This study shows that untrained employees are the linchpins for most data breaches. Organizations can help prevent them if they're filled with savvy and aware employees at all levels.
In one of the worst data breaches in 2015, a cybercriminal gang called Carbanak used a simple spear-phishing email scheme to fool employees in more than 100 banks in 30 nations throughout the world. Gang members penetrated employees' computers with malware that they used to record keystrokes and take screenshots of computers so they could gain access to key employee account credentials and privileges. The criminals could then observe every step in daily cash transfers, impersonate bank officers and steal up to $1 billion in cash withdrawals directly from the banks and from ATMs. (See "The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide," Viral News, Feb. 16, 2015 at Kaspersky Lab.)
Data breaches are increasing in volume and scope. The aim of this article, and two subsequent ones, will be to help protect public- and private-sector organizations by demonstrating a methodological framework for classifying and analyzing data breaches based on their internal and external causal factors. Our study's results will help organizations devise security awareness and data protection programs as part of their risk management strategies. They will better safeguard records that contain personally identifiable information (PII) data and other sensitive material.
As this opening case shows, untrained employees are the linchpins for most data breaches. Our study will show that organizations can prevent these frauds if they're filled with savvy and aware employees at all levels who — similar to fraud examiners — know how to detect and prevent them in their unique spheres.
The case is one of the largest on record although not representative in magnitude of the thousands that various organizations have been identifying and tracking. These include the Privacy Rights Clearinghouse (PRCH), Verizon and the Identity Theft Resource Center® (ITRC).
Privacy Rights Clearinghouse
PRCH, according to its website, is known as "A nonprofit consumer education and advocacy project whose purpose is to advocate for consumers' privacy rights in public policy proceedings." From Jan. 1, 2005 through Dec. 31, 2015, PRCH has reported 4,717 data breaches and more than 895 million compromised records in its Chronology of Data Breaches document, which is updated daily from a variety of sources.
The number of reported compromised records in the chronology is grossly understated; in almost half of the reported data breaches the number of compromised records is listed as "unknown."
The PRCH methodology classifies data breaches as:
- Unintended disclosure: sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
- Hacking or malware: electronic entry by outside party.
- Payment card fraud: fraud involving debit and credit cards that is accomplished via hacking. For example, skimming devices at point-of-service terminals.
- Insider: someone with legitimate access such as employee or contractor intentionally breaches information.
- Physical loss: lost, discarded or stolen non-electronic records, such as paper documents.
- Portable device: lost, discarded or stolen laptops, PDAs, smartphones, portable memory devices, CDs, hard drives, data tapes, etc.
- Stationary device: lost, discarded or stolen stationary electronic devices such as computer or server not designed for mobility.
- Unknown.
Verizon
Since 2004, Verizon has produced its annual "Data Breach Investigations Report" and has validated thousands of data breaches from its caseloads. In its report for data breach activity in 2014 it documented 79,790 security incidents that led to 2,122 confirmed data breaches, which resulted in $400 million in losses and 700,000 compromised records.
The data sources are from 70 organizations. Verizon classifies data breaches into four categories: external agents, insiders, business partners and multiple partners.
Identity Theft Resource Center
According to the ITRC, it's a "nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft." The ITRC compiles data breaches that are confirmed by various media sources and/or notification lists from state government agencies.
The ITRC has reported nearly 6,000 data breaches and more than 8.5 million compromised records from Jan. 1, 2005 through Dec. 31, 2015. For 2015, as of December 29, it reported 780 data breaches and 178 million compromised records. These are the ITRC's data breach classifications: data on the move, accidental, exposure, insider theft, sub-contractors and hacking.
Because these organizations use differing methodologies to select and classify data breaches, the public can view the data from different perspectives. "Data breaches are not all alike," according to the ITRC. "Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain … PII in a format easily read by thieves, in other words, not encrypted." (See Data Breaches, Identity Theft Resource Center.) That's true, but a lot of PII that cyberthieves steal via data breaches is encrypted. Because many organizations still use the 56-bit Data Encryption Standard rather than the 128-bit Advanced Encryption Standard or better to encrypt their data, hackers normally can break key codes and return the encrypted data to plain text, which they easily use for identity theft.
Holtfreter and Harrington data breach model
To provide more breadth and depth to the data breach classification models that these three reporting organizations use, we developed a new model to compile a three-part report for the public, organizations of all types and anti-fraud professionals by using a unique system to identify and classify data breach causal factors and general industry sectors and their related sub-sectors.
Part one here will focus on an analysis of the impact of the identified internal, external and non-traceable causal factors on reported data breaches and their related compromised records.
Part two of the study in the July/August issue will focus on an analysis of the impact of the reported data breaches and their compromised records on the general industry sectors and their related subsectors.
Part three of the study in the September/October issue will focus on an analysis of the common problems underlying the interrelationships between the internal and external causal factors plus specific recommendations to help organizations better manage and reduce the risks associated with data breaches.
(For an analysis of the general data breach problem see "Data Breaches, Part 1: Corporations Need to Publicize Breaches," by Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, Fraud Magazine, September/October 2011, and for U.S. Congress data protection legislation prior to 2011 see "Data Breaches, Part 2: Gauging the Effectiveness of Data Breach Notification Legislation," by Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, Fraud Magazine, November/December 2011.)
Methodology
We factor analyzed (looked for a distinct pattern of commonalities in the data) the 4,461 data breaches and related 889 million compromised records from the PRCH Chronology of Data Breaches for the 10-year period from 2005 through 2014 to identify their internal, external and non-traceable causal factors plus the general industry sectors and their related subsectors.
Internal and external data breaches are defined, simply, as those originating from within or outside an organization, respectively. Non-traceable data breaches are those that couldn't be classified as internal or external because of a lack of information provided by the PRCH.
After we completed the identification process, we determined and analyzed the impact of the reported data breaches and compromised records on each of the causal factors.
Results
We identified the following data breach causal factors — including five internal, four external and a non-traceable factor — in the 10-year study for analysis. We define them below and include recent cases. The cases are all from the PRCH Chronology of Data Breaches.
XH: External – hacking or unauthorized intrusion of a network by a non-employee. On Nov. 9, 2015, Comcast reported an external data breach in which 590,000 customer email addresses and passwords were compromised and posted on the underground Dark Web for sale to fraudsters.
XTNF: External – theft of data by a non-employee with low or no probability of fraudulent intent. On Oct. 14, 2015, the University of Oklahoma College of Medicine - Department of Obstetrics & Gynecology notified patients of a data breach when a physician's laptop including 7,963 records was stolen from his car.
XP: External – partner/third party theft or loss of data by improper exposure or disposal. On Nov. 4, 2015, Avis Budget Group notified customers of a data breach when the third-party provider that manages its open enrollment process accidentally sent a file to another company that's also its client. Avis couldn't determine the number of compromised records.
XTF: External – theft of data by a non-employee with absolute or high probability of fraudulent intent. On Sept. 25, 2015, Horizon Blue Cross Blue Shield of New Jersey notified customers of a data breach when several individuals pretended to be doctors or other health care professionals and obtained member identification numbers and other PII of 1,100 members.
IIPD: Internal – improper protection or disposal of data. On Oct. 9, 2015, Care Plus Health Plans notified 1,400 customers of a data breach when an error in processing their statements exposed their PII to other members. The machine that processed these statements had a programming error that inserted two statements into one envelope instead of just one.
ITF: Internal – theft of data by a current or former employee with absolute or high probability of fraudulent intent. On Sept. 25, 2015, the owner of a Chinese restaurant, the Ginger Blossom, discovered that one of her employees stole customer credit and debit card information from an unknown number of customers.
IH: Internal – hacking or unauthorized intrusion of a network by a current/former employee. In July 2014, The Park Hill School District informed current and former Park Hill students and employees of a data breach to its system. A former employee downloaded files containing Social Security numbers and personal files of an unknown number of employees onto a hard drive without authorization.
ITNF: Internal – theft of data by a current or former employee with low or no probability of fraudulent intent. On June 12, 2015, a thumb drive containing 33,702 patient records was stolen from an unlocked locker at the Redwood Regional Medical Group in Santa Rosa, California.
IL: Internal – loss of data. On March 18, 2015, the Yellowstone Boys and Girls Ranch, which treats mental health issues for children and teens, reported that a binder containing PII of an unknown number of patients was lost or destroyed sometime in 2013.
NA: Non-traceable. On April 13, 2015, Stanislaus Surgical Hospital notified individuals of a data security breach that occurred on April 5 of that year, which included the PII of an unknown number of individuals.
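As an added illustration that is not part of the article or of the PRCH chronology, the following Python tallies a few constructed chronology-style entries under the nine specific codes defined above and rolls them up to the three general factors, the same aggregation that produces the figures discussed below; it also counts the entries whose record count is listed as "unknown," which is why record shares rest on fewer breaches than breach shares do. Organization names and record counts are constructed.

```python
from collections import Counter

# The article's specific causal-factor codes mapped to its three general factors.
GENERAL_FACTOR = {
    "XH": "external", "XTNF": "external", "XP": "external", "XTF": "external",
    "IIPD": "internal", "ITF": "internal", "IH": "internal",
    "ITNF": "internal", "IL": "internal",
    "NA": "non-traceable",
}

# Constructed sample in the style of a PRCH chronology extract:
# (organization, code, compromised records or None where the count is "unknown").
SAMPLE_BREACHES = [
    ("Example Cable Co", "XH", 590000),
    ("Example Clinic", "XTNF", 7963),
    ("Example Rental Co", "XP", None),
    ("Example Insurer", "XTF", 1100),
    ("Example Health Plan", "IIPD", 1400),
    ("Example Restaurant", "ITF", None),
    ("Example School District", "IH", None),
    ("Example Medical Group", "ITNF", 33702),
    ("Example Ranch", "IL", None),
    ("Example Hospital", "NA", None),
]


def _shares(counter):
    """Whole-number percentage of the counter total for each key."""
    total = sum(counter.values())
    return {k: round(100 * v / total) for k, v in counter.items()} if total else {}


def analyze(breaches, key=lambda code: code):
    """Share of breaches and of compromised records per causal factor.

    `key` relabels a specific code; pass GENERAL_FACTOR.get to roll the nine
    codes up to internal/external/non-traceable. A breach with an unknown
    record count counts as one breach but adds nothing to the record total.
    """
    breach_counts, record_counts, unknown = Counter(), Counter(), 0
    for _org, code, records in breaches:
        if code not in GENERAL_FACTOR:
            raise ValueError(f"unrecognised causal-factor code: {code}")
        label = key(code)
        breach_counts[label] += 1
        if records is None:
            unknown += 1          # listed as "unknown" in the chronology
        else:
            record_counts[label] += records
    return {
        "breach_share": _shares(breach_counts),
        "record_share": _shares(record_counts),
        "breaches_with_unknown_records": unknown,
    }
```

Call `analyze(SAMPLE_BREACHES, GENERAL_FACTOR.get)` for the general-factor view and `analyze(SAMPLE_BREACHES)` for the specific-code view; half the sample entries carry no record count, so the record shares describe only the other half.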
Data breaches – general causal factors
Figure 1, the pie chart, "Data breaches – general causal factors," below, shows the percentage of the 4,661 total data breaches for the 10-year period that were traced to the general internal, external and non-traceable causal factors. The internal causal factors accounted for 38 percent of the data breaches; external, 47 percent; and non-traceable, 15 percent.
What stands out here is the efficiency of the external threats as they account for slightly less than 50 percent of the data breaches while capturing 86 percent of the compromised records (as shown in Figure 3 later in the article).
Data breaches – specific causal factors
Figure 2, "Data breaches – specific causal factors" below, shows the percentages of the 4,661 data breaches for the 10-year period for each of the five internal (IIPD, ITF, ITNF, IH and IL), four external (XP, XTF, XTNF and XH) and non-traceable (NA) causal factors.
For the internal causal factors, IIPD or "improper protection or disposal of data" accounted for approximately 21 percent of the total data breaches; ITF or "theft of data by a current or former employee with absolute or high probability of fraudulent intent" accounted for about 9 percent; ITNF or "theft of data by a current or former employee with low or no probability of fraudulent intent" was responsible for less than 1 percent (rounded and shown as 0 percent); IH or "hacking i.e. unauthorized intrusion of network by a current or former employee" was about 2 percent; IL or "loss of data" was 5 percent.
Improper protection or disposal of data stands out as a very serious insider threat, which indicates employees' relatively sloppy attitude or irresponsibility about the control of data in their organizations.
For the external causal factors, XP, or "partner/third party theft or loss of data by improper exposure or disposal," accounted for approximately 7 percent of the total data breaches; XTF or "theft of data by a non-employee with absolute or high probability of fraudulent intent" accounted for 4 percent; XTNF or "theft of data by a non-employee with low or no probability of fraudulent intent" accounted for 11 percent; XH or "hacking or unauthorized intrusion of network by a non-employee" was 25 percent; and NA or "non-traceable – unable to determine if internal or external" accounted for approximately 15 percent.
Compromised records – general causal factors
Figure 3, "Compromised records – general causal factors" below, shows the percentage of the approximately 889 million compromised records for the 10-year period traced to the general internal, external and the non-traceable causal factors. As shown, approximately 86 percent of the compromised records were traced to external, 10 percent to internal and 4 percent to the non-traceable causal factors, respectively.
Because national media outlets typically focus their attention on hackers, the public is conditioned to believe that data breaches and related compromised records are externally driven. But as Figure 4 shows, that belief is grossly incorrect when it comes to the specific causal factors of compromised records.
Compromised records – specific causal factors
Figure 4, "Compromised records – specific causal factors" below shows the percentage of the total compromised records for the 10-year period traced to each of the five internal (IIPD, ITF, ITNF, IH and IL), four external (XP, XTF, XTNF, and XH) and non-traceable (NA) causal factors.
For the internal causal factors, IIPD or the "improper protection or disposal of data," accounted for approximately 3 percent of the total compromised records; ITF or "theft of data by a current or former employee with absolute or high probability of fraudulent intent," accounted for approximately 3 percent; IH or "hacking or unauthorized intrusion by a current or former employee" was less than one-half percent (rounded and shown as 0 percent); IL or "loss of data," was about 3 percent and ITNF or "theft of data by an employee with low or no probability of fraudulent intent" was less than 1 percent (rounded and shown as 0 percent).
For the external causal factors, XP or "partner/third party theft or loss of data by improper exposure or disposal" accounted for approximately 11 percent of the total compromised records; XTF or "theft of data by a non-employee with absolute or high probability of fraudulent intent," accounted for about 1 percent.
XH or "hacking or unauthorized intrusion by a non-employee" was about 71 percent; XTNF or "theft of data by a non-employee with low or no probability of fraudulent intent" was 3 percent; and NA or "non-traceable – unable to trace to internal or external" accounted for approximately 5 percent.
Skilled external hackers
What can we take away from this analysis? Because external hackers are more skilled at their "trade," they get more "bang for their buck" when they infiltrate organizations' networks and search for vulnerabilities to steal PII and other sensitive corporate records. They're responsible for only 25 percent of the data breaches but a whopping 71 percent of compromised records. Nevertheless, all the other internal and external causal factors account for 85 percent of the data breaches and, as a result, represent serious threats that organizations need to address.
Part two of the study in the July/August issue will focus on the analysis of the impact of the reported data breaches and their compromised records on the general industry sectors and their related subsectors.
Robert Holtfreter acknowledges Central Washington University's Faculty Research Program in its support of this work.
Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Washington. He's also on the ACFE Advisory Council and the ACFE Editorial Advisory Committee. His email address is: doctorh007@gmail.com.
Adrian Harrington, an Associate Member of the ACFE, is Holtfreter's research assistant and a former student in his Fraud Examination class. His email address is: aaharrington87@gmail.com.