New Report: Data Breaches up 47% in 2008; Insiders Blamed

Researcher: 'If I Were a Financial Institution, I'd be Nervous'
Reported data breaches increased by nearly half in 2008, and 12 percent of the total hacks were at financial institutions - up from 7 percent in 2007.

This is the news from the Identity Theft Resource Center's (ITRC) 2008 breach report, which shows that 2008's 656 reported breaches were up 47 percent over 2007's total of 446. Seventy-eight of the breaches were at financial services companies. And the ITRC says breaches will continue expanding until more companies start taking data protection seriously.

The two most prevalent methods used to remove data from financial services companies are external hacking and insider activity, according to Jay Foley, Executive Director at ITRC. "The most recent CSI report shows that 70 percent of hacking has been from the inside, meaning a trusted insider did it," Foley says. "If I were a financial institution, I'd be nervous."

Other data-loss methods tracked include data on the move, accidental exposure and subcontractors.

The ITRC monitors reports from five groups: business, education, government/military, health/medical and financial/credit. Over the three years the ITRC has compiled this report, the financial, banking and credit industries have remained the most proactive groups in terms of data protection.

Report Card for Banking Institutions

But despite having the best record among the five groups, financial institutions still suffer a great deal of loss. Missing laptops and backup tapes stand out as some of the more glaring sources of data loss. Across all reported breaches, only 2.4 percent had encryption or other strong protection methods in use, and only 8.5 percent had even minimal password protection.

"That leaves the rest that were unprotected," Foley notes. "Encryption is an extremely positive tool." If one bank encrypts its information, and the bank next door doesn't, he asks, "Where do you think the hacker will go to get data?" An additional point Foley makes is that most backup tapes or cartridges must be read on equipment that is expensive and not easily attainable to the average hacker. "If I was a bank and one of my non-encrypted backup tapes went missing, I wouldn't worry too much. An unencrypted laptop goes missing, that's a whole different matter," he says.

Foley recommends making the rewards for using encryption greater than the penalties for not using it. One such reward would be that, if encrypted data is stolen, an institution would not have to report it to anyone except law enforcement and regulators. "The fact is, encryption is incredibly strong, and unless a hacker is spending a great deal of time and effort to break it, it won't be breached," he adds, cautioning that no data can be 100 percent protected.

Reputations at Risk

The financial services industry is doing three times better than businesses in protecting data, says Foley, though the industry is not immune to the trends that continue to pervade the other four groups.

Foley sees the tide turning, with laws such as the FACTA Identity Theft Red Flags Rule, and expects companies to begin facing lawsuits over improper data protection. "In the coming years we're going to see more and more lawyers stepping up to say 'Company X, you didn't have proper procedures in place to protect customer data,'" he predicts.

The other source of pressure for change will be consumers, who have heard "for the last eight to 10 years that they need to protect their personal information." Most consumers' data is spread everywhere from the doctor's office to a mortgage loan application to an application for utility service. "A consumer at best only controls 15 percent of their personal information," Foley says. "Companies and other entities hold the other 85 percent." These companies and financial institutions need to be ready to answer the hard question from John Q. Public: "How are you protecting my data?"

Recommendations

Based on the breach reports from the past three years, the ITRC strongly advises all agencies and companies to:

Minimize personnel with access to personal identifying information;
Require all mobile data storage devices that contain identifying information to encrypt sensitive data;
Limit the number of people who may take information out of the workplace, and set into policy safe procedures for storage and transport;
When sending data or back-up records from one location to another, encrypt all data before it leaves the sender and create secure methods for storage of the information, whether electronic or paper;
Properly destroy all paper documents prior to disposal. If they are in a storage unit that is relinquished, ensure that all documents are removed;
Verify that your server and/or any PC holding sensitive information is secure at all times. In addition to physical security, you must update anti-virus, anti-spyware and anti-malware software at least once a week and allow your software to update as necessary in between regular maintenance dates;
Train employees on safe information handling until it becomes second nature.

About the Author

Linda McGlasson
Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.