do not carry out a detailed expert analysis of the full losses experienced by companies involved in information security incidents, or their responses to incidents, in order to avoid speculation over exact figures for indirect losses.


Statistics

In 2012, InfoWatch recorded 934 confidential information leaks, a 16% increase over 2011 and 2010 (794 and 801 incidents, respectively). This is an average of 2.5 leaks a day, or 75–80 per month.

The last similar leap was recorded in the 2009 report. Then, compared with 2008, the number of leaks had increased by 40%. This was due to companies and governments paying less attention to information security as a result of the recession.

Fig. 1 Information leaks distribution, 2006–2012

Conversely, the current increase can be explained by the increased attention being paid by regulators, government and other interested parties to the issue of data security. It is no secret that in other countries, every incident involving a leak of citizens' personal data provides grounds for prosecution of those responsible. This is why victims and their lawyers readily make public incidents related to the violation of established handling and storage procedures for sensitive information. Their aim is to increase compensation payments. As a result, the number of leaks reported in the media has naturally gone up.

On the other hand, regulatory authorities are also actively distributing information about leaks. This is typical in the US, where details regarding information leaks are periodically made public by district attorneys, in the form of press releases.

Conclusion:

The prediction InfoWatch made last year – that the number of leaks would stabilize – has not been proved correct. This is due to the increased attention being paid to the issue of information security by all involved in the process, with government and industry regulators playing a particular role. Unfortunately, this is so far happening to a greater extent in Western countries than, for example, in Russia.

Fig. 1 data (number of leaks per year):

Year             2006  2007  2008  2009  2010  2011  2012
Number of leaks   198   333   530   747   794   801   934


Accidental and Intentional Leaks

The balance between accidental and intentional leaks is more or less the same as it was last year. The trend, which we predicted two years ago, toward a decrease in the proportion of accidental leaks as the use of DLP systems became more widespread, is becoming increasingly clear. This is particularly true for industries that have had a traditional focus on protecting information – banks, financial institutions, the telecoms industry, government authorities (in banks, inadvertent leaks account for barely 20% of incidents – see Global Data Leakages in the Banking Sector (Financial and Credit Institutions) for the First Half of 2012).

Analysts at InfoWatch have noted that the introduction of security measures has an impact on the ratio of accidental to intentional leaks. The existing tools available on the market are more effective against accidental incidents than against intentional leaks. It is evident that the percentage of accidental leaks has dropped significantly: Such leaks made up just 38% of incidents in 2012. Against this background, the proportion of intentional leaks has increased to 46% (the proportion of leaks of unknown provenance has not changed significantly, standing at 16% in 2012).

Fig. 2 Accidental and intentional leak distribution, 2011–2012

In many incidents, it is impossible to determine whether a leak was accidental or intentional. This is especially true in cases in which mobile devices—specifically laptops, PDAs and flash drives—are lost. It is not always clear whether the device was lost or stolen. In the case of a confirmed theft, it is not always possible to ascertain whether the target was the device itself or the information stored on it.

Moreover, not all sources of information about leaks contain detailed information about the devices involved. Many media organizations simply do not consider it significant. It is therefore becoming more difficult to accurately determine whether a leak was intentional, and therefore the number of 'unspecified' cases has changed little from year to year.

The ratio of accidental to inadvertent leaks is shown in Fig. 3. It is worth noting that in 2012, we observed a significant increase in the number of accidental leaks compared with the number of inadvertent leaks. The last time we saw a similar trend was in 2009.

Fig. 2 data:

2011: Accidental 43%, Intentional 42%, Unspecified 15%
2012: Accidental 38%, Intentional 46%, Unspecified 16%


The similarity in the figures can be explained by the sensitivity of inadvertent incidents to the introduction of DLP systems. The year 2009 just inherited the success of 2008 (the first wave in the mass introduction of DLP systems). Last year's results indirectly confirm the beginning of the second wave of popularity of DLP systems. As noted earlier, the trend is most clearly noted in industries that are 'early adopters' of information security tools, such as the banking and telecoms industries. In these sectors, the number of accidental leaks is much lower in comparison with the number of intentional leaks.

Fig. 3 Accidental and intentional leak distribution, 2006–2012

Conclusion:

Since 2008, the ratio of accidental leaks to intentional leaks has changed. The decrease in the proportion of accidental leaks in 2012 marks the beginning of a trend predicted by analysts and linked to the widespread use of DLP systems.

Leak Sources

As a result of the laws concerning the protection of personal information which have been widely adopted in many countries, almost all organizations that handle personal data belonging to their customers or that have a large number of staff should take measures to protect this information.

In fact, commercial companies have taken a very serious approach toward protecting information (they were responsible for 41% of incidents, 5% fewer than last year), as have educational organizations (whose share has fallen by more than half to 16%). Government organizations have proved much worse at protecting information – the proportion of incidents occurring at these organizations grew by 9% compared with 2011.

Fig. 3 data (number of leaks per year):

Year         2006  2007  2008  2009  2010  2011  2012
Intentional   237   295   223   382   334   344   430
Accidental     96    38   242   325   420   336   352
Unspecified     0     0    65    40    40   121   152


Fig. 4 Accidental and intentional leak distribution, 2011–2012

It is notable that the drop in the number of leaks from commercial and educational organizations is also evident in quantitative terms (see Fig. 5).

Fig. 5 Information leaks by source type, 2006-2012

Turning our attention to the distribution of inadvertent and intentional leaks in commercial companies (Fig. 6), there are several points worth noting.

Banks account for the highest number of intentional leaks (22% of all intentional leaks) but almost none of the accidental leaks (just 4% of the total).

At the same time, medical institutions have seen both accidental leaks (61% of all inadvertent incidents) and intentional leaks (a third of the total).

Fig. 4 data:

2011: Commercial 45%, Government 20%, Educational 31%, Unspecified 4%
2012: Commercial 41%, Government 29%, Educational 16%, Unspecified 14%

[Fig. 5: chart of leaks per year, 2006–2012, by source type: Commercial, Government, Educational, Unspecified]


Retail companies do not account for a significant proportion of either type of leak.

Fig. 6 Accidental and intentional leak distribution in commercial companies, 2011–2012

Looking carefully at the changes in the distribution of leaks by main source, the proportion of total accidental leaks that occurred in commercial companies has changed very little (around 37%), while the proportion of intentional leaks occurring in companies has gone down.

Fig. 7 Accidental and intentional leak distribution by organization type, 2011–2012

The year 2012 was the year of leaks from government and municipal organizations. Government institutions were responsible for an increased proportion of both intentional and inadvertent leaks. Clearly, this is linked to the understandable delay in introducing DLP technologies in bureaucratic organizations. At the same time, government officials use personal mobile devices as much as those working in commercial organizations. The concept of BYOD is also alive and well in government departments. However, a poor information security culture and the failure to develop an adequate internal usage policy for mobile devices in particular creates the perfect storm for a rise in the number of both intentional and accidental leaks (which is, in fact, what has happened).

Fig. 6 data:

Accidental: Banks and financial organizations 4%, Medical 61%; remaining segments 9% and 26% (legend: Retail, Telecommunications, Other)
Intentional: Banks and financial organizations 22%, Medical 33%, Retail 2%, Telecommunications 7%, Other 36%

[Fig. 7: stacked bars from 0% to 100% for Accidental 2011, Accidental 2012, Intentional 2011 and Intentional 2012, split by organization type: Commercial, Government, Educational, Unspecified]

Conclusion:

The data quoted for commercial organizations (particularly the industry breakdown) confirms the theory that there is a link between the increased popularity of DLP systems and the reduction in the number of accidental leaks. This makes the issue of intentional leaks and ways in which this aspect of information security can be resolved all the more pressing. In essence, it means that a new approach to protecting information and DLP system requirements should be developed immediately.


Personally Identifiable Data

As before, the lion's share – 89.4% – of all leaks involved personal data (last year's figure was 92.4%).

Fig. 8 Leak distribution by data type, 2011.

The fact that leaks of personal data account for such a high proportion of the overall total is partly due to legal requirements concerning the publication of information about incidents involving such leaks. Another factor is that this type of readily available personal data is of interest to a wide circle of criminals, as it can be sold on the black market. Commercial and government secrets are generally leaked intentionally. Currently, incidents become large-scale where data is readily available, and can be sold for money to a wide circle of buyers.

It is particularly surprising that in 2012, a range of incidents were recorded in which commercial and government secrets featured directly as the object of the infringement. In the majority of incidents, publicizing the leak of a commercial secret was generally the result of a wish by the victim to subject the incident to legal investigation. In most countries, theft of commercial secrets falls under either administrative or criminal legislation. As a result, companies that have fallen victim to an intentional leak seek to punish those responsible (whether they are staff or outside criminals) with the full force of the law.

Conclusion:

One of the key ways to combat intentional theft of secret information is to make it harder to sell so that stealing such information becomes unprofitable, and to strengthen the legal framework. If this is done, infringements of this data could decrease significantly.

Fig. 8 data (type of leak):

Personal data 89.4%, Commercial secret 6.0%, State secret 4.1%, Unspecified 0.5%


Leak Channels

A leak channel is a parameter that has a direct practical application. Depending on the frequency of leaks via various channels (i.e., devices), it may be possible to plan the introduction of security measures, as well as to define priorities: which channels need to be dealt with first. Aside from statistical data, however, it is necessary to take into account the nature of the organization's work and which measures and tools are most commonly used to transfer information, and focus on defending and monitoring those.

Fig. 9 Distribution of leaks by channel, 2011–2012

Taking into account the increased popularity of DLP systems, we can expect a fall in the proportion of leaks occurring via traditional channels (in particular, those in which technical security measures are the most effective). As we can see, this holds true for the general distribution. The proportion of web leaks has dropped by half to 6.7% of incidents, and there has been little change in the share of incidents involving PCs (+1%), removable storage (a drop of 0.2%) and e-mail.

The most significant change was recorded in the number of incidents involving hard copies. Oddly enough, it is organizational procedures which are the weak point in information security today. In 2012, this type of leak increased by a further 3%, accounting for 22.3% of all leaks.

Incidents in which information was leaked by e-mail and published accounted for 6.3% of all leaks. This channel, as well as the web channel, is the most popular channel for the distribution and transfer of information. A large number of e-mail leaks in previous years (2007–2009) meant that companies started to monitor this channel very carefully. As a result, a decrease in the number of e-mail leaks is now being witnessed; however, of course, the situation is far from ideal. Furthermore, e-mail is still the most tempting channel for leaks due to its simplicity. It is possible that unpublished leaks are prevalent here, as the percentage of leaks via this channel is smaller than might have been imagined.

Fig. 9 data:

Channel               2011    2012
Unspecified           16.2%   22.5%
Laptops, smartphones   9.6%    9.6%
PC                    13.9%   15.0%
Removable storage      6.2%    6.0%
Web                   13.6%    6.7%
E-mail                 6.2%    6.3%
Hard copy             19.1%   22.3%
Backup storage         8.5%    8.6%
Other                  6.6%    3.0%

Over the last three years, InfoWatch has tirelessly explained the dangers involved in the loss of mobile media devices. Portable devices are lost and stolen in huge numbers, but it is almost impossible to survive without them in modern-day life. For that reason, technical and organizational measures to control such mobile devices and the information stored on them are a topical issue. Do not record secret information on a mobile media device unless doing so is absolutely necessary, and if you must record information, do it in an encrypted format. Observing these rules will make it possible to avoid a significant number of incidents in the BYOD era.

Now let us consider the extent to which intentional and accidental leaks differ on different types of media.

Fig. 10 Distribution of accidental and intentional leaks by channel, 2011

First and foremost, note the large number of unspecified leaks (source not established), which is understandable for intentional incidents.

The situation regarding backup data is lamentable. The large percentage (13.3%) of intentional leaks occurring via this channel suggests that information security teams do not pay sufficient attention to archived (backup) data. Unfortunately, few of the widely used backup systems have integrated encryption. Moreover, it can be easier to steal an archive disk than an 'operational' media device.

Another important channel is PCs and servers. In this case, we are increasingly seeing intentional leaks of information from permanent workstations or servers. However, as a rule, the issue is mostly related to the illegal actions of network administrators. Alongside accountants, systems administrators appear most frequently in news articles about intentional leaks. With (often) unlimited access to network resources, administrators abuse the trust of the companies that employ them for personal profit – selling personal data, slipping information to competitors, and so on.

Fig. 10 data:

Channel               Accidental  Intentional
Unspecified              7.7%       36.7%
Laptops, smartphones    17.0%        2.1%
PCs, servers            10.5%       17.2%
Removable storage        8.8%        1.6%
Web, Intranet            8.8%        3.3%
E-mail                   9.9%        4.4%
Hard copy               29.8%       17.9%
Backup storage           4.0%       13.3%
Other                    3.4%        3.5%

As before, a high proportion of information was inadvertently leaked via e-mail (almost 10%), smartphones and laptops (loss of device – 17.0%) and removable storage (loss of flash drive – 8.8%).

A third of all accidental leaks involve hard copies. Modern DLP systems are able to check all documents sent to the printer and even confirm the presence in the office of the employee who created the printing task. However, once the document has been printed, it is extremely difficult to trace its onward distribution. As it is currently only possible to track the physical movement of paper media using organizational and legal methods, there is little hope in relying on technology in this case.

Conclusion:

The results of our analysis clearly demonstrate that DLP system developers are today facing a new challenge. The concept of a protected perimeter for organizations is, in effect, a thing of the past, since DLP systems must ensure the security of information both within the company's own infrastructure and beyond its boundaries. This means that it is essential to include within DLP systems technology that can identify and monitor information belonging to a company, including out on the global network.

Leaks by Region

The distribution of leaks by region this year did not reveal anything unexpected. The US leads in terms of both numbers of incidents (576, or 61.7% of all leaks) and number of leaks per capita. In second place is Great Britain (97 incidents, or 10.3% of total incidents). Russia is in third place (75 incidents, or 8.3% of total incidents). This is not the first time that Russia has been at the top of the list. Canada was in third place last year, but the year before that, 2010, the 'bronze medal' for leaks was awarded to Russia.


Fig. 11 Leak distribution by country, 2012. Number of reported leaks per 1 million people.

Countries are listed by the number of leaks per million people (LPM).

Countries shown, in chart order: Sweden, Ukraine, Greece, Denmark, Singapore, Norway, The Netherlands, Armenia, Lithuania, Namibia, Russia, Australia, Canada, Switzerland, Israel, Latvia, Great Britain, Ireland, USA, Estonia, New Zealand (horizontal axis from 0.00 to 6.00).

Fig. 12 Leak distribution by country, 2012.

Bar chart; axis: number of reported leaks (scale 0 to 700); legend: Number of Leaks. Countries shown: France, Latvia, Germany, Estonia, South Korea, The Netherlands, Ukraine, Japan, Switzerland, Israel, India, Ireland, China, Australia, New Zealand, Canada, Russia, Great Britain, USA.

Typical data leaks in 2012

USA. Gibson General Hospital notifies 29,000 patients after laptop stolen from an employee’s home

Gibson General Hospital has mailed letters to 29,000 patients informing them that their name, address, Social Security number and/or clinical information may have been on a laptop stolen from an employee’s home on November 27. Unfortunately, as the hospital explains in its statement and FAQ, the hospital cannot determine with any certainty whose data were on the laptop. As a result, the hospital sent letters to all patients who received care at the hospital since January 2007.

India. Document leak case: CBI arrests retired Wing Commander

CBI has arrested a retired Wing Commander of Indian Air Force for his alleged involvement in leaking confidential documents, which were later provided by estranged associate of arms dealer Abhishek Verma to the agency. CBI sources said the retired official of IAF Koka Rao was taken into custody in connection with leaking the documents related to the force. The documents include acquisition plans for next five years for the Indian Air Force and some of them relate to acquisition of unmanned aerial vehicles and related system besides infrastructure developed by the IAF.

Greece. Man arrested over theft of 9 million Greek files

A Greek man has been arrested on suspicion of having stolen 9 million personal data files in what is believed to be the biggest breach of private information the country has ever seen. Police said Tuesday that the 35-year-old, whose name was not released, was found in possession of the data files that included identity card details, tax numbers, vehicle license plate numbers and home addresses.

USA. Info for 55,000 patients and employees stolen from Cancer Care Group in Indianapolis after computer bag with group’s backup left in employee’s car

Information on 55,000 patients and employees at an Indianapolis-based cancer center practice is missing. A spokesman for Cancer Care Group, 6100 W. 96th St., confirmed that someone stole a computer bag belonging to a Cancer Care Group employee on July 19. The bag contained the “Cancer Care Group’s computer server’s back-up media, which contained some patient demographic information, such as name, address, date of birth, Social Security number, medical record number, insurance information, and/or minimal clinical information used for billing purposes only,” the group said. The bag also reportedly contained similar information about the group’s employees.

USA. Former Florida Hospital Celebration employee sold 760,000 patients’ records

The FBI has arrested a former employee of Florida Hospital Celebration, charging him with accessing 760,000 emergency department records over two years and selling them, WFTV in Orlando reports. The bureau alleges that Dale Munroe, who registered patients in the emergency department, primarily accessed records of patients who were in an automobile accident from several hospitals across the state, and sold the records to someone who sold them to chiropractors and attorneys. Patients usually got a solicitation call within a week. The scheme unraveled when one of the calls went to a hospital employee who knew the records were to be private, WFTV reports.

USA. Wisconsin tax collector mistakenly publishes 110,000 tax ID numbers

The Wisconsin Department of Revenue admitted to mistakenly publishing the tax ID numbers – social security numbers or federal employee ID numbers – of 110,000 people and businesses that sold property in the state in 2011. The information was imbedded in an annual real estate sales report that was posted on the department’s website. The report contained 110,795 tax ID numbers, either social security numbers or federal employer ID numbers, of the first seller listed on a real estate property.

UK. Doorstep lender Shopacheck fined £150,000 for data loss

A doorstep lending firm has been fined £150,000 for losing tapes containing the personal details of 510,000 customers. The back-up tapes, which have never been recovered, contained details of loans to customers of Welcome Financial Services Ltd's Shopacheck business. They also held bank account details and CV information for 20,000 people who worked at the firm from 2002 to 2010. The tapes included information relating to nearly two million customers, although personal details only related to about a quarter of those. Both tapes were not encrypted.

USA. Bethpage Federal Credit Union details data breach

Bethpage Federal Credit Union on informed personal information of 86,000 consumer VISA debit card accounts had been exposed on the Internet. The company said an employee on May 3 posted data on a file transfer protocol site that the employee believed to be secure. But Bethpage Federal later found the data could be accessed through search engines. It removed the data one month later once it became aware of the breach and sent out emails informing those affected.

UK. Data Loss Incident in UK Reveals Hazards of Storing Data on Tape

The Cattles Group, a financial services concern in Great Britain, recently announced that it has “misplaced” the personal information of nearly 800,000 of its customers. The data was kept on tapes, which recently disappeared from the firm’s corporate offices in Birstall, West Yorkshire, which is approximately 256 kilometers (160 miles) from London. The incident reveals the hazards and limitations of relying on physical media as the sole means of storing sensitive information. The lost information includes the names, addresses, dates of birth, phone numbers and email addresses of 600,000 customers, as well as the names and addresses of 200,000 others.

Conclusion

In 2012, InfoWatch recorded 934 confidential information leaks that were officially reported in the media. This is 16% higher than the figure for the previous year.

For many incidents it is not possible to determine whether the leak was intentional or accidental, and thus it becomes harder to define the intent behind the theft of data. It is significant that the proportion of leaks in which it was not possible to determine the intent has remained practically unchanged at 16%.

The proportion of leaks from educational and non-commercial organizations has leveled out, which essentially confirms the peak of accidental incidents in 2011 (last year, we suggested that the increased number of leaks from the educational sector was primarily due to accidental leaks). In commercial organizations, there has been a reduction in the proportion of accidental leaks, which confirms the previously stated theory that the share of accidental leaks is affected by the rate of penetration of DLP systems. However, the proportion of intentional leaks in these organizations is still just as high. This is directly connected to the potential for profiting from the theft and distribution of confidential information. Here, organizational, judicial and even legislative measures are just as important as technical measures.

As before, the majority of leaks – 89.4% – concerned personal data. One of the ways to combat the intentional theft of personal details is by making the sale of this information more difficult. This can only be done through legislation. The second accessible option is to fundamentally increase the sanctions for the improper handling of data in combination with a consistent government policy on this issue.

Among the most common channels through which information is leaked, paper documents account for more incidents than any other. As before, backup storage media, personal computers and network storage are popular among those with malicious intent. It is noteworthy that, among the channels that are popularly used to intentionally leak information, mobile devices were responsible for a smaller proportion (above all, this is linked to the fact that it is impossible to say for sure in each case whether we are dealing with an information leak or an ordinary theft). It is also interesting that those with malicious intent almost never use e-mail to release information. This is explained by the well-established accountability procedures put in place by information security teams for this channel.

The ambiguity over the treatment of any one event as intentional or accidental leads to the conclusion that there is significant overlap in the nature of the two types of leak. As a result, it is essential that we now consider moving to universal technologies to detect leaks and monitor information flows. It is clear that content-oriented information security systems must be equally effective in working with data inside the organization (storing, handling, transferring within the company) and beyond its boundaries, on the global network.

