June 11, 2008 5:46 AM PDT

Reports examine causes, victims of data breaches

by Robert Vamosi

On Wednesday, Verizon Business released a four-year study concluding that 9 out of 10 corporate data breaches could have been prevented, had appropriate security measures been taken. The Verizon report includes the results of more than 500 forensic investigations, including three of the largest data breaches ever reported.

Meanwhile, the Identity Theft Resource Center released its 2007 report on identity theft, offering comparisons to data it's collected over the last five years.

Verizon found that 73 percent of the data breaches were the result of outside sources, with only 18 percent from insider threats. Of the outside sources, 39 percent were attributed to business partners. Third parties, not victimized organizations, discovered 75 percent of the breaches.

Attack methods vary around the world, Verizon found. Attacks from Asia, particularly China and Vietnam, often involve application exploits. Attacks from the Middle East involve site defacements. And attacks from Eastern Europe and Russia involve point-of-sale compromises.

The ITRC report looks at the other side: the impact of identity fraud on its victims. In 2007, 57 percent of stolen information was used to open a new line of credit, while 13 percent was used to order cable or other utility services.

Eighty-two percent of the victims learned of the theft through creditors or collection agencies, up from 76 percent a year ago. Only 10 percent found out through proactive measures, with 8 percent identifying something on their credit reports.

More disturbing, 62 percent of the respondents to the ITRC survey reported that thieves had committed crimes, such that warrants were issued in the victim's name.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Lerianis June 11, 2008 7:51 AM PDT
The biggest problem with identity theft online or offline is that some people are stupid: leaving their personal information out in the open where anyone can get to it.
There is also the bigger problem in our society of using our Social Security numbers as 'catch-all personal identification numbers'.
by BenjaminWright June 12, 2008 7:53 AM PDT
Robert: Legally speaking, what is "reasonable security?" FTC fined TJX for not having it, but I disagree. Verizon says 9 of 10 data breaches could have been avoided if reasonable security were present. That implies 9 in 10 breach victims were in violation of law. The study's outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates whether reasonable security could have prevented a break-in, it does so with the benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is "an extremely complex challenge." In other words, the sheer problem of keeping up with the location of data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon's reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
by christophercnd June 12, 2008 5:50 PM PDT
LOL - so it took Verizon 4 years to discover that hindsight shows you how to protect yourself? Man - I want *that* dude's job!!!

It's quite bothering though - what's with the 10% who, even with hindsight, couldn't have fixed the problem?

And what about the "Application Exploit" attacks? He knows how to / can figure out what an "appropriate security measure" is to protect me against a buffer overflow mistake that nobody knows about yet?? Why doesn't he do something useful with his talent, like buy lottery tickets. If I could see the future, I wouldn't waste my time doing security reports!!!

Cool - not only does he get 4 years' pay to fartarse around doing what he likes, he even eventually spews forth drivel, and still nobody seems to notice...
by johnfranks1234 June 24, 2008 6:30 AM PDT
An excellent and timely article: It's amazing that breaches and thefts keep happening. There is something that is helping a lot of people, judging by the business blogs I've been reading. It's a defined eCulture called "The Business-Technology Weave" - it helps to influence employee behaviour as regards security, use and integrity of data - as well as protection of hard assets (such as laptops). The book "I.T. Wars" is the leading voice, and concentrates on the solution: a proactive treatment and training of people, and reinforcements to their corresponding security awareness. This is particularly relevant: www.businessforum.com/DScott_02.html . Some good stuff here too: www.david-scott.net . We use his book at work - stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it.