Identity Fraud Study From the AARP: Use It for Your Awareness Efforts

Yesterday (9/1) the AARP announced a new report they commissioned, "Into the Breach: Security Breaches and Identity Theft."  They provided links to the full report, but unfortunately they do not work!

The press release sounds interesting, though.  A few of the excerpts:

"A new report from the AARP Public Policy Institute (PPI) states that from January of 2005 through May of 2006, 89.8 million Americans were potentially exposed to identity theft as a result of security breaches involving sensitive personal information. As security breaches at high profile institutions have made the public aware of the seriousness of this problem and more concerned about the safety of their personal information, PPI has analyzed the kinds of institutions most often experienced by security breaches and also the most common ways used to gain sensitive personal information.

The report, "Into the Breach: Security Breaches and Identity Theft," closely examined 244 publicly disclosed security breaches that took place from January 1, 2005 through May 26, 2006. It found that educational institutions were more than twice as likely to report a breach as healthcare organizations, financial services companies, corporations, and government agencies.

The report found that 40 percent of the publicly disclosed security breach incidents were caused by hackers or insider access specifically targeting sensitive personal information. Breaches caused by hackers or insider access put the personal information of 50 million individuals (making up 56 percent of all breach victims) at risk of identity theft."

"The report notes that of all the ways used to improperly gain or display personal information, 30% are the result of breaches from the inside."

I wish I could see the full report!  I always like to see what they pick out of the full report to put into the press release.

An interesting finding is that educational institutions were more likely to report a breach than other types of organizations.  That stands out considering all the other industry-specific data protection laws for industries such as financial services and healthcare, and even more so considering that there are at least 33 state-level breach notification laws, many of which apply to all types of organizations.  Of course, the study looked back to January 1, 2005, and most of the state-level notification laws went into effect several months, or even over a year, after that date.

I found one of the statements a little confusing though: 40% of incidents were "caused by hackers or insider access specifically targeting sensitive personal information."  Insiders with authorized access are a very different type of threat than hackers from the outside.  It would have been good to break those two demographics apart.  However, the gist of this statement is probably that the personal information was specifically targeted.  A June 2005 New York Times article reports criminals can get paid $100 for each individual’s personal information.  When you look at how many thousands, and even millions, of individuals’ data are often on stolen computers and within compromised databases, that amount of crime profit is quite significant.  That is certainly motivation to target such information.

30% of the incidents occurring from the inside is not surprising; it is actually a little lower than I’d expect.  However, even though the insider threat is nothing new, these types of studies help to validate the insider threat to business leaders and demonstrate the need for strong information security controls and procedures, not just for preventing access into the network, but also within the network perimeter and for everyone using the network.

The AARP report is timely considering the theme of Global Security Week is identity theft; this is a report you can use and reference within your awareness messages.  In fact, one of the activities going on next week in Texas is a series of presentations by Melissa Guenther to customers at different locations of a grocery store chain.  This particular chain reportedly has a very large percentage of retired folks who are customers, so using this study should resonate with them.
