Study Finds Minimal Transparency in Breach Reports

Tuesday, July 17, 2012



A report from the Identity Theft Resource Center (ITRC) found that, of the 213 data breaches it recorded in the first half of 2012, nearly two-thirds (63.4%) included no attribution information about the cause of the exposure.

"The Identity Theft Resource Center recorded 213 breaches for the first six months of 2012, with an astonishing 63.4% of them having no reported attributes. This represents a doubling in the number of data breaches which did not have any type of attributes identified for the incident, giving the public little or no insight into what happened. This trend makes it obvious that with few exceptions, there is minimal transparency when it comes to reporting breaches," the ITRC stated in a press release.

ITRC has been tracking breaches since 2005 and classifies their causes under several attribution categories: insider theft, hacking, data on the move, accidental web/Internet exposure, subcontractor, and the recently added employee error/negligence.

"This is good information for the public to know, both for understanding trends in breach exploits, and to understand what the probable consequences of a particular breach might be for those affected," ITRC conveyed.

The organization acknowledges the role of the media and a handful of watchdog groups in providing important information about the possible repercussions of a breach of consumer data, but according to its analysis there is still little transparency in the information released by the compromised companies themselves.

"Other than breaches reported by the media and a few progressive state websites, there continues to be little or no information available on many data breach events. The public has no way of knowing just how minor or serious the data exposure was for any given incident," ITRC states.

ITRC suggests that the problem could be remedied by standardized, mandatory disclosure regulations that would require organizations that suffer a breach of consumer data to be upfront about both the information exposed and the cause of the event.

"It is clear that without a mandatory national reporting requirement, that many data breaches will continue to be unreported, or under-reported, and it would appear that the situation is growing worse... Any efforts to accurately quantify the actual number of breaches and resulting number of compromised records are stymied in the absence of mandatory reporting on a national level," ITRC insists.

Other key findings in the ITRC Breach Report include:

  • Paper breaches for the first half of 2012 account for nearly 15% of known breaches, down from 17.7% for the same period in 2011. These types of breaches typically go unnoticed until a consumer reports the problem to local media, as most paper breaches are not required to be reported. If you want to really understand the threat of these low-tech breaches, contact the US Postal Inspection Service and ask if they consider mail theft a serious problem.
  • Breaches in the medical/healthcare industry are on pace to hit an 8-year high, and currently represent 27% of the total breach incidents reported so far in 2012. This number is a drastic increase over the 17% reported for the same period in 2011 and exceeds the previous high of 24% for calendar year 2010.
  • The banking industry continues to show improvement as that category currently represents only 4% of the total breaches reported on the ITRC Breach List. This is down significantly from the 8% reported during the first half of 2011, and represents an 8-year low should it continue.
  • Breaches involving third parties, or subcontractors, doubled over the same period last year, with 14% of identified data breach incidents reporting third-party involvement. These events make the case that although your company may have taken adequate measures to protect information, the contractor you hire may not be as careful.
  • Malicious attacks involving "hacking" continue to show ever-increasing growth, with 30.5% of the breaches so far this year identifying hacking as the root cause, up from the 27.7% reported for the same period in 2011. If this rate increase continues, 2012 will be on pace to have another record high year in this category. Insider theft, which is also identified as a malicious attack, was down in the first half of 2012, 7.5% compared to 17.3% for the same period in 2011. This could indicate that companies are getting better with internal controls and vetting of employees. When combined, these categories represent nearly 40% of all reported breaches.
  • Breaches involving "data on the move" are being recorded at an all-time low. To date, only 7.5% of the breaches in 2012 have been identified in this category. This represents a tremendous drop from the 15.6% reported in the first half of 2011. Hopefully, this indicates a new awareness among companies and employees about the data carried on laptops and mobile devices. "Accidental" causes are identified in 11.7% of the breach incidents reported, up somewhat from the 9.1% reported during the first half of 2011. The newly identified employee error/negligence category is identified in 6.1% of the breach incidents reported.
  • 44.4% of publicly reported breaches indicated the number of records exposed, totaling 8.5 million records. It should be noted that the ITRC Breach Report does not include breach records due to exposure of non-sensitive information, such as email account records, in its total number of records. These 8.5 million records are all related to exposure of sensitive Personal Identifying Information (PII) or other sensitive account information. As such, breach incidents which involve passwords, user names and email addresses may be included on the list, but the number of records exposed is not counted as part of the annual total record exposure. So the records that are totaled consist of those that might contain Social Security numbers, credit/debit card numbers, financial account numbers, or other pieces of information such as driver's license numbers or medical insurance numbers.
  • 96 breaches (45.1%) reported in the first half of 2012 included the exposure of Social Security numbers. This is a significant drop from the 64.5% of the breaches which exposed SSNs during the first half of 2011.
  • 41 breaches (19.2%) involved credit or debit cards, dropping considerably from the 34.6% of the breaches involving credit/debit cards in the same time period during 2011.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.