2013 STATE OF THE BREACH: MORE OF THE SAME (BUT KEEP AN EYE ON UNSTRUCTURED DATA)


As 2013 comes to a close, it’s not too early to peek at current breach stats and see what this past year has brought. For this type of research, I rely on the Identity Theft Resource Center for an up to date tally of data exposures. So what are the major trends for 2013?

With over 13 million records taken (as of November 19), we’re running a little behind last year’s 17 million and 2011’s 22 million records.

The ITRC categorizes and evaluates breaches differently than this blog’s other favorite breach resource, Verizon’s Data Breach Investigations Report. But both studies are in overall agreement that financial, banking, retail, and in recent years online services constitute the majority of incidents and records.

There’s every reason to believe this trend will continue despite best efforts of IT and data security pros.

Then there is the healthcare category, which has shown a significant uptick in the ITRC’s 2013 statistics: 3.5 million records and 227 incidents, up over 1 million records (!) from 2012. There has been other research pointing to a rise in medical data loss, and according to the Ponemon Institute, also an increase in medical-related identity theft.

If you go by DBIR’s numbers, medical data breaches are quite small, perhaps under 1% of all incidents (and records taken).

What’s going on here? The discrepancy is due to unstructured data finding its way to laptops, thumb drives, and even entire disk drives, which are reported stolen or misplaced. By the way, you can see for yourself the extent of this issue in a post we did on the top sources of medical data losses.

Using the VERIS methodology, the DBIR considers this data “at risk” for exposure and doesn’t count it as an actual data breach. In other words, a stolen laptop with a spreadsheet containing 100,000 patient records with Social Security numbers and health insurance information is not a verified breach since there’s no evidence the file was looked at. ITRC takes the opposite view—a lost device is a data exposure.

I’m willing to take a middle ground on this. An ordinary thief is likely interested in stealing a laptop for himself or perhaps selling it—not the data—to someone else. However, cyber gangs are getting smarter every nanosecond and are always on the prowl for new data sources: hospitals and healthcare facilities provide a target-rich physical environment.

But there’s a larger trend that’s being revealed: data that may have originally started out as structured records (in a database) is subsequently exported into a human-readable format that then propagates through the file system and eventually ends up on someone’s personal device.

This is not an issue for healthcare alone. In a way, the ITRC stats come at just the right time: they serve as a warning for IT security staff everywhere to keep an eye on unstructured data, especially in BYOD environments. You have to believe that cyber thieves are eyeing this area as well.
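One concrete way to "keep an eye on unstructured data" is to look for database exports that have spread into ordinary files: a file holding many Social Security number–shaped values is a strong sign that structured patient records were dumped to a spreadsheet. The scanner below is an added illustration, not code from the original post; the file names, the ten-hit threshold and the sample records it builds are all constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# SSN-shaped values; area 000, 666 and 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
TEXT_SUFFIXES = {".csv", ".tsv", ".txt"}


def count_ssn_like(text: str) -> int:
    """Number of SSN-shaped tokens in a blob of text."""
    return len(SSN_RE.findall(text))


def scan_tree(root: str, threshold: int = 10) -> list[tuple[str, int]]:
    """Return (path, count) for text files with at least `threshold` SSN-like values.

    A single stray value is noise; dozens in one file look like an exported table.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            n = count_ssn_like(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip, the rest of the tree still gets scanned
        if n >= threshold:
            hits.append((str(path), n))
    return sorted(hits, key=lambda h: -h[1])


def build_sample_tree(root: str) -> None:
    """Constructed sample data: one exported patient table, one note, one clean file."""
    rows = ["name,ssn,insurer"] + [f"Patient {i},100-01-{i:04d},Acme Health" for i in range(1, 13)]
    Path(root, "patients_export.csv").write_text("\n".join(rows))
    Path(root, "notes.txt").write_text("Called patient 100-01-0005 about a refill.")
    Path(root, "readme.txt").write_text("Ticket 666-12-3456 is not an SSN and must not count.")


def demo() -> list[tuple[str, int]]:
    """Build the sample tree in a temp dir and scan it; only the CSV export should be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, threshold=10)


if __name__ == "__main__":
    for path, n in demo():
        print(f"{n:5d} SSN-like values  {path}")
```

On a real endpoint the same logic would be pointed at user profile directories and removable media, with the threshold tuned so that a single value in a support note does not page anyone.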
