New Report: Data Breaches up 47% in 2008; Insiders Blamed
Researcher: 'If I Were a Financial Institution, I'd be Nervous'
This is the news from the Identity Theft Resource Center's (ITRC) 2008 breach report, which shows that 2008's 656 reported breaches were up 47 percent over 2007's total of 446. Seventy-eight of the breaches were at financial services companies. And the ITRC says breaches will continue expanding until more companies start taking data protection seriously.
The two most prevalent methods used to remove data from financial services companies are external hacking and insiders, according to Jay Foley, Executive Director at ITRC. "The most recent CSI report shows that 70 percent of hacking has been from the inside, meaning a trusted insider did it," Foley says. "If I were a financial institution, I'd be nervous."
Other data-loss methods tracked include data on the move, accidental exposure and subcontractors.
The ITRC monitors reports from five groups: business, education, government/military, health/medical and financial/credit. Over the three years the ITRC has compiled this report, the financial, banking and credit industries have remained the most proactive groups in terms of data protection.
Report Card for Banking Institutions
But despite having the best record among the five groups, financial institutions still suffer a great deal of loss. Missing laptops and backup tapes stand out as some of the more glaring areas for data loss. In looking at the entire number of breaches, only 2.4 percent of all breaches had encryption or other strong protection methods in use, and only 8.5 percent of reported breaches had minimal password protection.
"That leaves the rest that were unprotected," Foley notes. "Encryption is an extremely positive tool." If one bank encrypts its information and the bank next door doesn't, he asks, "Where do you think the hacker will go to get data?" Foley makes an additional point: most backup tapes or cartridges must be read on equipment that is expensive and not easily attainable to the average hacker. "If I were a bank and one of my non-encrypted backup tapes went missing, I wouldn't worry too much. An unencrypted laptop goes missing, that's a whole different matter," he says.
Foley recommends making the rewards for using encryption higher than penalties for not using it. One type of reward would be if encrypted data is stolen, an institution would not have to report it except to law enforcement and regulators. "The fact is, encryption is incredibly strong, and unless a hacker is spending a great deal of time and effort to break it, it won't be breached," he adds, cautioning that no data can be 100 percent protected.
Reputations at Risk
The financial services industry is doing three times better than businesses in protecting data, says Foley, though the industry is not immune to the trends that continue to pervade the other four groups.
Foley sees the tide turning with laws such as the FACTA ID Theft Red Flags rule, and expects companies to begin facing lawsuits over improper data protection. "In the coming years we're going to see more and more lawyers stepping up to say 'Company X, you didn't have proper procedures in place to protect customer data,'" he predicts.
The other side pressuring change will be consumers, who have heard "for the last eight to 10 years that they need to protect their personal information." Most consumers' data is spread everywhere, from the doctor's office to a mortgage loan application to an application for utility service. "A consumer at best only controls 15 percent of their personal information," Foley says. "Companies and other entities hold the other 85 percent." These companies and financial institutions need to be ready to answer the hard question from John Q. Public: "How are you protecting my data?"
Based on the breach reports from the past three years, the ITRC strongly advises all agencies and companies to: