Featured Article

Immunize your organization

Date: July 1, 2016

A major finding of this study is that, contrary to public opinion, data breaches have hit organizations of all sizes and in every type of industry. Nobody is safe. Immunize your employees to prevent the insidious infections.

This probably doesn't surprise anyone, but cybercriminals continue to seriously breach databases in global organizations in every industry and profession in private and public sectors. If your company hasn't been breached — and if you haven't imposed the latest safeguards — you probably should anticipate a breach in the near future and prepare for public humiliation, down time and expense.

Of course, your organization should be proactive in designing a risk management strategy that includes security awareness and data protection programs for your employees at all levels to help to protect personally identifiable information (PII), company data, and other sensitive information and resources. Your job? Regardless of your job title, as a fraud examiner, you must reinforce the risk message and publicize the magnitude of the negative impacts of data breaches and compromised records on organizations and specifically in their industry sectors.

These three data breach cases, which rank in the top 15 in 2015 from the Privacy Rights Clearinghouse's (PRCH) Chronology of Data Breaches, help to illustrate the severity of the problem.

In July 2015, a third-party contract employee hired by the National Guard unwittingly caused a data breach when the contractor mishandled a transfer of data to a non-accredited data center. The breach possibly exposed the Social Security numbers, home addresses and other PII of approximately 850,000 current and former National Guard members — dating back to 2004.

In February 2015, health insurer Anthem announced an embarrassing breach, which began in February 2014, that exposed an amazing 80 million patient and employee records including the unencrypted names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, income data and more.

In May 2015, CareFirst BlueCross BlueShield discovered a data breach in which external hackers invaded a database and compromised unencrypted names, birth dates, email addresses and subscriber information of 1.1 million members.

The firm said that member password encryption prevented the cybercriminals from gaining access to Social Security numbers, medical claims, employment, credit card and financial data. However, had the firm protected its data with the obsolete DES algorithm rather than a modern encryption standard, the hackers could have used readily available software to recover the plaintext and then used it for identity theft.

National media outlets tend to report only the data breaches that have affected major national corporations and government agencies, so the public is unaware that the data breach problem is much broader in scope. The results of our study prove this point.

Public awareness of data breaches

This article focuses on the identification of general industry sectors and related subsectors and the impact that data breaches and compromised records are having on each of them. (We reported on the classification of data breaches and related compromises by causal factors in Breaking Breach Secrecy, Part 3, in the January/February 2012 issue of Fraud Magazine.)

The PRCH, Verizon and the Identity Theft Resource Center (ITRC) have each developed different methodologies to classify data breaches according to industry sectors.

PRCH

The PRCH classifies industry sectors into these categories:

  • Businesses – other.
  • Businesses – financial and insurance services.
  • Businesses – retail/merchant.
  • Educational institutions.
  • Government and military.
  • Health care – medical providers.
  • Nonprofit organizations.

Verizon

Verizon classifies industry sectors into these categories:

  • Accommodation.
  • Administrative.
  • Agriculture.
  • Construction.
  • Education.
  • Entertainment.
  • Financial services.
  • Health care.
  • Information.
  • Management.
  • Manufacturing.
  • Mining.
  • Other services.
  • Professional.
  • Public.
  • Real estate.
  • Retail.
  • Trade.
  • Transportation.
  • Utilities.
  • Unknown.

ITRC

The ITRC classifies data breaches according to these industry sectors:

  • Business.
  • Banking/credit/financial.
  • Educational.
  • Governmental/military.
  • Medical/health care.

Holtfreter and Harrington data-breach, industry-sector classification model

As you can see, these three data-breach reporting organizations use different methodologies to classify data breaches and related compromised records by industry sectors. To expand the awareness of the severity of the data-breach problem, we developed a methodology to create a new industry-sector classification model that not only identifies general industry sectors but also their related subsectors.

The results of this new classification model are useful in comparing the impact that data breaches and related compromised records have on these different industry sectors, which, in turn, provides a pathway for determining the applicability of private- and public-sector solutions to private- and public-sector problems.

Methodology

We used a database of 4,461 data breaches and more than 890 million compromised records reported by the PRCH for the years 2005 through 2014 to undertake a factor analysis to identify general industry sectors and their related subsectors and then determine the impact of the data breaches and compromised records on each of them.

Results

Our study identified five general industry sectors, including business, government, education, health care and nonprofit plus their 16 related industry subsectors — nine for business, five for government and two for education. We didn't identify any discernible subsectors for the health care and nonprofit general industry sectors.

We defined the health care general industry as "including doctors, nurses and other health care practitioners/professionals and physical facilities such as hospitals, medical clinics and pharmacies." Here's a typical data breach in this industry from the PRCH "Chronology of Data Breaches": On Aug. 3, 2015, Sentara Heart Hospital reported two hard drives were stolen that contained patients' PII of 1,040 patients including names, birth dates, diagnoses, types of procedures and notes.

We defined the nonprofit general industry as "formal organizations in the U.S. that qualify for tax-exempt status under the Internal Revenue Code." Here's a typical data breach in this category: On Sept. 16, 2014, Bay Bio, a nonprofit agency, reported a hack to its payment system, which compromised credit card information of individuals paying for membership dues.

Following are the definitions of each of the 16 subsectors related to the business, education and government general industry sectors accompanied by real cases from the PRCH "Chronology of Data Breaches."

BFINV: Business – finance/investments, which mainly consists of asset and hedge fund management and custodial and brokerage services. On Oct. 9, 2015, E-Trade notified its customers that a computer hacker broke into its database and might have compromised 31,000 records dating back to 2013.

BFB: Business – finance/banking, which includes banks, credit unions, consumer finance, pay-day loan and other financial companies involved in the lending of money and the issuance and processing of debit/credit bank cards. On Oct. 1, 2015, the American Bankers Association reported that a hacker stole 6,400 user records, including email addresses and passwords used to make purchases and posted them online.

BFIS: Business – finance/insurance, which consists mainly of insurance underwriters, carriers, insurance agencies and brokerages involved in annuity, life, health, and property/casualty retirement products. On Sept. 15, 2015, Blue Cross BlueShield of North Carolina notified its customers that two incidences of a data breach might have exposed an unknown number of customer records.

BPS: Business – professional services, which includes auditing, tax and legal services. On July 17, 2015, Richard Berger, CPA, notified customers that a theft of external hard drives from his home exposed PII including tax information, Social Security numbers, investment and account information, dependents, beneficiaries and contractors.

BM: Business – manufacturing, which is most commonly applied to industrial production in which raw materials and labor are transformed into finished goods. On July 11, 2014, Boeing Corporation announced that a hacker from a Chinese aviation firm invaded its computer system in an attempt to steal data about U.S. military aircraft.

BR: Business – retail or individuals and companies engaged in the selling of finished products to end consumers. On May 12, 2015, Starbucks reported a hacker gained unauthorized access into its mobile application and drained dollars out of customer accounts, credit cards and PayPal accounts.

BTM: Business – telecommunications/media, which consists of all media technology companies, including telephone, radio/TV, internet, newspapers and film. On April 8, 2015, the U.S. Federal Communications Commission fined AT&T $25 million after an investigation revealed a data breach occurred at three of its international call centers. Employees gained unauthorized access to customer names and Social Security numbers and sold them to third parties who wanted the PII to unlock stolen cell phones available on the market.

BH: Business – hospitality, including lodging, restaurants, event planning, theme parks, transportation and cruise lines. On Sept. 25, 2015, Hilton Hotels reported that hackers might have gained access to point-of-sale registers in their gift shops and restaurants in many of their hotels across the U.S. and compromised customer credit card information.

BO: Business – other, including all businesses not included in the other business subsectors. On April 15, 2015, a 19-year-old hacker pleaded guilty to stealing 11,216 log-in credentials from Microsoft/Xbox One that he used to steal software and other internal documents from Microsoft and other gaming companies from 2012 through 2014 valued at $100 million.

EHE: Education – higher ed, which includes all post-high school educational institutions. On July 5, 2015, Harvard University reported a data breach that accessed usernames and passwords of individuals affiliated with eight of their colleges and administrations.

EK12: Education – K-12 or kindergarten through high school academic institutions. On July 2, 2015, Bonita School District reported a hacker gained access to a database on its high-school server and stole students' PII and changed their grades.

GF: Government – federal, including all agencies, excluding the military, funded by the U.S federal government. On Nov. 10, 2014, the U.S. Postal Service reported it suspected that Chinese hackers broke into its computer systems and stole PII from more than 800,000 employees.

GM: Government – military, including all military agencies and installations funded by the U.S. federal government. On Aug. 13, 2015, the Hill Air Force Base reported that an employee sent names and Social Security numbers of 500 employees to his personal email account, which was against company policy.

GS: Government – state, which includes all non-educational entities funded by a state government. On Aug. 13, 2015, the state of Minnesota reported that driver license information of 18 individuals was exposed when a password-protected portal was mistakenly opened online.

GK: Government – county, which includes all non-educational entities funded by a county government. On Oct. 22, 2015, the Osceola County Juvenile County Court of Clerks reported that it mistakenly exposed PII of children on its website.

GC: Government – city, including all non-educational entities funded by a city government. On March 1, 2014, the city of Detroit reported that hackers accessed 1,700 employees' PII.

The impact of the reported data breaches and compromised records on each of the general industries and their 16 related subsectors follows.

Data breaches

Figure 1: Total data breaches – general industries (below) shows that for the 4,461 total data breaches reported for the 10-year period for the five major general industry sectors, 1,908 or approximately 42.8 percent were traced to the business sector, 778 or 17.4 percent to the education sector, 783 or 17.6 percent to the government sector, 888 or 19.9 percent to health care and 104 or about 2.3 percent to the nonprofit sector. Although none of the general industry sectors had anything to rejoice about in managing the risks associated with data breaches, the business sector stands out as having the most problems.

Figure 1: Total data breaches - general industries

Business industry subsectors

Figure 2: Total data breaches – business industry subsectors (below) displays the total data breaches traced to each of the nine business industry subsectors. It shows that for the 1,908 total data breaches reported for the 10-year period for the nine business industry subsectors, 290 or 15.1 percent were traced to business – finance/banking (BFB), 204 or 10.7 percent to business – finance/insurance (BFIS), 83 or 4.4 percent to business – finance/investments (BFINV), 174 or 9.2 percent to business – hospitality (BH), 148 or 7.8 percent to business – manufacturing (BM), 95 or 5 percent to business – professional services (BPS), 291 or 15.3 percent to business – retail (BR), 105 or 5.5 percent to business – telecommunications/media (BTM) and 518 or 27 percent to the business – other (BO) subsector.

Figure 2: Total data breaches - business industry subsectors

Government industry subsectors

Figure 3: Total data breaches – government industry subsectors (below) shows that for the 783 total data breaches reported for the 10-year period for the five government industry subsectors 301 or 38.4 percent were traced to government – state (GS), 165 or 21.1 percent to government – city (GC), 118 or 15.1 percent to government – federal (GF), 111 or 14.2 percent to government – county (GK), and 88 or 11.2 percent to the government – military (GM) subsector.

Figure 3: Total data breaches - government industry subsectors

Education industry subsectors

Figure 4: Total data breaches – education industry subsectors (below) shows that for the 778 total data breaches reported for the 10-year period for the two education industry subsectors, 652 or 83.8 percent were traced to the education – higher ed (EHE) subsector and 126 or 16.2 percent to the education – K-12 (EK12) subsector.

Figure 4: Total data breaches - education industry subsectors

Compromised records

Figure 5: Total compromised records – general industry sectors (below) shows that for the more than 890 million compromised records reported for the 10-year period for the five major general industry sectors, about 691 million or a whopping 77.7 percent were traced to the business sector, more than 18.73 million or 2.1 percent to the education sector, 155.5 million or 17.5 percent to the government sector, 19.1 million or 2.1 percent to health care and more than 5.8 million or 0.67 percent to the nonprofit sector. The business sector stands out again as the biggest loser regarding compromised records.

Figure 5: Total compromised records - general industry sectors

Business industry subsectors

Figure 6: Total compromised records – business industry subsectors (below) shows that for the 691 million total compromised records reported for the 10-year period for the nine business industry subsectors, 225.6 million or 32.7 percent were traced to business – finance/banking (BFB), 14.8 million or 2.1 percent to business – finance/insurance (BFIS), 7.8 million or 1.1 percent to business – finance/investments (BFINV), 1.4 million or 0.2 percent to business – hospitality (BH), 105.1 million or 15.3 percent to business – manufacturing (BM), 981,487 or 0.1 percent to business – professional services (BPS), 233.5 million or 33.8 percent to business – retail (BR), 4.2 million or 0.6 percent to business – telecommunications/media (BTM), and 97.5 million or 14.1 percent to the business – other (BO) subsector.

Figure 6: Total compromised records - business industry subsectors

Government industry subsectors

Figure 7: Total compromised records – government industry subsectors (below) shows that for the 155.5 million compromised records reported for the 10-year period for the five government industry subsectors, 37.5 million or 24.1 percent were traced to government – state (GS), 2 million or 1.4 percent to government – city (GC), 2.9 million or 1.9 percent to government – federal (GF), 3.5 million or 2.2 percent to government – county (GK), and 109.6 million or 70.4 percent to the government – military (GM) subsector.

Figure 7: Total compromised records - government industry subsectors

Education industry subsectors

Figure 8: Total compromised records – education industry subsectors (below) shows that for the 18.74 million compromised records reported for the 10-year period for the two education industry subsectors, 18.2 million or 97.4 percent were traced to the education – higher ed (EHE) subsector and 486,833 or 2.6 percent to the education – K-12 (EK12) subsector.

Figure 8: Total compromised records - education industry subsectors

Problem is bigger than anyone thought

What can we take away from this analysis? By expanding the general industry sectors into their subsectors, it's obvious the data breach problem is much broader in scope than recognized by the general public.

Organizations in all industry sectors need to increase their awareness of the data-breach problem and develop risk management strategies that stress the importance of security awareness and data protection programs for their employees at all levels and third-party contractors.

The author acknowledges that this research was partially funded by the Faculty Research Fund through the School of Graduate Studies and Research at Central Washington University in Ellensburg, Washington.

Part three of the study in the September/October issue will focus on (1) an analysis of the common problems underlying the internal and external causal factors and (2) specific recommendations to help organizations better manage and reduce the risks associated with data breaches.

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Washington. He's also on the ACFE Advisory Council and the ACFE Editorial Advisory Committee. His email address is: doctorh007@gmail.com.

Adrian Harrington, an Associate Member of the ACFE, is Holtfreter's research assistant and a former student in his Fraud Examination class. His email address is: aaharrington87@gmail.com.
