Data Breaches Rose Sharply In 2008

snydeq writes "According to the Identity Theft Resource Center, more than 35 million data records were breached in the US in 2008. Tracking media reports and disclosures companies are required to make by law, the ITRC noted a 47 percent increase in breaches last year at a range of well-known US companies and government entities. The majority of the lost data was neither encrypted nor protected by a password. A third of the breaches occurred at business entities. One in six breaches were attributed to insider theft, a figure that more than doubled between 2007 and 2008, ITRC said."

Frist post.

Frist post.

spiritual bankruptcy atalltime high

that leads to A LOT of felonious behaviours. better days ahead.

greed, fear & ego (in any order) are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of yOUR dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & any notion of prosperity for us, or our children. not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. we now have some choices. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

we note that yahoo deletes some of its' (relevant) stories sooner than others. maybe they're short of disk space, or something?
http://news.yahoo.com/s/ap/20081112/ap_on_re_as/as_nepal_buddha_boy;_ylt=A0wNdN1I6RpJfGoBfhWs0NUE
http://news.yahoo.com/s/ap/20081106/ap_on_go_ca_st_pe/meltdown_who_pays;_ylt=A2KIR3MR9hJJ3YkAGhms0NUE
http://news.yahoo.com/s/ap/20081114/ap_on_re_us/obama_catholics;_ylt=A0wNdOs0AR1Jam0AfE2s0NUE
http://www.cnn.com/2008/TECH/science/09/23/what.matters.thirst/index.html
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
(deleted)http://news.yahoo.com/s/ap/20080918/ap_on_re_us/tent_cities;_ylt=A0wNcyS6yNJIZBoBSxKs0NUE
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp
http://www.cnn.com/2008/US/06/02/nasa.global.warming.ap/index.html
http://www.cnn.com/2008/US/weather/06/05/severe.weather.ap/index.html
http://www.cnn.com/2008/US/weather/06/02/honore.preparedness/index.html
http://www.cnn.com/2008/TECH/science/09/28/what.matters.meltdown/index.html#cnnSTCText
http://www.cnn.com/2008/SHOWBIZ/books/10/07/atwood.debt/index.html
http://www.nytimes.com/2008/06/01/opinion/01dowd.html?em&ex=1212638400&en=744b7cebc86723e5&ei=5087%0A
http://www.cnn.com/2008/POLITICS/06/05/senate.iraq/index.html
http://www.nytimes.com/2008/06/17/washington/17contractor.html?hp
http://www.nytimes.com/2008/07/03/world/middleeast/03kurdistan.html?_r=1&hp&oref=slogin
(deleted, still in google cache)http://biz.yahoo.com/ap/080708/cheney_climate.html
http://news.yahoo.com/s/politico/20080805/pl_politico/12308;_ylt=A0wNcxTPdJhILAYAVQms0NUE
http://news.yahoo.com/s/afp/20081107/ts_alt_afp/environmentclimatewarmingatlantic_081107145344
(deleted)http://news.yahoo.com/s/nm/20080903/ts_nm/environment_arctic_dc;_ylt=A0wNcwhhcb5It3EBoy2s0NUE
(talk about cowardlly race fixing/bad theater/fiction?) http://money.cnn.com/2008/09/19/news/economy/sec_short_selling/index.htm?cnn=yes
http://us.lrd.yahoo.com/_ylt=ApTbxRfLnscxaGGuCocWlwq7YWsA/SIG=11qicue6l/**http%3A//biz.yahoo.com/ap/081006/meltdown_kashkari.html
http://www.nytimes.com/2008/10/04/opinion/04sat1.html?_r=1&oref=slogin
(the teaching of hate as a way of 'life' synonymous with failed dictatorships) http://news.yahoo.com/s/ap/20081004/ap_on_re_us/newspapers_islam_dvd;_ylt=A0wNcwWdfudITHkACAus0NUE
(some yoga & yogurt makes killing/getting killed less stressful) http://news.yahoo.com/s/ap/20081007/ap_on_re_us/warrior_mind;_ylt=A0wNcw9iXutIPkMBwzGs0NUE
(the old bait & switch...your share of the resulting 'product' is a fairytail nightmare?)
http://news.yahoo.com/s/ap/20081011/ap_on_bi_ge/where_s_the_money;_ylt=A0wNcwJGwvFIZAQAE6ms0NUE

it's time to get real now. A LOT of energy/resource has been squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gainin

And expected to rise

[truthsearch]

With increased layoffs and economic hardships I would expect these numbers to go up again this year. On top of the individual motivations for just attempting it, it's unlikely corporations or governments are going to drastically increase security spending this year.

Re:And expected to rise

[Thaelon]

Rarely should security have to do with spending. Sure, you'll plunk down a chunk of change for a fast firewall to sit between you and the intarwebs, but it's all pretty moot if your employees don't know any better and get password phished, or use Outlook Express and pounce on every cool sound attachment with wanton double clickery.

In the IT world it's about being smart and educating your users more than anything else. And that just takes one competent IT guy and some face time with the rest of your people.

Re:And expected to rise

[truthsearch]

Corporate training costs far more than one IT guy and a little face time. There's materials, conference rooms, continued support, etc. One IT guy would get very tired talking to tens of thousands of people, so a few would be required. Then every employee must commit at least a few hours, which drops productivity. And I'm sure the IT guys would want to implement some related systems, like testing for weak passwords.

Re:And expected to rise

[againjj]

Question everything

Why?

Getting there

[LordAndrewSama]

more than 35 million data records were breached in the U.S. in 2008.


Pfft, nowhere near the UK yet, keep trying...
Hint: leave the laptop on a train. ;)

Re:Getting there

[gallwapa]

Pfft, silly UK people. Everyone know's the US doesn't have mass transit

(hehehehehehehe)

Repeatative.

[XPeter]

Too many stories like this have been popping up on Slashdot lately, and they all have the same answer.

Bad economy means money's tight. Some people can't find a way to make ends meet so they turn to crime.

Wait, what?

[girlintraining]

Pardon me for saying, but insider theft in every business aspect has dominated the charts -- over 80% in most cases. Most case studies I've seen in computer security point to this as the overriding concern in setting up corporate networks and systems. And now comes along a report saying that this has been turned on its head and the reverse is true?

I smell a rat, and looking at the name on the report, I think I might have found the cheese too.

Re:Wait, what?

[cbiltcliffe]

I haven't read the full article yet, but it could be that insider breaches account for 20% of breaches, and 80% of records breached. Since insiders would have access to much more information, that wouldn't surprise me at all.

Also in question is the definition of "insider breach." Is an employee leaving a laptop on a train an insider breach, or not? Is an employee accidentally posting personal information on a public web server an insider breach, or not? It's not malicious by the insider, but it's certainly caused by the insider.

Besides, if you look at http://www.privacyrights.org/ar/ChronDataBreaches.htm, you won't see a lot of insiders, but you will see some insider breaches with huge record totals.

Silly Stats

Or, there has been an increase in the reporting of data breaches, since data breaches started to become newsworthy. Previously, we did not care.

Re:Silly Stats

[Zerth]

That would be a symptom of LIH, Legally Induced Honesty.

"We accidently emailed your information to Indonesia! There, we said it. You can't fault us, we were honest about it!"

Business Is Just Following The Biggest Breacher

a.k.a. the world's most dangerous person

I hope this helps the lawsuits against the world's largest crime syndicate run by this thug.

Cordially,
Kilgore Trout

Invited

"The data was neither encrypted nor protected by a password" - doesn't that that mean it was expected to be breached?

Data suspenders

data breeches rose sharply because aging computer scientists have been shortening their suspenders recently. Around these parts we wear our belts OVER our bellies stranger!

35 million data records stolen ..

[rs232]

"According to the Identity Theft Resource Center, more than 35 million data records were breached in the U.S. in 2008"

Do any of these breaches have anything to do with the underlying Operating System ?

Re:35 million data records stolen ..

[KovaaK]

I kind of doubt it would make that big of a difference. There will always be a weak point in security, and most of the time, the human factor is the weakest. Stupid people will be stupid people.

Re:35 million data records stolen ..

[nschubach]

I don't know... from what I read, Windows 2008 adoption is "unusually" high...

http://4sysops.com/archives/windows-server-2008-adoption-is-better-than-vistas/

http://www.microsoft.com/presspass/features/2007/jun07/06-05WinServer08.mspx

http://news.zdnet.co.uk/software/0,1000000121,39359154,00.htm

I don't know if you can draw a correlation from that though. ;)

A call to global humanity!

How long will we allow Italian electro-fascism to pollute the internet? What is needed is a bold plan: a new anti-Napoleonic treaty of Westphalia to eliminate the nefarious Italian hacker scourge from the Internet and from the increasingly wild and uncontrolled sex-cult atmosphere of Congress. Who is with me?

Harsher Consequences?

[kudokatz]

This is just more evidence of what is already widely known: people are generally lax about security matters. What we really need is some way of getting the point across that things like reasonable passwords are turning into a necessity of every-day life.

Both the twitter and Palin e-mail "hackers" just guessed passwords or researched PII to get in. This also shows we definitely need some better form of authentication, and that authorization policies inside organizations should be more paranoid. Of course I'm still lost as to alternatives to passwords, so perhaps people will just have to suck it up and put a bit of effort into it.

There are always the trade-offs between effort and the value of what one is protecting. If the public finds these data breaches unacceptable, why not make the consequences more serious so that from a business standpoint it is more worthwhile to spend on security? This may lead to corporations developing an atmosphere of security awareness, which will keep people actively thinking about important steps to take in typical day-to-day activities.

Re:Harsher Consequences?

[Sparton]

Of course I'm still lost as to alternatives to passwords, so perhaps people will just have to suck it up and put a bit of effort into it.

Yeah, I'd go with that one, personally. It's not difficult to make sets of passwords that you can easily remember that wouldn't be straight from a dictionary or something equally inane and stupid.

Re:Harsher Consequences?

[KovaaK]

Secure passwords would be nice, but people probably aren't going to go through the trouble.

I like the concept of locking an account after X failures to log in, but I always see stupid implementations of the idea. Most of the time, it's some value of X that is likely to annoy people who legitimately forgot their password and are going through their likely suspects. 5 times seems somewhat low for obscure sites you don't visit often, and I remember my girlfriend trying to log onto an important work related account where 1 failed attempt would lock the account for 24 (!) hours.

I could understand locking an account after like 20 tries or 5 tries in 1 second to try to prevent brute force attacks... or some tiered system where the more often you fail to input the correct password, the longer it will lock you out. Are there sites that implement this without warning of such a system?

Re:Harsher Consequences?

[jggimi]

Passwords are generally considered to be poor authentication methods, when used alone. Strong or weak, password authentication can be attacked by brute force or by social engineering. Post-it Notes (TM) stuck to monitors are not even necessary. :) ------------ The generally accepted commercial practice for remote authentication is two use two methods to authenticate: something you have, and something you know. Example: your bank card (have) and it's passcode (know). Other "Have" examples: electronic token, public key, biometric Other "Know" examples: passcode, password, passphrase

Re:Harsher Consequences?

[Sparton]

The generally accepted commercial practice for remote authentication is two use two methods to authenticate: something you have, and something you know.

Nothing is going to be impossible to crack. The extra step of "something you have" just means it's one more thing to forge for anyone who wishes to compromise your [whatever].

Obviously a password can be brute forced and so forth, but the generally accepted "8+ characters, upper- and lowercase and numbers" works for most people and most situations.

Re:Harsher Consequences?

[jggimi]

I don't disagree regarding impossibility. Several of my employers over the years have chosen to use electronic tokens as the "something you have" precisely because their ever-changing values synced to a token server make them more difficult to forge. For my own servers, I eliminate password authentication wherever possible and use either public key authentication, or S/Key one-time-passphrase-pads when PKA is impractical.

Systems that accept password authentication need to prevent brute force attack, through state table management, programmatic log management, or other means of stopping brute force attacks before they succeed. An 8-byte random ASCII password on an http or ssh server that permits unlimited attempts and reconnects can be broken by a script kiddie in a weekend, without much effort.

Re:Harsher Consequences?

[El_Oscuro]

Perhaps something like This?

Re:Harsher Consequences?

[jggimi]

Yes, something like that.

REPORTED breaches

[Gothmolly]

An increase in REPORTED breaches. There is less stigma on it these days, and more scrutiny.

s/siders/dians/

[Hognoxious]

Are outsourced workers counted as insiders?

Re:s/siders/dians/

[Tanktalus]

I'm sure this was modded Flamebait by someone assuming that Hognoxious is obnoxiously racist. And s/he might be. But, as in police work, you only hamper yourself if you're unwilling to look at culture ("Gah! Not profiling!") or other pigeonholing to narrow down your search.

Personally, from what I know about the Indian culture, I'd be surprised if they were the source of statistically significant amounts of data breaches. But the concept of looking at recent changes to the corporate world to see what has changed is completely valid, and not flamebait at all.

It's also like how airport security tearing apart an old lady's luggage looking for weapons of terror is a waste of resources, when it's far more economical (more likely to find what you're looking for) to tear apart the luggage of someone from countries known to support terror. Or to tear apart luggage of people coming in from known drug countries when looking for drugs. You need to carefully weigh the likelihoods, and spend your time and resource first in the likely places before the unlikely.

So, I think that Hognoxious has a valid point. We need to examine recent changes to the corporate world to figure out what this new statistic means. Does it mean, as many have already said, that we're just reporting better (seems likely to me)? Does it also mean that outsourced workers are selling our data? This seems like a reasonable myth to investigate to determine if outsourced workers are more, less, or similarly likely to sell insider data to the black market, so that we can better focus our efforts on reducing breaches. But it should be based on thorough investigation, and not on knee-jerk calls of racism.

Re:s/siders/dians/

[cbiltcliffe]

Flamebait? Crack smoking mods.

It's certainly inflammatory, but it's a perfectly legitimate question, if you ask me.

Lots of data from these US companies is heading overseas to countries which have little, if any, privacy protection legislation. What they do have is routinely ignored due to regional financial needs, payoffs to law enforcement, and other corruption.

So the question still stands: Are outsourced workers counted as insiders for data breach purposes?

FP MaRE.

From a technical to 6et some eye

what is a breach of security and what is not?

[Benjamin_Wright]

Most all data in commercial and government systems are "exposed" or "compromised" to one degree or another virtually all the time. So it is not surprising that as we focus more attention on breaches, we discover an ever-growing number of breaches. Under the presenting thinking, the growth will never stop. Should each citizen therefore be mailed 100 breach notices every day? Legally and ethically speaking, we do not have a competent definition of what is and is not a meaningful security breach. The result is confusion and excessive anxiety on the part of data holders, data subjects, legal authorities and the media. Ben

Rising Breaches?

I lowered my breaches and had to pay someone to take my genetic data.

Re:Rising Breaches?

I suspect that it was you who received the genetic data.

How did you know ...

my password?

Using production for test data?

[peterofoz]

Most companies I've work in secure production systems ok, but I often find unobfuscated subsets of production data in test or dev. IMHO this is laziness on the part of QA in data preparation.

Data to obfuscate should include at least:

• Date of Birth
• SSN
• Credit Card numbers
• Policy or Account numbers
• (HIPAA has a list of PHI data)

The challenge is where a protected value is used as a key into other systems and records have to agree in order to test systems.

Solution? Don't use protected data as keys?

Any other ideas?

Prime Example

I'm sure this was modded Flamebait by someone assuming that Hognoxious is obnoxiously racist
The title he selected reveals a deeply depraved individual who likely was downsized, as a result of his job moving to India, a very profitable move that saved his company quite a bit of money.

Also, they don't have to put up with his racist tendencies anymore, so they are the real winners when he left.

But what he didn't tell you was that when he left that company, he took a bunch of records from them and sold them to the competition.

Data Breaches and Thefts - a Solution?

[johnfranks999]

I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture â" and people arenâ(TM)t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities â" read the book BEFORE you suffer a breach.

Data Breaches went up?

[Tired+and+Emotional]

I expect people are carrying more data. Miniaturization should permit you to carry all the data you need in hip-hugging data breaches in the near future.

Good for Data.

[master_p]

At least he got a girlfriend. His emotion chip works well.

Reported Breaches

[thecyberpunk]

There are a few issues with comparing reported breaches. More laws have required the disclosure of breachs which is going to exaggerated the increase. At the same time the total number of actual breaches and records is still likely much higher than what is currently reported.