Tuesday, January 4, 2011

Reported Data Breaches in 2010 - Numbers to Increase in 2011

In 2010, 662 breaches were reported exposing a total of 16,200,000 records. This equates to approximately 24,471 records per breach. Sixty-two percent of these breaches involved Social Security numbers and 26% of 2010’s breaches involved credit or debit cards.



The most common ways breaches occurred include hacking into computer systems (17%), theft or loss of laptops and flash drives (16.6%), insider actions (15.4%), and accidental exposure (10.7%).

According to an article published by the Identity Theft Resource Center, an estimated 10% to 15% of breaches are actually reported. With cybercrime and data theft on the rise, breaches will increase, but will the number of reported breaches also grow? As state and federal data breach regulations and PCI and FTC rules become more stringent and are enforced, we will likely see more publicized breaches.

Wednesday, December 22, 2010

New York Tourist Credit Card Information Hacked

110,000 credit card numbers of New York City tour patrons have been stolen by hackers using a SQL injection attack. SQL injection is one of the oldest and simplest forms of internet attack. The hackers were able to access names, addresses, e-mail addresses, and credit card numbers together with expiration dates and security codes.

The organization, CitySights NY, has begun notifying customers and offering them one year of free credit monitoring as well as a 50% off coupon for a future tour. A spokesperson for CitySights NY’s parent company, Twin America, says that they are taking steps to improve data security: they have locked down server access and have installed application firewalls.

Tuesday, December 21, 2010

US Bank Accused of Data Breach Cover-Up

Two small business owners find themselves at the center of a class action lawsuit against banking giant US Bank over the accusation of a large-scale data breach cover-up. The family-owned online paintball retailer, Paintball Punks, received 9 orders that were placed using US Bank credit cards. As was standard protocol, the credit card security numbers and billing addresses were verified. Weeks later, US Bank customers began disputing the charges and US Bank recouped its losses through "chargebacks", in which the bank essentially takes back the money that was paid to the retailer.


These chargebacks cost Paintball Punks over $11,000. While this amount seems small, the class action lawsuit was filed because of the unknown scope of the alleged breach. After investigating the claims made by US Bank, one owner says that a US Bank employee divulged that there had been a breach, but that it was never made public. The alleged cover-up is in violation of state and federal data breach laws. US Bank maintains that there was no breach and that the claims made in this lawsuit are wholly without merit.

Monday, December 20, 2010

Bank of America Breached: Employees Take Customer Data

According to papers filed last week at the New York Supreme Court, four former Bank of America employees left the organization for another wealth management firm and brought an unspecified number of customer databases with them.

The employees felt that they were entitled to the information in the databases based on a contact sharing protocol that many banks agree to during job negotiations. Bank of America denies agreeing to this protocol.

Further hearings on this case will take place in January. The case comes as Bank of America is rumored to be preparing for the website WikiLeaks to post damaging leaked documents pertaining to the mortgage crisis.

Thursday, December 16, 2010

Ohio State University Exposes 760,000 Identities – Largest Educational Institution Breach of 2010

The Ohio State University recently revealed a large data breach. The breach has exposed 760,000 identities and has the potential to cost the university $4 million. OSU has notified all affected persons and has indicated that the servers accessed stored Social Security numbers, dates of birth, and addresses. Although there is no evidence that the data was stolen, whenever personally identifiable information is accessed there is potential for identity theft to occur.

The $4 million cost associated with the breach includes consulting, notification costs, credit security, and a call center open for individuals with concerns. OSU has begun working with consulting firms to improve security. Many steps must be taken to secure this large university’s data.

Of the 68 recorded breaches at educational institutions, this one affected the largest number of records. At 760,000 records it is also just one of many breaches the university has had: Ohio State University averages 10 data breaches per year, and virtually all of them involve Social Security numbers.

Tuesday, December 14, 2010

McDonald’s Loses Customer Information to Hackers

Malicious hackers stole an undetermined amount of customer information from another company’s database. Arc Worldwide, a company hired by McDonald’s to send promotional e-mail messages, was hacked, and McDonald’s customer data including names, phone numbers, postal addresses, and e-mail addresses was accessed. The data does not include Social Security numbers, credit card numbers, or any financial information. McDonald’s customers who had information in this database have been contacted and advised not to respond to anyone claiming to be from McDonald’s and asking for personal or financial information.

Do you entrust a business partner with any confidential information? Do you know if they have the proper processes in place to prevent a leak? What about your own information: is it secure? Contact Attevo about a risk assessment. It could mean the difference between safe data and a data breach.


Thursday, December 9, 2010

Being honest about DLP in light of evolving malware and insider risk

We were recently posed the following question on a DLP message board:

Zeus and other trojans today encrypt data before they get sent over regular channels (HTTP) to the drop sites. It's also easy for users to install open source encryption software (e.g. TrueCrypt) and encrypt files before they get copied to USB drives. 
The issue here is that DLP relies on content analysis and packet inspection, but if it can't be understood, DLP doesn't seem to be helpful. Short of draconian measures like blocking all USB ports or blocking all data that cannot be identified, are there practical ways that DLP or other means can help?
For the sake of discussion, let's leave aside techniques like better access control, application whitelisting, or tighter file permissions for now. I'd also like to leave aside data-at-rest scanning to preemptively encrypt and/or move to secure locations. The assumption is that users keep copies of sensitive files on their local PCs, unencrypted. Let's assume we're talking about a typical large enterprise that can't force their employees to only use certain applications and can't prevent them from using social networking sites.

Mark Mahovlich, Director of Business Development at Attevo, provides his insight:

Outside of the obvious choice of disabling the administrative capabilities of a managed endpoint, the reality is you would have to deploy one, I say all, of the following content security practices:
  1. Endpoint Controls - If you have the right endpoint technology deployed, you can stop the user action before it moves to the encrypt or transmit phase. Policy would define the enforcement action based upon the content and the end user activity. For example, "Deny the ability to copy and paste confidential data (even a subset of the data) into any unapproved application (email, IM, HTTP post, etc.)." In your case, "Deny any encryption activities that are not my company's approved encryption technology." This would stop any third-party encryption, and allow you to automatically decrypt and scan data content (for compliance with Policy) for anything the end user did encrypt manually.
  2. Content Gateway - Deploy Content Gateway technology that is capable of decrypting SSL-encrypted traffic. Why is this important? Google Mail. In this use case, we will assume the endpoint is not being managed, and hence does not have any ability to block end user activities with confidential data (as in #1). The end user accesses Google Mail and attaches a confidential document or pastes confidential data into the email. Because Google Mail is SSL-encrypted traffic, most DLP solutions would not be able to monitor, identify and take action on the confidential data per Policy. Therefore, you need a Content Gateway to decrypt the Google Mail traffic, allowing your DLP solution to analyze the confidential data and provide enforcement actions per Policy.
  3. DLP Network Monitor - Deploy a DLP solution that allows you to monitor, analyze and enforce action on network protocols (HTTP, HTTPS, FTP, IM, SMTP, CIFS, NFS, and other P2P channels). The solution would detect traffic that was encrypted using a third-party product, and would be set by Policy to deny that transmission.
Why all three layers? It provides as much Risk Mitigation as possible, given that end users will find many paths to send data and perform their job function. Most data leakage is simply misuse (see the Secret Service Findings for hard data). However, real-life experience tells us that the truly malicious end user will try more than one channel to reach his goal. People are very creative.


In addition, technology moves at a rapid pace. As seen in the Google example above, organizations will go to great lengths to secure their application-driven revenue. Consider the security concerns and breaches being seen today simply with Web 2.0 technologies. What will Web 3.0 bring? Single-point solutions simply will not provide the coverage necessary for an organization to adequately protect itself.
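As an added illustration of the detection logic behind item 3 (example code written for this page, not part of Mark's answer or of any Attevo product), the Python below labels an outbound payload as inspectable text, a known file format, or opaque near-random bytes, and maps each label to a policy action. The entropy threshold, the magic-byte table, the SSN pattern and the sample payloads are all constructed assumptions for the example.

```python
import gzip
import hashlib
import math
import re
from collections import Counter

# File signatures a content inspector can parse (constructed, non-exhaustive table).
KNOWN_MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data) if data else 0.0


def classify_payload(data: bytes, entropy_threshold: float = 7.2, min_len: int = 64) -> str:
    """Label an outbound payload. 'text' and 'known:<fmt>' can be content-inspected;
    'opaque' (no recognisable structure, near-random bytes) is what a headerless
    encrypted container or a trojan's encrypted upload looks like. Header-stripped
    compressed data looks the same, so 'opaque' is a policy call, not proof of encryption."""
    if len(data) < min_len:
        return "too-short"  # entropy is unreliable on tiny samples; let other rules decide
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return f"known:{name}"
    if printable_ratio(data) > 0.9:  # readable text: run the usual content rules on it
        return "text:ssn" if re.search(rb"\b\d{3}-\d{2}-\d{4}\b", data) else "text"
    return "opaque" if shannon_entropy(data) >= entropy_threshold else "binary"


def policy_action(label: str) -> str:
    """Enforcement per item 3: deny what is sensitive or unreadable, inspect the rest."""
    if label in ("text:ssn", "opaque"):
        return "deny"
    return "inspect" if label.startswith(("known:", "binary")) else "allow"


# Constructed samples: customer records, the same text gzipped, and a headerless pseudo-random blob.
MEMO = (b"Customer record: Jane Doe, DOB 1970-01-01, SSN 123-45-6789, card ending 4242.\n"
        b"Customer record: John Roe, DOB 1965-05-05, SSN 987-65-4321, card ending 1111.\n") * 2
GZIPPED = gzip.compress(MEMO)
RANDOM_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
```

The gzipped memo has entropy nearly as high as the random blob but is still identified by its header, which is why the opaque check runs only after the format table and the text check have failed.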