2010 Security Incidents

We can learn a few things from the 2010 security incidents reported by the Identity Theft Resource Center. First, the 2010 numbers look like a roller coaster when compared with prior years' security incident statistics. Second, we may not have a complete count of all incidents, because there is no central repository of breach incidents and no law requires companies to report security incidents involving compromised personal information to a national database accessible to the public. As in any other year, most 2010 security incidents were gathered from news media, Federal and State agencies, and other similar sources. The 2010 security incidents included 662 cases, 33% higher than the 498 incidents reported in 2009. In contrast, 2009 saw a 24% reduction in reported incidents compared with the 657 security incidents reported in 2008, but that ground was quickly recovered in the 2010 numbers. The 2007 security incidents included 446 cases, which shows that security incidents jumped each year except 2009, when the numbers decreased for unknown reasons.

From a percentage-increase standpoint, 2008 was the worst year, while 2010 has the highest number of security incidents when compared to 2009, 2008 and 2007.

Impact of Security Incidents

There are a few critical points to extract from the statistics we receive from various sources. First, the number of compromised personal records does not track the number of security incidents. Just a handful of security breaches can account for the majority of compromised personal records. For example, the National Archives and Records Administration (NARA) and Heartland cases contributed the highest number of lost private records in a single year. Heartland, a large payment processor, had its systems penetrated by attackers from outside the company, who used malicious software to steal 130 million credit and debit card numbers. NARA, on the other hand, exposed the personal information of 76 million service men by sending its contractor a hard drive containing millions of records without encrypting, masking or scrambling the information. The NARA case is instructive for two reasons: 1) contractors are responsible for many of the security incident cases, and 2) unencrypted personal information leads to the highest number of compromised personal records, because the storage capacity of mobile devices and computers keeps increasing.

Major Breach Causes

Although malicious efforts such as network attacks and insider theft take the lead among security incidents, accidental data loss and privacy exposure follow closely behind, placing the public's information at risk of identity theft and fraud. Paper breaches still account for 20% of all 2010 security incidents, down from 26% of all breaches in 2009. This confirms that our information protection efforts must not be focused solely on information technology risks as a strategy to combat identity theft and privacy disclosure.

Breach Solutions

Although I’m sure that companies have improved the controls for securing their systems and networks from external intrusion, I still believe that most companies are not doing enough to encrypt all personal information on all devices. More specifically, monitoring of insider activities on the networks is not adequate, and companies lack sufficient controls for protecting paper documents. Another area of concern is the monitoring of contractors when their services require access to a company’s personal information about customers or employees. Companies must not blindly transfer the protection responsibilities for their assets, including the personal information of their customers, to third parties. They must require the same protection measures from their service providers as they would apply to their own environments, because they will assume the consequences of their service providers’ wrongdoing leading to security incidents and mass privacy breaches of the public's information.

Mandatory Reporting

The Department of Health and Human Services (HHS) began mandatory reporting of medical data breaches in 2010. However, the list reported to the public does not provide sufficient information to know which specific personal records, such as names and Social Security Numbers, are placed at risk. Also, not all States require mandatory breach notification to the individuals who might be affected, whether they live in that State or elsewhere.
