A recent Forbes Magazine article looks back at the data breaches of 2009.
First the "good" news.
According to the Identity Theft Resource Center, government agencies and businesses reported 435 breaches as of Nov. 17, on track to show a 50% drop from the number of breaches reported in 2008. That would make 2009 the first year that the number of reported data breaches has dropped since 2005, when the ITRC started counting.
Now the bad.
Slicing the same data a few different ways brings out some trends. The number of personal records stolen: 220 million in 2009, up from 35 million in 2008.
The largest known breaches of 2009 by number of records stolen
- Heartland Payment Systems: 130 Million records stolen
- National Archives and Records Administration: 76 Million records stolen
- Virginia Prescription Monitoring Program: 1.5 Million records stolen
- Health Net Insurance: 1.5 Million records stolen
- Oklahoma Department of Human Services: 1 Million records stolen
- Blue Cross Blue Shield: 850,000 records stolen
- Network Solutions: 575,000 records stolen
- Jackson Memorial Hospital: 200,000 records stolen
- University of North Carolina - Chapel Hill: 163,000 records stolen
- University of California Berkeley: 160,000 records stolen
Breaches by business vertical for the top 10
- Healthcare Payers (Insurers), Providers (Hospitals) and Pharmaceuticals: 3
- State Government: 2
- Academia: 2
- Finance/Banking/Credit: 1
- Federal Government: 1
- Technology: 1
Breaches by attack type for the top 10
- Web Application & Database Attacks: 5
- Physically stolen computers or hard drives: 5
Breaches by data type stolen for the top 10
- Healthcare and/or PII (Personally Identifiable Information): 8
- Credit Card Information Only: 2
In at least half of these incidents (the five web application and database attacks), application and database controls for incident prevention and detection, such as a web application firewall (WAF), a database firewall (DBFW), or database activity monitoring (DAM), would have been useful. They would have done nothing for the other half: a stolen laptop or hard drive is addressed by full-disk encryption and by not putting bulk record sets on portable media in the first place. In every one of the ten, the information taken was valuable to a third party, regardless of business vertical. That intellectual property (IP), arguably the fastest growing target for both external attackers and malicious insiders, does not appear on the list says more about disclosure than about severity: breach notification laws cover personal and card data, not trade secrets, so IP theft is reported only when the victim chooses to. Consider the $400 million in IP stolen from DuPont, or the millions in IP stolen from Ford in October 2009.
These numbers show how valuable data is and how much of it is being compromised, but once IP is taken into account they are only the tip of the iceberg.
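To make the DAM recommendation concrete, here is an added illustration of the kind of rule a database activity monitoring tool applies to the bulk-extraction pattern behind the large web application and database breaches above. This is example code written for this page, not from the Forbes article, the ITRC, or any DAM vendor. It learns, from a known-good audit log, how many rows each database principal normally returns per statement and which tables it reads, then flags statements that return vastly more rows than that principal's baseline, touch a table the principal has never read, or come from an unknown principal. The audit log format, the account names (webapp, reporting, tmp_admin), the table names and the thresholds are all assumptions made for the example; the log lines are constructed.

```python
import re
import statistics
from collections import defaultdict

# Assumed audit log format (constructed for this example):
#   <timestamp> user=<db principal> rows=<rows returned> sql=<statement>
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.+)$")
# Only the table named directly after FROM is extracted; JOINed tables are ignored
# to keep the example short.
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

# Constructed "known good" log used to learn the baseline.
BASELINE_LOG = """\
2009-11-10T09:00:01 user=webapp rows=1 sql=SELECT name, email FROM customers WHERE id = 4412
2009-11-10T09:00:02 user=webapp rows=3 sql=SELECT id, total FROM orders WHERE customer_id = 4412
2009-11-10T09:01:10 user=webapp rows=1 sql=SELECT name, email FROM customers WHERE id = 9120
2009-11-10T09:05:00 user=reporting rows=5000 sql=SELECT customer_id, total FROM orders WHERE created >= '2009-11-01'
2009-11-10T09:07:42 user=webapp rows=1 sql=SELECT id, total FROM orders WHERE id = 77
"""

# Constructed log for the day under review: one normal lookup, one bulk pull of
# card data through the web application's own account, one large but normal
# reporting query, and one query from an account with no baseline at all.
TODAY_LOG = """\
2009-11-17T10:00:01 user=webapp rows=1 sql=SELECT name, email FROM customers WHERE id = 5501
2009-11-17T10:05:09 user=webapp rows=2500000 sql=SELECT pan, expiry, name FROM cards
2009-11-17T10:06:00 user=reporting rows=6000 sql=SELECT customer_id, total FROM orders WHERE created >= '2009-11-10'
2009-11-17T10:09:30 user=tmp_admin rows=12 sql=SELECT name FROM customers
"""


def parse(log_text):
    """Turn audit log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tables = {t.lower() for t in TABLE_RE.findall(m["sql"])}
        events.append({"ts": m["ts"], "user": m["user"], "rows": int(m["rows"]),
                       "sql": m["sql"], "tables": tables})
    return events


def build_baseline(events):
    """Per principal: median rows per statement and the set of tables it has read."""
    rows_by_user = defaultdict(list)
    tables_by_user = defaultdict(set)
    for e in events:
        rows_by_user[e["user"]].append(e["rows"])
        tables_by_user[e["user"]] |= e["tables"]
    return {u: {"median_rows": statistics.median(r), "tables": tables_by_user[u]}
            for u, r in rows_by_user.items()}


def detect(events, baseline, ratio=50, floor=1000):
    """Return one alert per suspicious event, listing every reason it tripped.

    A statement is a bulk read when it returns at least `floor` rows AND more
    than `ratio` times the principal's median; the floor stops a principal whose
    median is 1 from alerting on a harmless 60-row result.
    """
    alerts = []
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("unknown principal")
        else:
            if e["rows"] >= floor and e["rows"] > ratio * max(b["median_rows"], 1):
                reasons.append(f"bulk read: {e['rows']} rows vs median {b['median_rows']}")
            new_tables = e["tables"] - b["tables"]
            if new_tables:
                reasons.append(f"first access to {sorted(new_tables)}")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "reasons": reasons})
    return alerts


def run_example():
    """Learn the baseline from BASELINE_LOG and review TODAY_LOG against it."""
    return detect(parse(TODAY_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"], a["user"], "; ".join(a["reasons"]))
```

The two alerts it raises are the ones a DAM product is sold to raise: the web application's account pulling 2.5 million rows from a table it has never touched (the pattern of a SQL injection used for bulk extraction), and a principal with no history at all. The 6,000-row reporting query is not flagged, because large reads are that account's normal profile; per-principal baselines are what keep this kind of rule from drowning in noise.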
