Trying To Determine Actual Numbers of Privacy Breaches Since 1980; An Exercise in Futility?

Today a press release caught my eye, “Hackers get bum rap for corporate America’s digital delinquency.”
Hmm…sounds interesting. Let’s see what is behind this nicely-hooking title.

According to Philip N. Howard, assistant professor in the Communication Department at the University of Washington the compromise of what he projects to be 2 billion individuals’ personally identifiable information (PII) records within the U.S. by the end of this year is primarily the fault of business organizations, and not overwhelmingly the fault of hackers.
Yes, organizations are responsible for securing the PII they possess, and they need to implement an effective information security program to reduce risk as much as is reasonable. However, you can never have 100% security; every organization has unknown vulnerabilities that even the best risk assessment cannot reveal.
He based his research on “a review of breached-record incidents as reported in major U.S. news media from 1980 to 2006.”
Well, my skepticism of how accurate his findings are going to be just increased again. Until California SB 1386 very, very few breaches were reported. He even acknowledges this within the report.
Howard is also a little behind on the numbers of current state level breach notice laws; he indicates there are “more than 20,” which is true, but significantly less than the at least 35 state breach notice laws for which I’m aware.
Even so, I know many of the privacy breaches still do not reach the news media. I know of at least 4 breaches in the last part of 2006, that were appropriately reported to the individuals impacted, that were not publicized.
Part of the press report for the report states:

“Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches.
Likely as a result of California’s law and similar legislation adopted by other states, the number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases).
The education sector, primarily colleges and universities, amounted to less than 1 percent of all lost records, but accounted for 30 percent of all reported incidents.
A single 2003 incident involving 1.6 billion records held by Acxiom, an Arkansas-based company that stores personal, financial and corporate data, dwarfs all others. In that case, the offender controlled a company that did business with Acxiom and had permission to access some files on Acxiom’s servers. But he illegally hacked into other records and then tried to conceal the theft, prosecutors charged.
A much different picture emerges, however, when the past quarter century is viewed in terms of the number of reported incidents. Three out of five point to organizational malfeasance of some variety, including missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online, Howard and Erickson found.
Thanks to the mandatory reporting process established by California, “We’ve actually been able to get a much better snapshot of the spectrum of privacy violations,” Howard said. “And the surprising part is how much of those violations are organizationally prompted — they’re not about lone wolf hackers doing their thing with malicious intent.”
While corporate America would prefer to let “market forces” — factors such as negative publicity and expenses generated by data loss — take care of the problem the authors aren’t convinced that would make for an effective strategy, especially with identity theft listed as the fastest-growing crime in the United States. Based on recent history, it looks as though states are more apt to fill the regulatory void than the federal government, Howard said.
Another noteworthy trend, he said, is what’s happening in the education sector, which accounted for nearly a third of reported breaches. This could be explained, Howard and Erickson said, by the fact that colleges and universities “have an organizational culture geared towards information sharing.””

Yes, it is true that the insider threat is significant and a huge amount of incidents and resulting privacy breaches occur through not only malicious insiders, but also through insider mistakes, lack of controls, and lack of knowledge.
What worries me about this press release is his statement, “And the surprising part is how much of those violations are organizationally prompted — they’re not about lone wolf hackers doing their thing with malicious intent.”
It reads as though he is dismissing the bad things outsiders try to do to get their hands on PII. What about phishing schemes used against corporate personnel? The report says it did not take these types of attacks into consideration. What about spyware? What about P2P exploits? What about keyloggers? What about the Choicepoint incident, which impacted 163,000 individuals as a result of malicious outsiders, criminals who wanted to get the PII for identity theft purposes? What about…so many others?
I want to see the full report to see what it actually says. Perhaps it provides some clarification.
It did not take me long to find a pre-publication draft of the report on the World Information Access Project site.
Okay, now I’m looking at Table 1. Right away it is looks as though they are basing their conclusions upon vastly incomplete data. They are rolling so many 0’s into their interpretation, 0’s meaning that either no incidents of PII compromise occurred, as well as 0’s that mean no incidents were reported. Just because no incidents were reported in the 1980’s, 1990’s and early 2000’s does not mean no privacy incidents occurred.
So if a tree falls in the forest it does not make a sound? Sounds like the same logic.
Table 2 is also interesting in that it shows hacking to be a significant percentage of breach causes throughout the entire study review period, and the summary shows that 91% of the cumulative breached PII records throughout the years were attributed to hacking. But yet their headline for the press release indicated that hackers were getting a bum rap?
Let’s read on…
Yes, organizations are, and should be responsible, for protecting the PII they possess. However, that does not diminish the many different threats hackers also present to PII in the care of organizations.
As I’m reading through this it seems as though the authors have no experience or background as information security practitioners. There is little mention or consideration of the fact that in 1980 data was primarily processed and stored in highly centralized mainframes, but that over the years new technologies have created more mobile computers and more mobile data, putting it at risk in more ways than ever before. Those risks are only going to continue to increase as technology continues it’s forward march. Yes, they do acknowledge the technology changes, but it just does not read as being significant within the report.
The report references legal obscenity, indecency, piracy and gambling cases as part of this report when talking about the legal issues of privacy breaches. This seems oddly out of place with the premise of the report findings, even if they are trying to use these cases as a way to show that laws lag behind technology.
It is interesting the report points out that the USA PATRIOT Act strengthened the Computer Fraud and Abuse Act by making it more broadly applicable to computer crimes and increasing the penalties, and how it did not seem to prevent incidents, but the report did not discuss the associated risks to privacy that the USA PATRIOT Act created through the increased surveillance and PII gathering that occurs…data which is then subject to the same breaches risks they are writing about.
Another problem with the report is just with the concept of “hacker.” It seems they are basing their description of a hacker upon a referenced text that is 10 years old…and a description of hackers that is even older. That term has definitely changed over the years. And it is still quite subjective. The authors of this report are talking about hackers largely in the original sense of someone who is just curious and wants to learn how a system works and does not really want to do harm. However, a problem with trying to do this is that for the past several years the news media, corporate leaders and most vendors have used the term to mean someone who is malicious and wants to commit crime and mayhem with corporate data. Trying to turn back the clock on the terminology may be a noble academic effort, but it does not translate well to the business leaders who will read the headlines and tell their information security department that they shouldn’t worry so much about putting resources toward preventing hackers…information security practitioners have enough trouble getting resources the way it is without having to deal with one more misconception taking away their already meager budgets.
A weakness in this analysis and resulting conclusions is that the data being analyzed is only that which has been reported. The report does acknowledge this:

“Over the decade, journalists would not have discovered all incidents, and even though current California law requires that a person whose data had been compromised be so informed, such a breach is not necessarily noted in news archives.”

But I do not believe from the way the report reads that the authors are taking into account how significant the numbers of breaches are that occur but are never reported. And another consideration I did not see accounted for are the numbers of breaches that are never even discovered. Keep in mind that a large number of privacy breaches are not even known to organizations until someone from outside of the organization, most commonly a customer, has notified the organization to let them know that there is unusual activity going on with credit card accounts. Skilled malicious hackers knows how to cover their tracks so that they can continue their crime without being caught for as long as possible.
The report also concedes:

“Consequently, ‚Äúphishing‚Äù or spoofing scams where victims are deceived into volunteering their own personal information are not included in our analysis.”

That is too bad, because often times these schemes also exploit in tandem the network upon which the user, many times from their employer’s network, is responding.
I am sorry, I am rambling…
All in all I believe the goal of this report was noble and well intended. There are some good pieces of information contained within the report. But I think it is important for information security and privacy practitioners to read it in its entirety and not depend upon the press release that contains the most sensational interpretations of the study.
I really like seeing the results of studies and learning from the interpretations. However, in this case the data used to base conclusions upon are incomplete and cannot be depended upon to truly determine with confidence that hackers are not a significant source of privacy breaches.
As Thoreau said, “we do not know what we do not know.”
And it is certainly applicable to determining the true preponderance of PII breaches. There is not consistent data collected for privacy breaches.
Organizations do not collectively all follow the same definitions of breaches to be able to accurately determine the true number of breaches. Most organizations do not even know if they have even been breached.
Trying to put an accurate number, or even range, on the true number of actual PII breaches is a moving target.
I enjoyed reading this report, but my fear is that business executives, CEOs, CIOs and so on, will read the press release and decide that they do not need as many defenses for outside threats.
The bottom line is still the same; organizations need to determine the threats and vulnerabilities applicable for their own unique environments, from both the inside and outside, for all their locations, and establish the controls and safeguards to reduce those resulting risks to an appropriate level for their business.

Tags: , , , , , , , , ,

Leave a Reply