The authors' analysis of data-breach statistics shows that organizations poorly protect personal data. Possible solution: U.S. federal rules for guidance in developing comprehensive data protection programs.
There are data breaches and then there are data breaches. Hold on as we look at two enormous cases reported by the Privacy Rights Clearinghouse (PRCH) in its "Chronology of Data Breaches." Even though the number of records compromised in these two cases is atypical, they do illustrate the problems consumers face when their personal data is not protected by the organizations that use it.
On Jan. 20, 2009, Visa and MasterCard alerted Heartland Payment Systems, a credit and debit card processor, of suspicious activity related to card transactions. After the company investigated, it found evidence of malicious software that compromised data on more than 130 million cards. The incident may have been the result of a global cyberfraud operation.
On June 16, 2005, hackers infiltrated the network of CardSystems — a third-party processor of payment card transactions — and exposed names, card numbers and card security codes of more than 40 million card accounts, including 68,000 Mastercard accounts, 100,000 Visa accounts and 30,000 accounts from other card brands. On Feb. 26, 2006, CardSystems agreed to settle charges with the Federal Trade Commission that it failed to have in place the proper security measures to protect sensitive personal information. CardSystems notified affected consumers and offered them one year of credit monitoring services.
Data breaches that lead to identity theft have affected the lives of individual consumers, businesses, nonprofit organizations and governments at all levels throughout the world, especially in the past decade. Security companies are constantly working to develop better products for individuals and organizations to protect personal information. Many organized cybercriminals work as successful profit-making businesses, constantly developing new fraudulent schemes to look for system weaknesses and collect personally identifiable information (PII).
However, as our new report and analysis in this article show, it is not just blatant hacker efforts that cause data breaches. Organizations and individuals who do a horrible job protecting personal data, of course, create conditions that lead to the majority of data breaches.
TRACKING THE PESKY BREACHES
Though not all organizations report data breaches publicly, at least three independent groups track and analyze breaches and publish them in reports: the Privacy Rights Clearinghouse (PRCH), Verizon and the Identity Theft Resource Center®.
Privacy Rights Clearinghouse
PRCH describes itself as a "nonprofit consumer education and advocacy project whose purpose is to advocate for consumers' privacy rights in public policy proceedings." From Jan. 1, 2005, through press time, it has tracked, analyzed and classified 2,752 data breaches and more than 542 million compromised records for inclusion in its "Chronology of Data Breaches," which is updated daily from these sources:
The PRCH classifies data breaches as:
Verizon Business
For the past six years, the Verizon Business Risk Team, in conjunction with the U.S. Secret Service (since 2009) and the Dutch National High Tech Crime Unit (starting in 2010), has prepared the annual Data Breach Investigations Report based on its analysis of more than 900 data breaches representing more than 900 million compromised records. The Verizon study classifies the breach types as from external agents, insiders, business partners and multiple parties.
Identity Theft Resource Center®
The Identity Theft Resource Center® (ITRC) describes itself as "a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft."
The ITRC list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. The group updates the list weekly. To qualify for the list, breaches must include PII that could lead to identity theft, especially SSNs. Since Jan. 1, 2005, and up to press time, the ITRC has tracked and analyzed 2,852 data breaches and more than 496 million compromised records.
The ITRC classifies its types of data breaches as from: data on the move, accidental exposure, insider theft, subcontractors and hacking.
These organizations use differing methodologies to select and classify data breaches, which allows us to view the data from different perspectives. "Data breaches are not all alike," according to the ITRC. "Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted." That is true, but a lot of personal information included in data breaches is encrypted. If organizations use the 56-bit Data Encryption Standard (DES) rather than the 128-bit Advanced Encryption Standard (AES), hackers can normally brute-force the key and recover the plaintext, which they can then use for identity theft.
HOLTFRETER/HARRINGTON DATA BREACH ANALYSIS REPORT
We decided we wanted to compile a data breach report for the public and anti-fraud professionals using a different classification system to provide additional breadth and depth.
Methodology
We analyzed 2,278 data breaches and 512,289,000 compromised records reported by the PRCH for a six-year period of 2005 through 2010 — Jan. 1, 2005 through Dec. 31, 2010. (Beth Givens, PRCH's director, granted us permission to use its data.)
We developed our classification system by conducting an analysis of a large sample of 300 data breaches to initially classify each of them into three broad categories: internal, external and non-traceable. We used this initial broad approach because data breaches and related comprehensive data protection legislation are typically viewed by the public and identity theft experts from an internal/external perspective. Internal and external data breaches are defined, simply, as those originating from within or outside an organization, respectively.
In the second phase of our analysis we examined all the sampled breaches included in the internal and external categories to look for useful patterns for determining specific subtypes. We then completed the classification process by placing all 2,278 data breaches for the six-year period into the following subtype categories, which we defined and used for the analysis:
IIPD: Internal — improper protection or disposal of data: For example, on Sept. 4, 2007, the University of South Carolina exposed online a number of files containing Social Security numbers, test scores and course grades.
ITF: Internal — theft of data by a current or former employee with absolute or high probability of fraudulent intent: For example, on Feb. 5, 2009, a Mooresville, N.C., dry cleaner skipped town with her clients' credit card numbers.
ITNF: Internal — theft of data by a current or former employee with low or no probability of fraudulent intent: For example, on April 27, 2007, an employee at the Caterpillar Corporation stole a laptop computer containing personal data of employees, including SSNs, banking information and addresses.
IH: Internal — hacking or unauthorized intrusion of a network by a current/former employee: For example, on March 21, 2010, a 21-year-old former Evergreen Public School employee in Vancouver, Wash., pulled off a computerized payroll security breach that put more than 5,000 current and former Vancouver district school employees at risk for identity theft.
IL: Internal — loss of data: For example, on Oct. 15, 2009, the Virginia Department of Education reported that a flash drive containing 103,000 student names, SSNs, and employment and demographic data was misplaced.
XP: External — partner/third-party theft or loss of data by improper exposure or disposal: For example, on April 27, 2007, the Long Island Railroad reported that, while in transit, its delivery contractor, Iron Mountain, lost data tapes containing names, addresses, SSNs and salary figures of virtually all the employees who worked for the company.
XTF: External — theft of data by a non-employee with absolute or high probability of fraudulent intent: For example, on Feb. 2, 2009, a school volunteer at the Irving Independent School District in Texas stole information including SSNs and birth dates of school employees and tried to buy tires at a local Sears store after opening a line of credit in the name of one of the school teachers. A suspicious, alert employee called the police.
XTNF: External — theft of data by a non-employee with low or no probability of fraudulent intent: For example, on Aug. 1, 2009, Williams Companies Inc., in Tulsa, Okla., reported that a laptop containing personal information of 4,400 current and former employees was stolen from a worker's car.
XH: External — hacking or unauthorized intrusion of network by a non-employee: For example, on June 23, 2010, Anthem Blue Cross – WellPoint of California reported that hackers may have compromised customers' personal information after gaining access to the company's web-based tool for tracking pending insurance applications.
NA: Non-traceable — unable to determine as internal or external: For example, on June 22, 2009, numerous folders containing medical records and SSNs from Baptist Medical Center were found in a landfill.
Results? Entities Have Some Explaining to Do
Bear with us on the detailed results. Getting through these statistics will pay off. Figure 1, Record Breach Sum (below), shows the percentage of the 581,289,000 compromised records for the six-year period. As shown, approximately 13 percent were traced to the internal category, 86 percent to external and 1 percent to non-traceable. Most individuals believe that the majority of compromised records and related breaches are externally driven — an opinion probably shaped by media outlets, which tend to focus their reporting on data breaches of large organizations.
[Figure 1: Record Breach Sum]
[Figure 2: Record Breach Types]
Figure 2, Record Breach Types (above), shows the percentages of the total compromised records traced to each of the five internal (IIPD, ITF, ITNF, IH, IL), four external (XP, XTF, XTNF, XH) and non-traceable (NA) subtype categories.
In the internal subtype categories, IIPD or the "improper protection or disposal of data," accounted for approximately 3 percent of the total compromised records; ITF or "theft of data by a current or former employee with absolute or high probability of fraudulent intent," accounted for about 6 percent; IH or "hacking or unauthorized intrusion of network by a current/former employee," was about 1 percent; IL or "loss of data," was about 4 percent, and ITNF or "theft of data by a current or former employee with low or no probability of fraudulent intent," was about 1 percent. There is no dominant internal breach type, but this is somewhat expected because the total compromised records in this area accounted for only 13 percent of the overall total compromised records.
In the external subtype categories, XP or "partner/third party theft or loss of data by improper exposure or disposal," accounted for approximately 18 percent of the total compromised records; XTF or "theft of data by a non-employee with absolute or high probability of fraudulent intent," accounted for about 2 percent; XH or "hacking or unauthorized intrusion of network by a non-employee," was about 59 percent; XTNF or "theft of data by a nonemployee with low or no probability of fraudulent intent," was 8 percent, and NA or "non-traceable — unable to trace to internal or external," accounted for approximately 3 percent.
External hackers caused most of the compromised records, which is expected because they get more bang for the buck by gaining access to more data when infiltrating the networks of larger organizations. But another serious problem exists with some partners and third-party contractors who seem to be irresponsible when entrusted with the data of other organizations.
Figure 3, Case Breach Sum (below), shows the percentages of data breaches for the general internal, external and non-traceable categories. Of the 2,278 data breaches, internal accounted for 39 percent, external for 56 percent and non-traceable for 5 percent. These results are quite different from the shares of compromised records for the internal, external and non-traceable categories, which were noted above at 13 percent, 86 percent and 1 percent, respectively. This strongly indicates that external hackers are getting access to more records per breach than those stealing internal records.
Figure 4, Case Breach Types (below), shows the percentage of the 2,278 data breaches for the five internal (IIPD, ITF, ITNF, IH, IL), four external (XP, XTF, XTNF, XH) and non-traceable (NA) subtype categories. For internal, IIPD or the "improper protection or disposal of data," accounted for approximately 24 percent; ITF or "theft of data by a current or former employee with absolute or high probability of fraudulent intent," accounted for about 8 percent; IH or "hacking or unauthorized intrusion of network by a current or former employee," was about 1 percent; IL or "loss of data" was 7 percent, and ITNF or "theft of data by a current or former employee with low or no probability of fraudulent intent," was about 1 percent.
[Figure 3: Case Breach Sum]
[Figure 4: Case Breach Types]
Improper protection or disposal of data dominates this subcategory, which again shows that some organizations need to tighten up their controls.
In the external subtype categories, XP or "partner/third party theft or loss of data by improper exposure or disposal," accounted for approximately 7 percent of the total data breaches; XTF or "theft of data by a non-employee with absolute or high probability of fraudulent intent," accounted for about 6 percent; XH or "hacking or unauthorized intrusion of network by a non-employee," was about 18 percent; XTNF or "theft of data by a non-employee with low or no probability of fraudulent intent," was 24 percent, and NA or "non-traceable — unable to determine as internal or external," accounted for approximately 5 percent.
The pattern seen in the total compromised records and data breaches for the general internal, external and non-traceable categories holds for the subtypes as well. For internal types, IIPD or the "improper protection or disposal of data," accounted for about 24 percent of the total breaches but 3 percent of the total compromised records. ITF, or the "theft of data by a current or former employee with absolute or high probability of fraudulent intent," accounted for about 8 percent of the data breaches and about 6 percent of the compromised records. In addition, the subtype IL, or the internal "loss of data," accounted for about 5 percent of the total data breaches but only 4 percent of the total compromised records.
The above results are similar for the external subtypes. For example, XP, or the "partner/third party loss of data by improper exposure or disposal," accounts for about 18 percent of the total compromised records but only 7 percent of the total data breaches. XH, or "hacking or unauthorized intrusion of network by a non-employee," accounts for 18 percent of the data breaches but a whopping 59 percent of the total compromised records. XTF, or the "theft of data by a non-employee with absolute or high probability of fraudulent intent," accounted for nearly 6 percent of the total data breaches but only 2 percent of the total compromised records. Lastly, XTNF, or the "theft of data by a non-employee with low or no probability of fraudulent intent," accounted for only 8 percent of the total compromised records but an amazing 24 percent of the total data breaches.
Analysis? Numerous Data Compromises Without Controls
The results strongly indicate that the organizations experiencing these data breaches lack strong comprehensive data protection programs. As a result, the personal data that organizations should control and safeguard more easily is being compromised in many ways.
For example, 26 percent of the total breaches result from the internal "improper protection and disposal of data." Examples include posting data online — including SSNs on mailing labels — giving documents or hard drives to recyclers that include personal information (how about destroying them internally?) and leaving documents containing personal data unattended in the workplace.
Do we know if any of the compromised records in this category of data breaches were used for identity theft purposes? No, but the opportunity exists. As we know, closing the door on opportunity is one of the best methods for fraud prevention.
The "protection and disposal of data" category is also directly linked to two other internal and three external subtype categories. For example, if companies properly protected and/or disposed of data by securing physical facilities, software and hardware, then less data, such as employee SSNs, would be lost or misplaced. And employees or non-employees would be stealing less internal and external data, such as customer debit card numbers and other personal data. Also, as we wrote earlier, organizations could better control internal and external hacking and the resulting identity theft if they were required to encrypt all sensitive data with the 128-bit encryption standard.
SELF-REGULATION NOT WORKING
It is obvious that many organizations need guidance in developing comprehensive data protection programs. Self-regulation has not worked; maybe federal rules might help. Because of recent national exposure of data breaches, the U.S. Congress is considering legislation on this topic. But do not hold your breath, because it has been considering legislation on notification of data breaches for the past three sessions and has not passed any law. (The 2007 U.S. "Red Flags Rule" does require many businesses and organizations to implement a written identity theft prevention program designed to detect the warning signs of identity theft in their daily operations.)
The state of Massachusetts, on the other hand, has recently passed a comprehensive data protection law (201 CMR 17.00) containing standards and requirements directly related to the types of internal and external data breaches described and analyzed in this article.
The Massachusetts law is considered one of the strictest in the U.S. The standards and precise requirements that are paraphrased and listed below might be a model for other U.S. states, the U.S. Congress and perhaps some foreign countries for developing comparable legislation. They will also provide valuable guidance for organizations and consultants who advise them about specific elements that should be addressed in setting up a comprehensive data protection program.
The law states that "every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program. …" That includes the following standards and requirements briefly outlined by InstantSecurityPolicy.
In the section of the Massachusetts law, "17.03: Duty to Protect and Standards for Protecting Personal Information," every comprehensive information security program shall include, but not be limited to:
a. Designating one or more employees to maintain a comprehensive information security program.
b. Identifying risks to the security, confidentiality, and/or integrity of records containing personal information, and improving current safeguards where necessary, including 1) ongoing employee/contractor training, 2) employee compliance with policies, and 3) means for detecting and preventing security system failures.
c. Developing policies relating to the storage, access, and transportation of personal information outside of business premises.
d. Imposing disciplinary measures for violations of the security policy.
e. Preventing terminated employees from accessing records containing personal information.
f. Overseeing service providers by 1) selecting and retaining service providers capable of securing personal information and 2) requiring service providers by contract to implement and maintain appropriate security measures for personal information.
g. Placing restrictions on physical access to records containing personal information and securely storing this information.
h. Regular monitoring to ensure the security program is operating in the intended manner and upgrading safeguards where necessary.
i. Reviewing security measures at least annually or whenever it is reasonably necessitated by a change in business practices.
j. Documenting actions taken in response to any incident involving a breach of security, and a post-incident review of events and actions taken.
17.04: Computer System Security Requirements
(1) Secure user authentication protocols including:
a. Control of user IDs and other identifiers.
b. A reasonably secure method of assigning and selecting passwords or other unique identifiers.
c. Control passwords to ensure that the location and/or format does not compromise data security.
d. Restricting access to active user accounts only.
e. Blocking access after multiple unsuccessful logon attempts.
(2) Secure access control measures that:
a. Restrict access to files containing personal information to those who need such access.
b. Assign non-vendor-supplied, unique identifications and passwords to each person with computer access that are designed to maintain the integrity of the security of the access controls.
(3) Encryption of all transmitted files containing personal information when traveling across a public network or a wireless connection.
(4) Monitoring of systems for unauthorized use of or access to personal information.
(5) Encryption of all personal information stored on laptops or portable devices.
(6) Use of firewall protection and reasonably up-to-date patches on Internet-connected systems that contain personal information.
(7) Use of anti-virus/anti-malware software with reasonably up-to-date patches and virus definitions on Internet-connected systems that contain personal information.
(8) Education and training of employees on the proper use of the computer security system and the importance of information security.
A new federal comprehensive data protection law should also include the requirement that all government agencies, nonprofits and businesses conduct periodic audits by teams of experts to determine if they are compliant with the requirements set forth in any mandated comprehensive data protection plan. Each organization should include a section that includes an opinion on the results of the audit in its annual report, if required, or on its website, if not.
Organizations that lack strong comprehensive data protection plans would be substantially penalized.
RESTORING TRUST
Never-ending data breaches have seriously jeopardized our national security and trust in organizations to protect personal data. In the same way that the U.S. Sarbanes-Oxley Act has restored the public's confidence in our financial markets, the federal government would do well to pass a similar law to restore the public's confidence and trust in transacting business electronically.
Robert E. Holtfreter, Ph.D., CFE, CICA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash.
Adrian Harrington graduated from Central Washington University in Ellensburg, Wash., in June 2011 with a Bachelor's Degree in Economics.
(Robert E. Holtfreter thanks co-author Adrian Harrington, a former student in his fraud examination class, who volunteered to work for him as an unpaid research assistant. "He has worked hundreds of hours over the past 18 months providing outstanding intellect, leadership and work ethic in helping to conduct research and investigate the data breach area, develop our data breach classification model, analyze the data and write this article and work on others. He has a serious interest working in the fraud area and will make a great investigator." – ed.)
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.