Computerworld - By my count, over half a billion records of personal information have been exposed or mishandled in the past eight years. And these are only from breaches where a record count has been publicly revealed.
That's more than the population of the European Union, and more than the number of people living in the U.S., Canada, Mexico and all of Central America and the Caribbean combined.
My count of 530 million is more than double the 244 million records cited on Privacyrights.org. So how did I arrive at that figure?
There are a number of Web sites where you can find information about data breaches, including Computerworld's privacy page, Attrition.org, the Identity Theft Resource Center, blogs, government agencies and privacy newsletters such as the International Association of Privacy Professionals' "Daily Dashboard". For my summer project this year, I tabulated the data from all of these sources. I added them to files I'd been keeping since 2000, which included data on breaches stretching back to 1995. An intern, Emily Prather, Googled the Fortune 500 companies for news of breaches that didn't make these lists. Add to these several dozen notification letters received by friends and family, and we tallied about 1,500 breaches.
What does the data say about the information risks facing your organization?
The biggest surprise to me was the sources of breaches. Many people within the information security profession refer to the insider threat as the primary source of risk, routinely saying that 75% of breaches are the work of employees.
This isn't exactly what breached companies are telling the press, though. The biggest line item we found was hackers, at 20% of all breaches. For their part, dishonest insiders garnered 3% of the blame. It's possible that a good number of the stolen laptops (19%) and other computers (8%) were taken by employees, but the cases we reviewed appeared mostly to be random criminal acts.
If you add up all of the mistakes employees make — such as losing laptops and backup tapes, improperly disposing of documents, inadvertently sending e-mails and packages, and misconfiguring Web sites — the employee category amounts to 39%.
A whopping 11% of publicized breaches were the result of an errors traceable to vendors.
Have these root causes changed over time? Many of us in the privacy profession know that organized crime is thriving in the stolen-information business and growing in sophistication each year. And maybe they're getting away with it more often. The share of intentional privacy breaches has fallen from 74% in 2005 to 55% this year. Conversely, unintentional data exposures rose from 25% to 40% over the same period, with unspecified causes accounting for the remainder.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
