January 6th, 2009 at 7:53 pm
As a follow-up to my initial analyses and commentary, I did some additional analyses of ITRC’s 2008 data:
Sector by Year Comparison
Although ITRC noted that there was an overall increase of 47% in breach reports from 2007 to 2008, there was no uniform increase across sectors, as I previously noted and as Fig. 1 below illustrates.

Fig 1. Financial and business sectors showed the largest increases proportionally from 2007 to 2008.
In my previous analysis, I also pointed out that although ITRC had described the financial sector as being the most “proactive” in terms of breaches, their own data indicated that breaches in that sector had more than doubled from 2007 to 2008. A more refined analysis of their financial sector data, illustrated in Fig. 2, below, indicates that the increase was primarily due to significant increases in Hacking and Insider Theft incidents:

Fig 2. Financial sector breaches for 2007 vs. 2008, by breach method.
Other data reported by ITRC indicate that financial sector breaches accounted for 52.5% of records breached for those incidents where number of records involved was reported. Thus, although the total number of breaches in the financial sector data was smaller than that reported for other sectors: (1) there was a significant increase from 2007 to 2008, (2) the proportional increase in incidents exceeded all other sectors except for the business sector, and (3) the financial sector accounted for over half of all records breached for breaches where we have such data. On some level, then, the sector did not keep pace with hardening its security against increased threats in 2008. It is important to note that one incident, the BNY Mellon lost backup tapes, accounted for many of the records in the Financial sector and in the Data on the Move category.
Breach Method
As reported by ITRC:
Mal-attacks, hacking and insider theft, account for 29.6% of those breaches that reported the causal factor. Insider theft, now at 15.7%, has more than doubled between 2007 and 2008. On the other hand, data on the move and accidental exposure, both human error categories, showed noteworthy improvement, but still account for 35.2% of those breaches that indicate cause.
Inspection of the frequency data suggests a somewhat different picture, however. As illustrated in Fig. 3, below, while the number of Data on the Move incidents decreased in two sectors, Education and Military/Government, it remained basically the same or increased in the other three sectors, and showed an overall increase for the year on the order of 10%. In terms of percent of records, Data on the Move accounted for over 50% of breached records for incidents where numbers were reported.

Fig 3. Breaches involving ITRC’s “Data on the Move” category.
Similarly, Accidental Exposure incidents (not shown here) decreased only in the Military/Government sector, and either remained the same or increased in all other sectors, showing a small overall increase in 2008. I would not characterize those patterns as “noteworthy improvement,” unless by “noteworthy improvement,” we mean, “didn’t report significantly worse numbers while other breach methods did.”
Insider Theft incidents, which ITRC reports more than doubled from 2007 to 2008 for incidents where cause was indicated, are depicted in Fig. 4, below, and indicate an even grimmer picture than suggested by their summary. The total number of incidents more than tripled between 2007 and 2008. In the business sector, there was an 8-fold increase, and in the financial sector, more than a 4-fold increase.

Fig 4. Breaches involving ITRC’s “Insider Theft” category.
Whether these statistics indicate an actual increase in the number of insider incidents or simply better detection of such incidents is unknown, but in either event, they highlight the ongoing need for better personnel screening and more restrictions on access to data, as well as auditing of access logs.
So how bad was 2008 compared to 2007? Are there more incidents or are we just finding out about more? We still don’t know because there is no uniform and national reporting requirement.
January 6th, 2009 at 8:20 am
Over on Emergent Chaos, Adam has posted some comments on the Maine breach study recently reported in news.
January 5th, 2009 at 7:19 pm
A poignant update to John’s tribute thread today by his son Gerry. John would have been 77 today.
It is hard to believe that it has been almost a year since we lost him. Scroll down the tribute thread to see a picture of John that Gerry took at his birthday party last year.
January 5th, 2009 at 6:54 pm
The Identity Theft Resource Center ("ITRC") issued its end of year press release today. Not surprisingly, the number of breaches reported in 2008 was up significantly from 2007, with their counter hitting 656 U.S. breaches for the year, an increase of 47% over last year’s total of 446 breaches in their database. Some of the reported increase may be due to states implementing new reporting requirements, and some may be due to the Maryland Attorney General’s office making its central registry of breach reports available online, but even after taking the latter into account, there is still a significant increase from 2007 to 2008.
According to the ITRC’s analyses, the financial, banking and credit industries
have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.
The business sector accounted for over one third of the breaches in their 2008 database:
| Sector | 2008 breaches (#) | 2008 (% of total) | 2007 (% of total) | 2006 (% of total) |
|---|---|---|---|---|
| Business | 240 | 36.6% | 28.9% | 21% |
| Educational | 131 | 20% | 24.8% | 28% |
| Government/Military | 110 | 16.8% | 24.6% | 30% |
| Health/Medical | 97 | 14.8% | 14.6% | 13% |
| Financial/Credit | 78 | 11.9% | 7% | 8% |
The ITRC also analyzed cause of breach for those reports that indicated causes:
Mal-attacks, hacking and insider theft, account for 29.6% of those breaches that reported the causal factor. Insider theft, now at 15.7%, has more than doubled between 2007 and 2008. On the other hand, data on the move and accidental exposure, both human error categories, showed noteworthy improvement, but still account for 35.2% of those breaches that indicate cause.
Additional analyses are available on their site, as are last year’s reports and analyses.
But did breaches in the educational sector actually decrease or did they just account for a smaller percent of all increases? And did businesses account for a greater percent of breaches because they experienced a relatively greater number of increases in that sector or is their relative percentage greater because some other sectors dropped significantly?
Because I find limited value in looking at percent of total breaches by sector, I looked at some of their data using simple frequency counts. For 2008 vs. 2007:
| Sector | 2008 | 2007 |
|---|---|---|
| Business | 240 | 129 |
| Educational | 131 | 111 |
| Government/Military | 110 | 110 |
| Health/Medical | 97 | 65 |
| Financial/Credit | 78 | 31 |
Whereas ITRC’s analysis might lead to the conclusion that the financial sector is the most proactive sector because it represents less than 12% of all breaches, inspection of the raw frequency data suggests a somewhat different picture: reported breaches increased over 250% from 2007 to 2008. That trend indicates that security in the financial sector is not keeping pace with previous threats and new threats to data security.
In interpreting ITRC’s data, then, and in addition to all of the cautions and qualifiers they appropriately include, we also need to keep other factors in mind. Not the least of these is that when Massachusetts analyzed its breach reports for the first 10 months after its law went into effect, 75% of the reported breaches were from the financial sector, a statistic that does not seem to “fit” with what ITRC found based on published media reports or those reports available on a few state attorney general web sites.
Trying to compare sectors or breach types as percentage of total breaches in the sample is fraught with qualifiers because the sectors are not equally represented in the population. If businesses account for 36.6% of all breaches in the sample, we really cannot conclude anything meaningful from that without knowing how many businesses there are, total, that might be subject to breach reporting so that we can compare that to how many financial entities there are that would be subjected to reporting laws, how many educational institutions, etc. Inter-sector comparisons may not be as valid as intra-sector comparisons from year to year.
Similarly, saying that a sector decreased from one year to the next in terms of percent of total breaches may provide a misleading impression in the absence of additional data. Did their relative contribution change because all of the other sectors experienced significant increases or decreases, or did their relative contribution change because their rate of breaches changed when other sectors did not change — or some combination of the above?
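The two views contrasted above, share of total versus raw frequency, worked through on ITRC’s own 2007 and 2008 counts as quoted in this post. This is an added example, not ITRC’s analysis or code; the sector names and the helper functions are mine.

```python
# Added example (not from the original post or ITRC): the per-sector counts
# below are the 2007 and 2008 ITRC figures quoted in the post. The functions
# compute ITRC's "percent of total" view and the intra-sector year-over-year
# view side by side, and list the sectors where the two views disagree.

BREACHES_2007 = {"Business": 129, "Educational": 111,
                 "Government/Military": 110, "Health/Medical": 65,
                 "Financial/Credit": 31}
BREACHES_2008 = {"Business": 240, "Educational": 131,
                 "Government/Military": 110, "Health/Medical": 97,
                 "Financial/Credit": 78}


def share_of_total(counts):
    """Percent of all breaches in the sample, per sector (ITRC's table)."""
    total = sum(counts.values())
    return {sector: 100.0 * n / total for sector, n in counts.items()}


def year_over_year(prev, curr):
    """Per-sector ratio curr/prev and percent change (intra-sector view)."""
    out = {}
    for sector in curr:
        p, c = prev[sector], curr[sector]
        out[sector] = {"ratio": c / p, "pct_change": 100.0 * (c - p) / p}
    return out


def share_down_count_not_down(prev, curr):
    """Sectors whose share of the total fell although their raw count did
    not fall: exactly the cases where 'percent of total' misleads."""
    s_prev, s_curr = share_of_total(prev), share_of_total(curr)
    return sorted(s for s in curr
                  if s_curr[s] < s_prev[s] and curr[s] >= prev[s])


if __name__ == "__main__":
    yoy = year_over_year(BREACHES_2007, BREACHES_2008)
    for sector, v in sorted(yoy.items(), key=lambda kv: -kv[1]["ratio"]):
        print(f"{sector:22s} x{v['ratio']:.2f} ({v['pct_change']:+.0f}%)")
    print("share fell but count did not fall:",
          share_down_count_not_down(BREACHES_2007, BREACHES_2008))
```

Running it shows Education and Government/Military with a falling share of the total while their counts rose or held steady, and the financial sector at roughly 2.5 times its 2007 count despite its small share.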
Perhaps we should be asking what the military/government sector did right this year, as their reported number of breaches remained the same while all other sectors increased.
In any event, although the overall totals increased 47% in 2008, the fact that financial sector incidents more than doubled and business sector incidents nearly doubled are grim predictors for 2009.
None of the above comments should be construed as any criticism of ITRC, who has done an outstanding job trying to keep track of the many breaches that are reported each year. If anything, the criticisms are a reflection of the continuing frustration of trying to make sense of data when we do not have random, equal, or representative samples. Making any sense of breach data continues to be like comparing apples, oranges, and Fruit Loops.
Hopefully, the FOI project that is under way will provide us with more data that will help us get a clearer picture of what is going on, although given the differences in state reporting laws, there will always be questions.
January 4th, 2009 at 1:16 pm
There is a high recidivism rate for crime, and although there are some small differences among types of crime, overall the rates are disturbingly high.
I wonder if the same is true of ID theft. I don’t think I’ve seen any statistics on that, but a recent press release by the FBI got me wondering about it. The release described how Linda Lee David was sentenced to four years in prison and then one year of supervised release for ID theft committed while she was on supervised release for a former conviction for wire fraud where she served some time in jail. In both cases, David stole co-workers’ (or employer’s) SSN and used it to obtain credit cards that she used.
I’m trying to think of whether I’ve seen any other reports where people were convicted of ID theft after having been previously convicted and serving time for the crime. I think there may have a been few cases in the media like that. Perhaps we should expect to see more.
January 3rd, 2009 at 1:51 pm
Over in the UK, a Birmingham man who is blind is having ongoing problems getting a Braille PIN from his NatWest bank.
Despite numerous requests and 7 weeks of aggravation, the bank still can’t seem to get this sorted. But what really caught my attention was this part of the news story:
Even if the bank send me out a PIN in normal print, staff at my local branch will refuse to read it out to me because of data protection.
Really? Oh come on, people!