According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011. That’s an increase of over 37.4% in incidents and of 370% in records compared to 2010. According to research conducted by the Ponemon Institute in 2010, the average cost of a data breach was roughly $209 per compromised record. That brings the price tag for 2011 to over $26 billion. The following is an analysis of the incidents:
Types of Breaches
Hacking – deliberately breaking into computers – became the most common means of breach last year.
- RSA
The security division of data storage firm EMC was hit by a hack that compromised their popular SecurID cryptographic keys, forcing them to offer replacements to their clients. The stolen information was later used in an attack on defense giant Lockheed Martin. RSA has provided a useful working definition of the term advanced persistent threats, or APTs, as “military-grade cyber-attacks on commercial entities”. In the face of APTs, businesses need a new defense doctrine, which is under discussion by an increasing number of corporate chief information security officers.
- Texas Comptroller
A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees. No hacking was necessary to access this server.
- Sony
In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions. Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation network. The Sony breaches followed several similar data breaches at online service suppliers such as Play.com and Lush, so what effect are they likely to have on the online services industry?
- SK Communications
A complex attack on the Internet company netted the personal information of 35 million South Korean users. That’s in a country of 50 million people.
A few of the defense contractor’s backup tapes were stolen out of an employee’s car. The tapes contained the medical records of more than 5 million military patients.
- Sutter Medical Foundation
A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses. This incident brought on a class action suit, alleging negligence in securing data.
Incidents by Business Type
Cybersecurity was one of the top buzzwords for 2011 as commercial organizations increasingly found themselves up against advanced and persistent attacks to the degree previously seen only in military organizations. Information security has moved up in the agendas of most corporations and other businesses, but government too is placing increasing emphasis on the topic, backing national cybersecurity efforts with dedicated budgets.
Incidents by Offending Party
While more and more companies are becoming aware of the problem, few have taken action. As the above analysis demonstrates, the case for taking action has never been so persuasive.