The Leaking Vault

Suzanne Widup, MSIA, graduated with honors from the MSIA program at Norwich University in 2007.  She has significant experience in workplace investigation, digital forensics, e-discovery and litigation support.  Her background includes 16 years of security and Unix system administration, technical support, and software development.

She recently put together a data breach study (The Leaking Vault – Five Years of Data Breaches), released in July 2010 by the Digital Forensics Association.  The study looks not only at the number of records exposed by breaches, but also at the frequency of incidents, breach vectors, geography, organizational and data types, relationships between data subjects and the organizations, how the data subject victims were treated by the disclosing organizations, and, finally, cost estimates.  It is a very impressive study that takes a multi-perspective view of data breaches and their impacts, and it is covered in a great article at NetworkWorld.  Below are some of her key findings about how many breaches there were and how most of them happened.

  • Information on the number of records lost provides the scope of the incident and how many people it affected.  The study covers 2,807 publicly disclosed breach incidents, with over 721.9 million records disclosed.  To put this in perspective, organizations lost an average of 388,342 records every day for five years.
  • The leading vector for number of data breach incidents is the laptop computer.  Missing laptops were stolen 95% of the time as opposed to being lost.  Either way, the organization has lost control over the data, and the potential for disclosure is there.
  • The laptop vector averaged 71,749 records lost per incident.
  • Mitigation considerations should include encrypting the data, or preventing confidential data from leaving the organization on a portable device.
  • For number of records disclosed, the hacking vector led by a wide margin: it was responsible for 327 million records but accounted for only 16% of the incidents.
  • The hacking vector averaged 716,925 records lost per incident.
  • When looking at mitigation for the hacking vector, consider perimeter defenses as well as detective controls.  Preventing an incident is the best-case scenario, but given the risk, timely detection and containment are essential to reducing the damage to the organization.

Pay close attention to the Conclusions And Recommendations section.  There is some good high-level advice there for businesses of all sizes regarding end-to-end data lifecycles, awareness programs, passwords, third-party audits, and incident response plans.

Source article: NetworkWorld