Nearly 13 Million Have Been Hit With Identity Theft

Data privacy experts weigh in on security breaches.

Nearly 13 million people have suffered from identity theft so far this year. That's ridiculous! Lax security threatens to hammer a nail in the coffin for privacy. So far in 2010, the Identity Theft Resource Center (ITRC) reports there have been 371 identity breaches that exposed 12,871,065 records in the United States alone. ITRC does not count stolen encrypted records, so the real total could be a lot higher. The ITRC's breach database only includes previously published records from what the organization considers to be credible sources. Many data privacy experts believe data breach reporting needs to be improved, as the details of breaches are sometimes sketchy at best.

Even if you are careful and wise, the people with whom you do business can leave themselves vulnerable to cyber thieves who exploit every available weakness. Here is a breakdown of identity theft breaches that threaten privacy so far in 2010, according to the ITRC:

  • Businesses have the highest percentage of breaches at 35%,
  • Medical/Healthcare makes up 29.1% of the breaches,
  • Government/Military weighs in at 16.2% of breaches,
  • Banking/Credit/Financial suffered 10.5% of breaches,
  • and 9.2% of breaches occurred in educational institutions.

Verizon is well known for its work regarding breaches. Verizon's breach report is based on consulting and 'clean up' after a breach. Earlier this year, the Secret Service started working with Verizon to leverage the VERIS framework to classify and analyze its caseload from the last two years. The Secret Service's participation offers a new perspective to the Data Breach Investigations Report (DBIR), including what happens after a breach to identify suspects, make arrests, extradite foreign nationals, and prosecute cybercriminals. VERIS, the Verizon Incident Sharing framework Verizon released and uses internally, has four main sections: Demographics, Incident Classification, Discovery and Mitigation, and Impact Classification.

The VERIS Incident Classification Mindmap is fascinating to play with; it turns "who did what to what (or whom) with what result" into a form more suitable for trending and analysis.
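To make concrete what "a form suitable for trending and analysis" means, here is an added example (not code from the article, Verizon, or the ITRC) that stores a handful of constructed incident records under the four VERIS sections named above and produces the kind of sector breakdown and record count the ITRC list gives. The field names inside each section (actor, action, asset, attribute, days_to_discover, records) are my own assumption, modelled on the "who did what to what with what result" phrasing, not the published VERIS schema, and the incidents themselves are invented sample data.

```python
from collections import Counter
from statistics import mean

# Constructed sample incidents (assumption: not real ITRC, DatalossDB or
# VERIS records). Each record is organised under the four sections the
# article attributes to VERIS; the keys inside them are assumed names.
INCIDENTS = [
    {"demographics": {"sector": "Business", "region": "US"},
     "incident_classification": {"actor": "external", "action": "hacking",
                                 "asset": "web application", "attribute": "confidentiality"},
     "discovery_mitigation": {"discovered_by": "third party", "days_to_discover": 120},
     "impact": {"records": 50000}},
    {"demographics": {"sector": "Medical/Healthcare", "region": "US"},
     "incident_classification": {"actor": "internal", "action": "misplaced media",
                                 "asset": "laptop", "attribute": "confidentiality"},
     "discovery_mitigation": {"discovered_by": "employee", "days_to_discover": 3},
     "impact": {"records": 1200}},
    {"demographics": {"sector": "Business", "region": "US"},
     "incident_classification": {"actor": "external", "action": "hacking",
                                 "asset": "database server", "attribute": "confidentiality"},
     "discovery_mitigation": {"discovered_by": "law enforcement", "days_to_discover": 200},
     "impact": {"records": 30000}},
    {"demographics": {"sector": "Government/Military", "region": "US"},
     "incident_classification": {"actor": "internal", "action": "misplaced media",
                                 "asset": "backup tape", "attribute": "confidentiality"},
     "discovery_mitigation": {"discovered_by": "employee", "days_to_discover": 10},
     "impact": {"records": 800}},
    {"demographics": {"sector": "Medical/Healthcare", "region": "US"},
     "incident_classification": {"actor": "internal", "action": "misuse",
                                 "asset": "database server", "attribute": "confidentiality"},
     "discovery_mitigation": {"discovered_by": "audit", "days_to_discover": 45},
     "impact": {"records": 250}},
    {"demographics": {"sector": "Business", "region": "US"},
     "incident_classification": {"actor": "external", "action": "hacking",
                                 "asset": "web application", "attribute": "confidentiality"},
     "discovery_mitigation": {"discovered_by": "third party", "days_to_discover": 90},
     "impact": {"records": 10000}},
]


def breakdown(incidents, section, field):
    """Count incidents by one field of one section.

    Returns {value: (count, percent_of_total)} with the percentage rounded
    to one decimal, the same shape as the ITRC sector breakdown.
    """
    counts = Counter(rec[section][field] for rec in incidents)
    total = sum(counts.values())
    return {value: (n, round(100.0 * n / total, 1)) for value, n in counts.items()}


def records_exposed(incidents):
    """Sum the Impact section's record count across all incidents."""
    return sum(rec["impact"]["records"] for rec in incidents)


def who_did_what(incidents):
    """Tally the full (actor, action, asset, attribute) tuple.

    This is the 'who did what to what with what result' view: identical
    tuples collapse into one row with a count, which is what makes trending
    across many incidents possible.
    """
    return Counter(
        (c["actor"], c["action"], c["asset"], c["attribute"])
        for c in (rec["incident_classification"] for rec in incidents)
    )


def mean_days_to_discover(incidents, action):
    """Average time-to-discovery for incidents with a given action.

    Joins the Incident Classification and Discovery sections, the sort of
    cross-section question a flat per-incident record makes cheap to ask.
    """
    days = [rec["discovery_mitigation"]["days_to_discover"]
            for rec in incidents
            if rec["incident_classification"]["action"] == action]
    return mean(days) if days else 0.0


if __name__ == "__main__":
    for sector, (n, pct) in sorted(breakdown(INCIDENTS, "demographics", "sector").items()):
        print(f"{sector}: {n} breaches ({pct}%)")
    print("records exposed:", records_exposed(INCIDENTS))
    for row, n in who_did_what(INCIDENTS).most_common():
        print(n, "x", " / ".join(row))
    print("mean days to discover a hacking breach:",
          round(mean_days_to_discover(INCIDENTS, "hacking"), 1))
```

With the six constructed records, the sector breakdown comes out as Business 50.0%, Medical/Healthcare 33.3% and Government/Military 16.7%, and the "who did what" tally shows the repeated external/hacking/web application row at the top. The design choice worth noting is that every answer is computed from the same flat records; nothing has to be re-entered for each new question, which is the practical reason a classification framework is more useful than free-text breach notices.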

Private data can be lost in a number of ways, but I tried to track down whether most breaches by hack happen as a result of using Windows as an OS or whether they are more a result of lax security. Detailed information on data breaches is very difficult, if not impossible, to track down for the record.

Wade Baker, Director of Research and Intelligence, Verizon Business, replied, "The majority of breaches occur on the Windows platform, but it is certainly not exclusive. Based on our experience, most breaches do not exploit patchable vulnerabilities but rather poor configuration. When we do see vulnerability exploits, they aren't 'zero days' and, in fact, the patch has usually been available for over a year. The above is especially true for the larger breaches."

Disclosure of data breaches will be mandatory for all UK organizations within a few years, starting in May 2011 when ISP and telecom companies will be required by law to disclose data breaches under the current European Union data protection directive.

DatalossDB and the Open Security Foundation provide details of data loss, including incidents by breach type. I asked DatalossDB.org: What will it take for U.S. breach reports to be made available to the public and include very specific details of why they were breached?

An Officer of the Open Security Foundation (OSF, the parent 501(c)(d) that runs DatalossDB.org) responded, "A miracle? While we'd all like to see more information associated with a breach, companies will strongly dispute the need for it. Some will cite 'ongoing investigation' while others will claim that such information only gives sensitive information to the next attacker. The only way I see a mandate for more information, especially of a technical nature, is if it happens slowly without companies realizing it."

Do you think enterprises would be more inclined to have better security if detailed breach reports were made public, the how and the why of it?

DatalossDB.org: "They would be more inclined to use the current budget in areas they perceive to be a higher risk. I don't think any breach, no matter how large, or how simple it was to cause, will really change the way enterprises operate in the way of security."

Do you think details of poor security management or specifics of hacked exploits would benefit or harm other enterprises with similar lax security in place?

DatalossDB.org: "This is hard to argue either way. On one hand, you could argue that such information could be used as a template for attacking other similar companies. On the other hand, I think it is pretty clear there is no shortage of smart attackers out there, that are ahead of the curve and don't need such information to be made public."

If detailed breach reports were made available to the public, do you think enterprises with lax security would act faster to close the same holes?

DatalossDB.org: "Yes. Where a company may be spending a large part of their security budget on one aspect, it may get them to shift the spending to more appropriate areas."

What do you think? Would publicly releasing detailed breach reports harm or help protect privacy and security?

Copyright © 2010 IDG Communications, Inc.
