Tuesday, July 01, 2008

Data Theft Grows 68 Percent in 2008

Linda Foley at the Identity Theft Resource Center made an ominous announcement that data breaches were at an all-time high. According to research conducted by the group, the number of data breaches has grown 68 percent in 2008 versus the same time period in 2007.

The current study acknowledges that some breaches are underreported and that multiple breaches are sometimes reported as a single event. The breaches at BNY Mellon and SunGard data were cited as examples of a single event affecting multiple businesses.

The report shows an increase in data breaches at businesses, financial institutions and health/medical institutions. Interestingly enough, breaches that involved the government/military and educational institutions showed a decrease.

Breaches are also becoming more technology-based. Electronic data breaches accounted for 80.7 percent of the total, versus 19.3 percent that were considered paper breaches.

I suspect that the increased activity at businesses and financial institutions is because the goal is to steal financial instruments that already have a cash value associated with them. As the general public has become more aware of the issues surrounding identity theft, opening fraudulent accounts with other people's information is becoming more difficult. More people are reviewing their credit and placing alerts/freezes on their individual reports, either by doing it themselves or paying a service to do it for them. When accounts are stolen that already have disposable spending power (or cash) on them, identity theft protection is unlikely to stop them from being compromised.

Because of the increased awareness, more fraudsters take over accounts instead of trying to open new ones. Most of the current identity theft protection methods being used will not stop this from happening.

As for the statistic that electronic theft is becoming more prevalent than paper theft, perhaps shredding documents is making stealing paper harder? Of course, it might also mean that the methods to steal information electronically have become more advanced. Crimeware kits of the DIY (do-it-yourself) variety have spread this ability to people who lack the technical skills to do it by themselves. There is a lot of evidence that these kits aren't too hard to purchase over the Internet and that sometimes they even come with technical support.

ID Analytics partnered with the study and added statistical information showing that 39 percent of data exposures were caused by missing or stolen devices in 2007. Their statistics also show that malicious intent in data breaches is a growing trend. Malicious intent categories include insider theft and access into account information by external methods (hacking).

A new trend, not specifically mentioned in the report, is large caches of stolen information being discovered that no one knew about before. Yesterday, Dark Reading announced that SecureWorks found one of these caches. Finjan has recently reported finding pretty much the same thing located on what they refer to as "crimeservers" on the Internet. The announcement by SecureWorks reported that hackers are using a trojan called "Coreflood," also known as "AFCore."

SecureWorks reported that this trojan has gone undetected for a number of years and has compromised corporations, government agencies, healthcare agencies and "others." In this attack, one workstation would be compromised and the hacker would wait for an administrator to log on. Once the administrator logged on to the infected workstation, the hacker would then use the administrator's privileges to infect entire systems. This "hack" is being used to grab user names, passwords and even entire pages of information. Please note (my speculation) that this type of exploit is probably being used to steal more than financial information, also.

Given the fact that SecureWorks mentions government sites being hacked in this manner, there is no telling what the intent might be or who the information is being sold to (my speculation).

To the best of my knowledge, neither SecureWorks nor Finjan has disclosed exactly who has been compromised or the exact details of the information to the general public.

This should lead the average person to believe that the problem of data breaches is far greater than anyone knows. The ITRC study explains why this is a problem when compiling any study on this subject.

Besides the ITRC, there are a lot of dedicated people gathering statistical information on data breaches. While they can only track information on the known occurrences, these people do a lot to educate the rest of us and raise the awareness level of what is becoming a growing problem.

The report gives credit to PogoWasRight, Attrition.org, breachblog.com, the Maryland and New Hampshire Attorney General breach notification lists and other sources that were used to compile this report.

The ITRC is a nonprofit organization designed to help businesses and people protect themselves from this clear and present danger to all of us. If you are interested in this problem, their site is a good place to educate yourself.
