Data breach incidents more than double, but record exposure declines

According to number-crunching by the Open Security Foundation, which runs the international DataLoss database, and security consultancy Risk Based Security, just over half of the exposed records in 2012 came from Shanghai Roadway, a Chinese unit of Dun & Bradstreet. Four employees were found to have sold 150 million customer records for roughly 23 cents each – an incident that resulted in the closure of the business unit, fines for Dun & Bradstreet, and fines and jail time for the employees.

Their analysis also found that hackers were the most common culprit behind data breaches, as opposed to loss, theft or inadvertent data mishandling by employees. Again, the numbers are deceptive: while hacking accounted for 1,802 (68.2%) known breaches for the year, it represented only a fifth (22%) of the records exposed.

Conversely, insiders, be they malicious or simply unaware, were responsible for 19.5% of incidents, but a staggering 66.7% of 2012’s exposed records. Malicious insiders, as in the Dun & Bradstreet case, were behind 7.1% of all breaches, while insider errors accounted for 8.9% of incidents and 5.1% of exposed records.

When it comes to the types of data stolen, credentials such as user ID, name, password, email and other access data were exposed in more than 44% of incidents – far and away the biggest set of data compromised. Credit-card numbers were exposed in 6.4% of the incidents, account information in 7.4%, medical data in 9.4%, date of birth in 11.2%, social security number (or non-US equivalent) in 14.4% and address in 18.8%.

The report authors caution that the number of records exposed was not reported in 20.6% of breaches – a factor that could significantly change some of the stats. After removing the single incident of 150 million and any incidents for which the organizations did not disclose the number of records exposed, an average of 55,863 records were exposed per incident in 2012, the report found.
