SSI © copyright. All rights reserved. Passing on and copying of this document, use and
communication of its contents not permitted without written express authorization of SSI
or one of its affiliate company
S S I Security Software International
DATA THEFT RETROSPECTIVE
INTRODUCTION
Workers turned "cyber moles" and crime syndicates armed with malicious software are looting digital data from businesses as losses reportedly topped a trillion dollars in 2008. California computer security firm McAfee presented the findings in January 2009 at the World Economic Forum in Davos, Switzerland, with a warning that the world's dismal financial straits are exacerbating data theft woes.
"This report is a wake-up call because the current economic crisis is poised to create a global meltdown in vital information." Insights for the first-ever worldwide study "on the security of information economies" were gathered from more than 800 chief information officers in Japan, China, India, Brazil, Britain, Dubai, Germany and the United States. The companies surveyed estimated they lost a combined 4.6 billion dollars worth of intellectual property last year, and spent approximately 600 million dollars repairing damage from data breaches.
"Companies are grossly underestimating the loss, and value, of their intellectual property," said Eugene
Spafford, a US university computer science professor who is executive director of The Center for
Education and Research in Information Assurance and Security (CERIAS). "Just like gold, diamonds or
crude oil, intellectual property is a form of currency that is traded internationally, and can have serious
economic impact if it is stolen."
Pressure on firms to cut costs is resulting in weakened computer security measures, making them more
tempting targets for information thieves. Thirty-nine percent of the CIOs in the study said they believe vital
company information is more vulnerable because of current economic conditions.
There has been an increase in "cyber mafia gangs" breaking into corporate databases. "Cybercriminals
are increasingly targeting executives using sophisticated phishing techniques," the study states.
"Phishing" refers to deceptive emails or other online ruses that trick people into revealing passwords,
account numbers, or other sensitive information. Such attacks customized to harpoon specific powerful
executives are often referred to as "whaling."
The dour economy also raises the chances of companies being looted by employees out to supplement
shrinking paychecks or improve job prospects with future employers. "An increasing number of financially
challenged employees are using their corporate data access to steal vital information. As the global
recession continues and legitimate work disappears, desperate job seekers or 'cyber moles' are stealing
valuable corporate data to make themselves more valuable in the job market." The study also pinpointed
China, Pakistan, and Russia as data theft "trouble zones" because of legal, cultural or economic factors.
The following report focuses on data breaches, thefts and losses in the UK, the US and Australia, with compelling facts, figures and examples included. Most organizations are quite reluctant to release information regarding their data loss, theft and breaches, or are unaware of it when it does occur. But what is clear from the information that is publicly available is that the scale of the problem is both large and growing.
Key Points
• Organized and opportunistic data losses of $1 trillion
• Increased internal and external threats to data
• IP losses of $4.6B in 2008
• $600M to repair data breaches
DATA THEFT - 2008 WAS A GREAT YEAR GLOBALLY
2008 was not a good year for data protection, data loss and data theft. It was also a bad year for those charged with looking after our data. The ITRC (Identity Theft Resource Center), a respected US nonprofit organization dedicated exclusively to the understanding and prevention of identity theft, has completed a detailed study into data breaches in 2008. The organization has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help individuals protect data and assist companies in their activities. The ITRC also advises governmental agencies, legislators, law enforcement and businesses about the evolving and growing problem of data breaches and in particular identity theft.
Their report (http://www.idtheftcenter.org/BreachPDF/ITRC_Breach_Report_2008_final.pdf), unsurprisingly, showed a sharp increase in the amount of data theft in 2008, with almost a 50% rise in "reported" data thefts/breaches in the US alone, from 446 in 2007 to 656 in 2008.
It was also reported to the ITRC that in the UK 35 million data records were lost or stolen and that "insider data theft" increased to 16% (almost double the 2007 figure). Sadly, only a fraction of the records (2.4%) were encrypted, which is a tragedy, as encryption is a simple way to protect the data.
Let us have a closer look at the UK, the US and Australia.
THE UK - DATA LOSS IN 2008
2008 is the year the public began to really hear about data loss, with numerous examples of data loss throughout the year and reports into data loss. The reports were pretty damning, and the scale of data loss was staggering: 100,000s of records lost regularly, and the HMRC (Her Majesty's Revenue and Customs) losing data at around 10 items a day. Despite the huge amount of data lost in the UK, and reports of data loss elsewhere in the world, the UK government did not manage to effectively introduce policies to prevent it.
1. GOVERNMENT
HMRC (Her Majesty's Revenue and Customs): A report by Kieran Poynter into the loss of 25 million records in 2007 by the HMRC found "serious institutional deficiencies" and states that the losses were "entirely avoidable". Two computer discs holding the personal details of all families in the UK with a child under 16 went missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.
NHS (National Health Service):
• 9 NHS trusts admit losing millions of records; 4 out of 5 NHS trusts lose medical records
• List of NHS losses produced under the Freedom of Information Act (it's a long article!)
• 66,000 medical records lost (including names, home addresses, phone numbers and a description of the disabilities of 45,000 people, including children and pensioners)
• The NHS also moved a lot of records out to other companies, with 300 million medical records moved out of the NHS and patients' data being shared with councils
MoJ (Ministry of Justice) and Home Office
• MoJ lost 4 CDs containing criminal case information; the CDs were un-encrypted, giving people access to highly confidential material.
• Ministry of Justice lose 5,000 records
• Home Office lose 84,000 prisoner records
• UK Government lost 3 million driving license records, on an un-encrypted hard drive
MoD (Ministry of Defense): The MoD lost almost as much data as the NHS, with a sample of the data loss highlighted below.
• The MoD lose 600,000 records, on an un-encrypted laptop
• MoD admit losing 650 laptops
• RAF lose 50,000 records
• Army lose 1.5 million records
DWP: The Department for Work and Pensions lose a USB drive.
Foreign Office: The FCO admits losing 10,000s of records.
Individuals within the government: A couple of high profile individuals lost data as well as all of the departments listed above. Hazel Blears, former Communities Secretary, lost her laptop, which was un-encrypted, and "Critical Terror Files" were left on a train.
PRIVATE SECTOR
Below is an outline of data theft statistics posted on December 28, 2008 from different resources. Despite the variety of resources, they all say the same thing: Data theft is common, it happens regularly, and everyone knows it is going on.
HSBC: HSBC did not have a good year for data loss:
• HSBC lost an entire server, the data was not encrypted
• HSBC lose 37,000 records, on an un-encrypted media.
• HSBC, along with UAE banks and others, also suffered a data theft from their banks
Virgin: Virgin Media were censured by the ICO following their data loss
2008 Finjan Report (Finjan is a leading provider of secure web gateway solutions for the enterprise market). According to their Web Security Survey of July 2008, almost all participating organizations perceive cybercrime as a major business risk, including loss of customers, brand name damage and potential lawsuits. The survey also found that the majority of the CIOs and CSOs are more concerned about data-stealing malware entering their networks than about downtime and loss of productivity due to virus infections. In the survey, Finjan asked organizations to answer questions about web security and cybercrime. Data theft is seen as a far greater problem than loss of productivity due to virus infections. Given the sophistication of today's cybercriminals and cybercrime attacks, only 33% of the respondents were convinced that their organization had never been breached by malware, while 25% reported that they had been breached, and an overwhelming 42% of respondents were not sure or could not exclude the possibility of a breach.
Total survey respondents amounted to 1,387, 54% of whom have direct involvement in IT/security. Of this group, 21% were IT personnel, 16% security consultants, 11% IT/security directors and managers and 6% CIOs/CSOs. The two largest industry sectors represented are banking (15%) and government (14%).
Extract from 2008 Finjan Report (share of respondents):
• Cybercrime seen as a major business risk: 91%
• Concerned about data theft: 73%
• IP and sensitive information at risk of data theft: 68%
• Worried about loss of employee data: 54%
• Customer information at risk (financial sector): 47%
• Healthcare patients' medical records as potential target: 73%
• Data breach reported: 25%
• Breach possibility (not sure or could not exclude): 42%
2. SME SECTOR
Small to medium sized businesses (SMEs) are failing to acknowledge and prevent data theft, new research shows.
A study conducted by security software firm Prefix IT sought the views of 1,000 UK workers and found that half of SME managers say preventing data theft is not 'even on the radar', with 29 percent of all other managers saying the issue is not recognised at board level. The report also revealed that workers leaving the company posed the biggest threat to security, with 65 percent admitting considering taking data, such as sales leads, database information, business contacts and sensitive documents, and nearly two thirds admitting to past stealing. This number rose to nearly three quarters of those surveyed in the 45-54 age group. Overall 36 per cent revealed they might download company data to help in a new job.
However, only 7 per cent of managers surveyed believe their organization has been affected by data theft. But nearly a third of managers said that defending against data theft is a 'key priority for the business'. This number dropped to 22 per cent for small SMEs (51-250 workers) and 28 per cent for medium-sized SMEs (251-500 employees).
Graeme Pitts-Drake, CEO of Prefix IT, said: "Whilst trust in staff is laudable, it is professionally negligent not to protect company assets appropriately through policy and technical means. Failing to communicate with staff about unacceptable activities is tantamount to endorsing theft." According to Pitts-Drake, despite the limited resources available to SMEs, this is something they should be concerned about. "Whether it is a large or small organization, data theft is a massive problem," he said.
"It is happening but managers don't realise it is happening - they are burying their heads in the sand. Smaller businesses have more of a family mentality and a culture of trust, but data theft is going on around them and they should be very worried," he added.
In an earlier study, conducted in September, 78 per cent of the workforce surveyed said they owned a personal device capable of downloading and storing data. Moreover, it found that 30 per cent of workers believe company information is rightfully theirs to take.
THE US – DATA BREACHES IN 2008
ITRC sources (http://www.idtheftcenter.org/)
Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.
The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies.
This list is updated daily, and published each Monday. To qualify, breaches must include personal
identifying information that could lead to identity theft, especially the loss of Social Security numbers.
ITRC follows U.S. Federal guidelines about what combination of personal information comprises a unique
individual, the exposure of which constitutes a data breach.
There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis.
The ITRC Breach Report presents individual information about data exposure events and running totals
for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity
involved in the data exposure. Breaches are broken down into five categories, as follows: business,
financial/credit, educational, governmental/military and health care. Other more detailed reports are
generated throughout the year and posted on a quarterly basis.
It should be noted that data breaches are not all alike. Security breaches can be broken down into a
number of categories. What they all have in common is that they usually contain personal identifying
information in a format easily read by thieves, in other words, not encrypted.
The ITRC tracks five categories of data loss methods:
• Data on the Move
• Accidental Exposure
• Insider Theft
• Subcontractors
• Hacking
Key Points
• Reports of data breaches in the U.S. rose almost 50% in 2008
• Only 2.4% of all breaches involved data where encryption or other strong protective measures were in place
• Only 8.5% involved password protection...
• Malware attacks, hacking
• Insider theft accounted for nearly 30% of breaches
• Insider theft more than doubled between 2007 and 2008
Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the
development of the criteria used when assessing breaches and the integrity of its sources. For example,
breaches that occurred in any given year or a previous year are included in the year in which the breach
was publicized. Each selected incident is required to have been published by a credible media source,
such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is
real and credible. Larger breaches often have multiple attributions, and we usually cite more than one
source. As an authority on data breach exposures, the ITRC is frequently asked if there are more security
breaches now than ever before. This question is hard to answer. More companies are revealing that they
have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the
criminal population is stealing more data from companies, and data breaches are being more frequently
publicized.
US Security Breaches 2008
Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008
breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over
last year’s total of 446.
In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within
the five groups that ITRC monitors. The financial, banking and credit industries have remained the most
proactive groups in terms of data protection over all three years. The Government/Military category has
dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.
According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in
use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached
data was unprotected by either encryption or even passwords.
The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider
theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some
cases affected dozens of companies. It is important to note that the number of breaches reported does
not reflect the number of companies affected.
The ITRC breach list is a compilation of breaches confirmed by various media sources and/or notification
lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches,
such as www.databreaches.net (aka Pogowasright), privacy.net, and www.datalossdb.org. To qualify,
breaches must include personal identifying information that could lead to identity theft, especially the loss
of Social Security numbers.
The report by ID Analytics states that those who have had their data stolen deliberately (e.g. by theft by an employee with access to the data) are 12 times more likely to be victims of fraud than those whose data was lost by accident (e.g. a missing laptop). This, while not surprising, is a figure worth knowing when managing security risks.
According to Privacy Rights Clearinghouse, more than 244 million pieces of data were lost or stolen in 2008 up to November.
According to the Identity Theft Resource Center there were 449 separate incidents of data breaches in the US in the first 9 months of 2008. This is more than in the whole of 2007. The ITRC 2008 report also notes that in over 40% of data breach/data theft incidents the number of records lost or exposed was not reported or fully disclosed.
Data Theft/Data Breaches – by industry:
• Business / Commerce: 37%
• Educational: 20%
• Healthcare / Medical: 16%
• Government / Military: 15%
• Banking / Finance: 12%
Data Theft/Data Breaches – by cause:
• Hacking / External: 14%
• Lost Laptop / Media: 23%
• Theft by employee: 18%
• Accidental: 16%
• Subcontractor: 11%
• Other: 18%
AUSTRALIA – 2008 DATA BREACHES
(Source SC Magazine Aug 11, 2009)
• Two in three Australian organizations experienced a serious data breach in the last twelve months, according to a survey by the Ponemon Institute.
The Institute, commissioned by data encryption company PGP, paid 482 IT security professionals in
Australia to answer questions around the protection of their data.
Some 69 percent of respondents said they experienced at least one data breach in the last 12
months, up from 56 percent in 2008. One in four of those companies that experienced a data
breach suffered five or more breaches in the 12 months, up 22 percent on 2008.
Of those organizations that did admit to losing data, 65 percent chose not to inform the public - a figure
the report's authors said was "sure to add to the demand for Australia to adopt data breach notification
laws similar to those in the United States."
The Federal Government has spent the last few months reviewing privacy laws, the first draft of which
was due to be released to the public within a week. But no timeline has been set for the introduction of
mandatory data disclosure laws, as recommended by the Australian Law Reform Commission and
the Office of the Privacy Commissioner.
In the interim, the Office of the Privacy Commissioner has produced a voluntary guide to managing
data breaches. The survey also revealed some interesting data on what motivates organizations to
protect their data. Of those organizations that use data encryption technology to protect against the leak
of confidential data, only 15 percent said they did so for regulatory reasons (citing the Federal Privacy
Act, National Privacy Principles and PCI DSS requirements) whereas 70 per cent used encryption to
protect their brand and reputation.
• Mandatory data loss laws could curb security breaches
More than half of Australasian SMEs claim to have experienced security breaches. Releasing
Symantec's 2009 Global Small and Mid-sized Business (SMB) Security and Storage survey in Australia
and New Zealand today, executives for the security vendor said security breaches included instances
where information has been subject to unauthorized access, often where the data is lost, stolen, or
hacked.
Steve Martin, SMB director at Symantec told iTnews that, by contrast, only 29 per cent of companies in
the US and 27 per cent of SMBs in Canada experienced breaches.
"There are a couple of reasons for those differences," he said.
"Some of these companies don't have their own IT staff therefore they don't have the knowledge or skills
to keep their security up-to-date.
"Also, companies in the US are governed by data mandatory disclosure law, which is in place in several
states across the country."
Martin said the law required an organization to inform their customers of any loss of their personal
information. The law gave organizations a myopic view on IT security and forced organizations to invest
in the right protection.
However in Australia there are no such mandatory disclosures and therefore data protection isn't in the
forefront of an SMB's mind.
"The current privacy laws in this region were written 23 years ago by Justice Michael Kirby when there
was no Internet or mobile phone," he said. "The Australian Law Reform Commission is looking at some
three hundred changes to local privacy laws, which includes data disclosure. The proposed changes are
currently with Senator John Faulkner and there should be results by the end of this year, so organizations
can move forward."
Symantec 2009 Global SMB Security and Storage Survey drew responses from 1,425 small and medium
businesses in 17 countries with 100 responses from Australia (50) and New Zealand (50). The size of
companies of respondents ranged from 10 to 500 employees.
CONCLUSION
Data theft is a growing problem primarily perpetrated by office workers with access to technology such as
desktop computers and hand-held devices capable of storing digital information such as flash drives,
iPods and even digital cameras. Since employees often spend a considerable amount of time developing
contacts and confidential and copyrighted information for the company they work for they often feel they
have some right to the information and are inclined to copy and/or delete part of it when they leave the
company, or misuse it while they are still in employment.
While most organizations have implemented firewalls and intrusion-detection systems very few take into
account the threat from the average employee that copies proprietary data for personal gain or use by
another company. A common scenario is where a sales person makes a copy of the contact database for
use in their next job. Typically this is a clear violation of their terms of employment.
The damage caused by data theft can be considerable with today's ability to transmit very large files via
e-mail, web pages, USB devices, DVD storage and other hand-held devices. Removable media devices
are getting smaller with increased hard drive capacity, and activities such as podslurping are becoming
more and more common. It is now possible to store 80 GB of data on a device that will fit in an
employee's pocket, data that could contribute to the downfall of a business.
Is there an answer to data loss, theft and breaches?
As Mark Pullen of RSA has outlined in September 2008, best practices need to be in place by businesses
to avoid enterprise data loss, such as:
• Understand what data is most sensitive to the business.
• Know exactly where the most sensitive data resides.
• Understand the origin and nature of your risks:
  – Do you have sensitive data in databases?
  – If so, in which database tables, which columns or fields?
  – Do you have sensitive data in file shares, and in which folders and files?
  – Do you have high-risk data on laptops, and whose laptops?
  – Is your intellectual property unwittingly exposed through custom-built applications?
  – Are your unannounced company financial reports illicitly finding their way onto laptops, PDAs, and USB drives?
• Select the appropriate controls based on policy, risk, and where sensitive data resides.
  – Manage security centrally
  – Audit security to constantly improve
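The "know exactly where the most sensitive data resides" step above is the one that is usually skipped, so here is an added example (not SSI's or RSA's code) of a small data-discovery scan over a file share: it reports which folders and files hold UK National Insurance numbers or US Social Security numbers, the two identifiers this report returns to repeatedly. The share it scans is constructed inline in a temporary directory, the files are assumed to be plain text, and the validity checks are the published format rules for each identifier.

```python
"""Data-discovery scan: find files on a share that hold UK National Insurance
numbers or US Social Security numbers and report which folders and files.
Added example, not SSI or RSA code; assumes plain-text files and builds a
constructed sample share in a temp directory."""
import os
import re
import tempfile
from collections import defaultdict

# UK NI number: two prefix letters, six digits, suffix A-D. Letters and
# prefix pairs that are never issued are rejected in is_valid_nino().
NINO_RE = re.compile(r"\b([A-Z]{2})(\d{6})([A-D])\b")
# US SSN in the common ddd-dd-dddd form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
_BAD_NINO_LETTERS = set("DFIQUV")
_BAD_NINO_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}

def is_valid_nino(prefix, digits, suffix):
    """Apply the published NI number format rules to cut false positives."""
    if prefix[0] in _BAD_NINO_LETTERS or prefix[1] in _BAD_NINO_LETTERS:
        return False
    if prefix[1] == "O" or prefix in _BAD_NINO_PREFIXES:
        return False
    return len(digits) == 6 and suffix in "ABCD"

def is_valid_ssn(area, group, serial):
    """Reject numbers the SSA never issues (000/666/9xx areas, zero fields)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_text(text):
    """Return counts of validated identifiers found in one document."""
    found = {"nino": 0, "ssn": 0}
    for m in NINO_RE.finditer(text):
        if is_valid_nino(*m.groups()):
            found["nino"] += 1
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            found["ssn"] += 1
    return found

def scan_share(root):
    """Walk a directory tree. Returns ({file: counts}, {folder: total}) for
    files holding at least one identifier; paths use '/' separators."""
    per_file = {}
    per_folder = defaultdict(int)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: a production scan should log it
            total = counts["nino"] + counts["ssn"]
            if total:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                per_file[rel] = counts
                per_folder[rel.rpartition("/")[0] or "."] += total
    return per_file, dict(per_folder)

# Constructed sample share. The identifiers are made up for the demonstration
# and chosen to satisfy, or deliberately violate, the format rules above.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,nino\nA Person,AB123456C\nB Person,QQ123456A\n",
    "finance/claims.txt": "claimant 123-45-6789 paid; test row 666-12-3456\n",
    "public/brochure.txt": "Call 0800 123 456 for a quote.\n",
}

def build_sample_share():
    """Write SAMPLE_FILES under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    files, folders = scan_share(build_sample_share())
    for rel, counts in sorted(files.items()):
        print(f"{rel}: {counts}")
    print("per folder:", folders)
```

The per-folder roll-up is the inventory the checklist asks for; a real deployment would add document formats beyond plain text and feed the results into the control selection that follows.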
REFERENCES
• www.idtheftcenter.org
• www.Myidscore.com
• www.finjan.com
• www.cerias.purdue.edu
• www.datalossdb.org
• www.databreaches.net
• www.ponemon.org
• www.laptoptheft.org
• www.eweek.com
• www.techworld.com.au
• www.mcafee.com
• www.rsa.com
• www.crn.com.au
• www.ironkey.com
CONTACTS
SSI Pacific Australia
Level 27, 101 Collins Street
Melbourne, VIC
Tel: + (61) 3 9 653 9163
Fax: + (61) 3 9 653 9307
SSI Pacific New Zealand
Level 16, Vodafone on the
Quay
157 Lambton Quay,
Wellington 6140
New Zealand
Tel: + (64) 4 460 5263
Fax: + (64) 4 460 5252
SSI Pacific Hong Kong
Levels 25 & 30, Bank of
China Tower
1 Garden Road, CENTRAL
Hong Kong, China
Tel: +852 (2251) 8795
Fax: +852 (2251) 1618