16 August 2017
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com

739Posts 2,010,042Views 62Comments

Data Breaches: The Insanity Continues

13 January 2010  |  3067 views  |  0

The Identity Theft Resource Center Breach Report also monitors how breaches occur.  This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches.  For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009.  This was a change from all previous years, where human error was higher than malicious attacks.  One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information.  For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Insider Theft 16.9%
Hacking 19.5%
Data on the Move 15.7%
Accidental Exposure 11.8%
Subcontractor 7.2%

Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.  With that in mind:

Insanity 1 – Electronic breaches:  After all the articles about hacking, and the ever growing cost of a breach, why isn’t encryption being used to protect personal identifying information?  Proprietary information almost always seems to be well protected.  Why not our customer/consumer personal identifying information (PII)?

Insanity 2 – Paper breaches:  Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII?  Do we dare ask that those laws be actually enforceable?  Perhaps we are waiting for paper breaches to reach 35% of the total.

Insanity 3 – Breaches happen:  Deal with it!  You will get notification letters.  Breach notification does not equal identity theft.  Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website.  This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.

Insanity 4 – A Breach is a Breach:  Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.”  If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?”  Some companies might say “no.”

Insanity 5 – Data on the Move:  You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years.  But, really!  This is 100% avoidable, either through use of encryption, or other safety measures.  Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.”  With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.”

Protect your identity. Invest in identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

TagsSecurityRisk & regulation

Comments: (0)

Comment on this story (membership required)

Latest posts from Robert

What Was Scary About Blackhat 2017?

02 August 2017  |  5465 views  |  0 comments | recomends Recommends 0 TagsSecurity

Black Hat 2017 was an Amazing Event

29 July 2017  |  6081 views  |  0 comments | recomends Recommends 0 TagsSecurity

Blackhat Hackers Love Office Printers

28 July 2017  |  4782 views  |  0 comments | recomends Recommends 0 TagsSecurity

Getting Owned or Pwned SUCKS!

13 June 2017  |  5558 views  |  0 comments | recomends Recommends 0 TagsSecurity

Parents Beware of Finstagram

27 April 2017  |  5064 views  |  0 comments | recomends Recommends 0 TagsSecurity

Robert's profile

job title Security Analyst
location Boston
member since 2010
Summary profile See full profile »
Security analyst, published author, television news correspondent. Deliver presentations throughout the United States, Canada and internationally on identity theft protection and personal security....

Robert's expertise

Member since 2009
732 posts62 comments

Who's commenting on Robert's posts

Ketharaman Swaminathan
Adedeji Olowe