Data Theft Retrospective

S S I Security Software International

SSI © copyright. All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written express authorization of SSI or one of its affiliate companies.



INTRODUCTION

Workers turned "cyber moles" and crime syndicates armed with malicious software are looting digital data from businesses, with losses reportedly topping a trillion dollars in 2008. California computer security firm McAfee presented the findings in January 2009 at the World Economic Forum in Davos, Switzerland, with a warning that the world's dismal financial straits are exacerbating data theft woes.

"This report is a wake-up call because the current economic crisis is poised to create a global meltdown in vital information." Insights for the first-ever worldwide study "on the security of information economies" were gathered from more than 800 chief information officers in Japan, China, India, Brazil, Britain, Dubai, Germany and the United States. The companies surveyed estimated they lost a combined 4.6 billion dollars worth of intellectual property last year, and spent approximately 600 million dollars repairing damage from data breaches.

"Companies are grossly underestimating the loss, and value, of their intellectual property," said Eugene Spafford, a US university computer science professor who is executive director of The Center for Education and Research in Information Assurance and Security (CERIAS). "Just like gold, diamonds or crude oil, intellectual property is a form of currency that is traded internationally, and can have serious economic impact if it is stolen."

Pressure on firms to cut costs is resulting in weakened computer security measures, making them more tempting targets for information thieves. Thirty-nine percent of the CIOs in the study said they believe vital company information is more vulnerable because of current economic conditions.

There has been an increase in "cyber mafia gangs" breaking into corporate databases. "Cybercriminals are increasingly targeting executives using sophisticated phishing techniques," the study states. "Phishing" refers to deceptive emails or other online ruses that trick people into revealing passwords, account numbers, or other sensitive information. Such attacks customized to harpoon specific powerful executives are often referred to as "whaling."

The dour economy also raises the chances of companies being looted by employees out to supplement shrinking paychecks or improve job prospects with future employers. "An increasing number of financially challenged employees are using their corporate data access to steal vital information. As the global recession continues and legitimate work disappears, desperate job seekers or 'cyber moles' are stealing valuable corporate data to make themselves more valuable in the job market." The study also pinpointed China, Pakistan, and Russia as data theft "trouble zones" because of legal, cultural or economic factors.

The following report focuses on data breaches, thefts and losses in the UK, US and Australia, with compelling facts, figures and examples included. Most organizations are reluctant to release information regarding data loss, theft and breaches, or are unaware of it when it does occur. But what is clear from the information that is publicly available is that the scale of the problem is both large and growing.

Key Points

• Organized and opportunistic data losses of $1 trillion
• Increased internal and external threats to data
• IP losses of $4.6B in 2008
• $600M to repair data breaches


DATA THEFT - 2008 WAS A GREAT YEAR GLOBALLY

2008 was not a good year for data protection, data loss and data theft. It was also a bad year for those charged with looking after our data. The ITRC (Identity Theft Resource Center), a respected US nonprofit organization dedicated exclusively to the understanding and prevention of identity theft, has completed a detailed study into data breaches in 2008. The organization has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help individuals to protect data and assist companies in their activities. The ITRC also advises governmental agencies, legislators, law enforcement, and businesses about the evolving and growing problem of data breaches and in particular identity theft.

Their report (http://www.idtheftcenter.org/BreachPDF/ITRC_Breach_Report_2008_final.pdf) unsurprisingly showed a sharp increase in the amount of data theft in 2008, with almost a 50% rise in "reported" data thefts/breaches in the US alone, from 446 in 2007 to 656 in 2008.

It was also reported that in the UK 35 million data records were lost or stolen and that "insider data theft" increased to 16% (almost double the 2007 figure). Sadly only a fraction of the records (2.4%) were encrypted, which is a tragedy, as encryption is a simple way to protect the data.

Let us have a closer look at the UK, the US and Australia.


THE UK - DATA LOSS IN 2008

2008 is the year the public began to really hear about data loss, with numerous examples of data loss throughout the year and reports into data loss. The reports were pretty damning, and the scale of data loss was staggering: hundreds of thousands of records lost regularly, and HMRC (Her Majesty's Revenue and Customs) losing data at around 10 items a day. Despite the huge amount of data lost in the UK, and reports of data loss elsewhere in the world, the UK government did not manage to introduce effective policies to prevent it.

1. GOVERNMENT

HMRC (Her Majesty's Revenue and Customs): A report by Kieran Poynter into the loss of 25 million records by HMRC in 2007 found "serious institutional deficiencies" and concluded that the losses were "entirely avoidable". Two computer discs holding the personal details of all families in the UK with a child under 16 went missing. The Child Benefit data on them included name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.

NHS (National Health Service):

• 9 NHS trusts admit losing millions of records; 4 out of 5 NHS trusts lose medical records
• A list of NHS losses was produced under the Freedom of Information Act (it is a long article!)
• 66,000 medical records lost (including names, home addresses, phone numbers and a description of the disabilities of 45,000 people, including children and pensioners)
• The NHS also moved a lot of records out to other companies, with 300 million medical records moved out of the NHS and patient data being shared with councils

MoJ (Ministry of Justice) and Home Office:

• MoJ lost 4 CDs containing criminal case information; the CDs were unencrypted, giving anyone who found them access to highly confidential material
• Ministry of Justice lost 5,000 records
• Home Office lost 84,000 prisoner records
• UK Government lost 3 million driving licence records on an unencrypted hard drive

MoD (Ministry of Defence): The MoD lost almost as much data as the NHS, with a sample of the data loss highlighted below.

• The MoD lost 600,000 records on an unencrypted laptop
• MoD admitted losing 650 laptops
• RAF lost 50,000 records
• Army lost 1.5 million records

DWP (Department for Work and Pensions): lost a USB drive.

Foreign Office: The FCO admitted losing tens of thousands of records.


Individuals within the government: A couple of high profile individuals lost data as well as all of the departments listed above. Hazel Blears, the former Communities Secretary, lost her laptop, which was unencrypted, and "critical terror files" were left on a train.


PRIVATE SECTOR

Below is an outline of data theft statistics posted on December 28, 2008 from different sources. Despite the variety of sources, they all say the same thing: data theft is common, it happens regularly, and everyone knows it is going on.

HSBC: HSBC did not have a good year for data loss:

• HSBC lost an entire server; the data was not encrypted
• HSBC lost 37,000 records on unencrypted media
• HSBC, along with banks in the UAE and others, also suffered data theft

Virgin: Virgin Media were censured by the ICO following their data loss.

2008 Finjan Report (Finjan is a leading provider of secure web gateway solutions for the enterprise market). According to their Web Security Survey of July 2008, almost all participating organizations perceive cybercrime as a major business risk, including loss of customers, brand name damage and potential lawsuits. The survey also found that the majority of CIOs and CSOs are more concerned about data-stealing malware entering their networks than about downtime and loss of productivity due to virus infections. In the survey, Finjan asked organizations to answer questions about web security and cybercrime. Data theft is seen as a far greater problem than loss of productivity due to virus infections. Given the sophistication of today's cybercriminals and cybercrime attacks, it is notable that only 33% of respondents were convinced that their organization had never been breached by malware, while 25% reported that they had been breached and an overwhelming 42% were not sure or could not exclude the possibility of a breach.

Total survey respondents amounted to 1,387, 54% of whom have direct involvement in IT/Security. Of this group, 21% were IT personnel, 16% security consultants, 11% IT/security directors and managers and 6% CIOs/CSOs. The two largest industry sectors represented are banking (15%) and government (14%).

Extract from 2008 Finjan Report (percentage of respondents):

Cybercrime as a major business risk                         91%
Concerned about data theft                                  73%
IP and sensitive information at risk of data theft          68%
Worried about loss of employee data                         54%
Customer information at risk (financial sector)             47%
Healthcare patients' medical records as potential target    73%
Data breach reported                                        25%
Breach possibility                                          42%


2. SME SECTOR

Small to medium sized businesses (SMEs) are failing to acknowledge and prevent data theft, new research shows.

A study conducted by security software firm Prefix IT sought the views of 1,000 UK workers and found that half of SME managers say preventing data theft is not "even on the radar", with 29 per cent of all other managers saying the issue is not recognised at board level. The report also revealed that workers leaving the company posed the biggest threat to security, with 65 per cent admitting they had considered taking data, such as sales leads, database information, business contacts and sensitive documents, and nearly two thirds admitting to past stealing. This number rose to nearly three quarters of those surveyed in the 45-54 age group. Overall 36 per cent revealed they might download company data to help in a new job.

However, only 7 per cent of managers surveyed believe their organization has been affected by data theft. Nearly a third of managers said that defending against data theft is a "key priority for the business". This number dropped to 22 per cent for small SMEs (51-250 workers) and 28 per cent for medium-sized SMEs (251-500 employees).

Graeme Pitts-Drake, CEO of Prefix IT, said: "Whilst trust in staff is laudable, it is professionally negligent not to protect company assets appropriately through policy and technical means. Failing to communicate with staff about unacceptable activities is tantamount to endorsing theft." According to Pitts-Drake, despite the limited resources available to SMEs, this is something they should be concerned about. "Whether it is a large or small organization, data theft is a massive problem," he said.

"It is happening but managers don't realise it is happening - they are burying their heads in the sand. Smaller businesses have more of a family mentality and a culture of trust, but data theft is going on around them and they should be very worried," he added.

In an earlier study, conducted in September, 78 per cent of the workforce surveyed said they owned a personal device capable of downloading and storing data. Moreover, it found that 30 per cent of workers believe company information is rightfully theirs to take.


THE US – DATA BREACHES IN 2008

ITRC sources (http://www.idtheftcenter.org/)

Information management is critically important to all of us, as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published each Monday. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. ITRC follows U.S. Federal guidelines about what combination of personal information comprises a unique individual, and the exposure of which will constitute a data breach.

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted.

The ITRC tracks five categories of data loss methods:

• Data on the Move
• Accidental Exposure
• Insider Theft
• Subcontractors
• Hacking

Key Points

• Reports of data breaches in the U.S. rose almost 50% in 2008
• Only 2.4% of all breaches involved data where encryption or other strong protective measures were in place
• Only 8.5% involved password protection
• Malware attacks, hacking
• Insider theft accounted for nearly 30% of breaches
• Insider theft more than doubled between 2007 and 2008


Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in any given year or a previous year are included in the year in which the breach was publicized. Each selected incident is required to have been published by a credible media source, such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and the ITRC usually cites more than one source. As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, and data breaches are being more frequently publicized.

US Security Breaches 2008

Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center's 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over the 2007 total of 446.

In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.

The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. It is important to note that the number of breaches reported does not reflect the number of companies affected.

The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches, such as www.databreaches.net (aka Pogowasright), privacy.net, and www.datalossdb.org. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.


The report by ID Analytics states that those who have had their data stolen deliberately, e.g. by theft by an employee with access to the data, are 12 times more likely to be victims of fraud than those who have their data lost by accident (e.g. a missing laptop). This, while not surprising, is a figure worth knowing when managing security risks.

According to Privacy Rights Clearinghouse, more than 244 million pieces of data were lost or stolen in 2008 up to November.

According to the Identity Theft Resource Center there were 449 separate incidents of data breaches in the US in the first 9 months of 2008. This is more than the whole of 2007. The ITRC 2008 report also notes that for over 40% of data breach/data theft incidents the number of records lost or exposed was not reported or fully disclosed.

Data Theft/Data Breaches – by industry:

Business / Commerce        37%
Educational                20%
Healthcare / Medical       16%
Government / Military      15%
Banking / Finance          12%

Data Theft/Data Breaches – by cause:

Hacking / External         14%
Lost Laptop / Media        23%
Theft by employee          18%
Accidental                 16%
Subcontractor              11%
Other                      18%


AUSTRALIA – 2008 DATA BREACHES

(Source: SC Magazine, Aug 11, 2009)

• Two in three Australian organizations experienced a serious data breach in the last twelve months, according to a survey by the Ponemon Institute.

The Institute, commissioned by data encryption company PGP, paid 482 IT security professionals in Australia to answer questions around the protection of their data.

Some 69 percent of respondents said they experienced at least one data breach in the last 12 months, up from 56 percent in 2008. One in four of those companies that experienced a data breach suffered five or more breaches in the 12 months, up 22 percent on 2008.

Of those organizations that did admit to losing data, 65 percent chose not to inform the public, a figure the report's authors said was "sure to add to the demand for Australia to adopt data breach notification laws similar to those in the United States."

The Federal Government has spent the last few months reviewing privacy laws, the first draft of which was due to be released to the public within a week. But no timeline has been set for the introduction of mandatory data disclosure laws, as recommended by the Australian Law Reform Commission and the Office of the Privacy Commissioner.

In the interim, the Office of the Privacy Commissioner has produced a voluntary guide to managing data breaches. The survey also revealed some interesting data on what motivates organizations to protect their data. Of those organizations that use data encryption technology to protect against the leak of confidential data, only 15 percent said they did so for regulatory reasons (citing the Federal Privacy Act, National Privacy Principles and PCI DSS requirements) whereas 70 per cent used encryption to protect their brand and reputation.

• Mandatory data loss laws could curb security breaches

More than half of Australasian SMEs claim to have experienced security breaches. Releasing Symantec's 2009 Global Small and Mid-sized Business (SMB) Security and Storage survey in Australia and New Zealand today, executives for the security vendor said security breaches included instances where information has been subject to unauthorized access, often where the data is lost, stolen, or hacked.

Steve Martin, SMB director at Symantec, told iTnews that, by contrast, only 29 per cent of companies in the US and 27 per cent of SMBs in Canada experienced breaches.

"There are a couple of reasons for those differences," he said.

"Some of these companies don't have their own IT staff therefore they don't have the knowledge or skills to keep their security up-to-date.


"Also, companies in the US are governed by mandatory data disclosure law, which is in place in several states across the country."

Martin said the law required an organization to inform their customers of any loss of their personal information. The law gave organizations a myopic view on IT security and forced organizations to invest in the right protection.

However in Australia there are no such mandatory disclosures and therefore data protection isn't at the forefront of an SMB's mind.

"The current privacy laws in this region were written 23 years ago by Justice Michael Kirby when there was no Internet or mobile phone," he said. "The Australian Law Reform Commission is looking at some three hundred changes to local privacy laws, which includes data disclosure. The proposed changes are currently with Senator John Faulkner and there should be results by the end of this year, so organizations can move forward."

The Symantec 2009 Global SMB Security and Storage Survey drew responses from 1,425 small and medium businesses in 17 countries, with 100 responses from Australia (50) and New Zealand (50). The size of respondents' companies ranged from 10 to 500 employees.


CONCLUSION

Data theft is a growing problem primarily perpetrated by office workers with access to technology such as desktop computers and hand-held devices capable of storing digital information, such as flash drives, iPods and even digital cameras. Since employees often spend a considerable amount of time developing contacts and confidential and copyrighted information for the company they work for, they often feel they have some right to the information and are inclined to copy and/or delete part of it when they leave the company, or misuse it while they are still in employment.

While most organizations have implemented firewalls and intrusion-detection systems, very few take into account the threat from the average employee who copies proprietary data for personal gain or use by another company. A common scenario is where a sales person makes a copy of the contact database for use in their next job. Typically this is a clear violation of their terms of employment.

The damage caused by data theft can be considerable with today's ability to transmit very large files via e-mail, web pages, USB devices, DVD storage and other hand-held devices. Removable media devices are getting smaller with increased hard drive capacity, and activities such as podslurping (copying data from a PC onto a portable media player) are becoming more and more common. It is now possible to store 80 GB of data on a device that will fit in an employee's pocket, data that could contribute to the downfall of a business.
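Catching the scenario just described is largely a matter of watching, per user, for bursts of copies to removable media. The script below is an added example for this report, not code from SSI or any product named on this page. It assumes a hypothetical, constructed audit-log format (one event per line: timestamp, user, action, destination volume, path, bytes) and a set of drive letters known to be removable; a real source such as Windows object-access audit events or a DLP agent's log needs its own parser, but the sliding-window logic is the same.

```python
"""Flag users who copy an unusual volume of files to removable media.

Added example for this report (not SSI's or any vendor's code). The log
format is a constructed, hypothetical one, one event per line:
    <ISO timestamp> <user> <action> <destination volume> <path> <bytes>
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: these drive letters are known removable volumes (from a
# device inventory or a USB-insertion event feed in a real deployment).
REMOVABLE_VOLUMES = {"E:", "F:"}

# Constructed sample log. Alice copies two small files to a USB stick,
# which is ordinary. Bob exports a 30-file CRM directory to volume E: in
# about five minutes, the departing-salesperson pattern from the report.
SAMPLE_LOG = (
    "2008-11-03T09:01:12 alice COPY E: /shares/sales/contacts_2008.csv 120000\n"
    "2008-11-03T09:04:40 alice COPY E: /shares/sales/pricelist.xls 50000\n"
    "2008-11-03T09:05:00 alice COPY C: /shares/sales/notes.txt 2000\n"
    + "".join(
        f"2008-11-03T17:{30 + i // 6:02d}:{(i * 10) % 60:02d} bob COPY E: "
        f"/shares/crm/export_{i:03d}.csv 400000\n"
        for i in range(30)
    )
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    volume: str
    path: str
    size: int


@dataclass
class Alert:
    user: str
    window_start: datetime
    window_end: datetime
    files: int
    total_bytes: int


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log format into an Event."""
    ts, user, action, volume, path, size = line.split()
    return Event(datetime.fromisoformat(ts), user, action, volume, path, int(size))


def detect_bulk_copies(
    log_text: str,
    removable: set[str] = REMOVABLE_VOLUMES,
    window: timedelta = timedelta(minutes=10),
    max_files: int = 20,
    max_bytes: int = 10_000_000,
) -> dict[str, Alert]:
    """Return one Alert per user whose copies to removable media exceed
    max_files or max_bytes within any sliding window of length `window`.

    Events are processed in time order; per user, a deque holds only the
    copies that fall inside the current window, so each event costs one
    append, the pops it ages out, and a byte sum over the window.
    """
    events = sorted(
        (parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
        key=lambda e: e.ts,
    )
    recent: dict[str, deque[Event]] = defaultdict(deque)
    alerts: dict[str, Alert] = {}
    for ev in events:
        if ev.action != "COPY" or ev.volume not in removable:
            continue
        q = recent[ev.user]
        q.append(ev)
        while ev.ts - q[0].ts > window:  # drop copies that aged out of the window
            q.popleft()
        n_files = len(q)
        n_bytes = sum(e.size for e in q)
        if n_files >= max_files or n_bytes >= max_bytes:
            # Keep updating so the alert spans the whole burst, not just
            # the moment the threshold was first crossed.
            alerts[ev.user] = Alert(ev.user, q[0].ts, ev.ts, n_files, n_bytes)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_copies(SAMPLE_LOG).values():
        print(f"{a.user}: {a.files} files, {a.total_bytes} bytes to removable "
              f"media between {a.window_start:%H:%M:%S} and {a.window_end:%H:%M:%S}")
```

On the constructed log only Bob trips the rule (30 files, 12 MB to E: in under five minutes); Alice's two files stay under both thresholds. The thresholds and window are the tuning knobs: set them from a baseline of normal removable-media use per role, and treat a hit as a lead for the HR/legal process the report describes rather than as proof of theft.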

Is there an answer to data loss, theft and breaches?

As Mark Pullen of RSA outlined in September 2008, businesses need to have best practices in place to avoid enterprise data loss, such as:

• Understand what data is most sensitive to the business.
• Know exactly where the most sensitive data resides.
• Understand the origin and nature of your risks:
  • Do you have sensitive data in databases? If so, in which database tables, which columns or fields?
  • Do you have sensitive data in file shares? Which folders and files?
  • Do you have high-risk data on laptops? Whose laptops?
  • Is your intellectual property unwittingly exposed through custom-built applications?
  • Are your unannounced company financial reports illicitly finding their way onto laptops, PDAs, and USB drives?
• Select the appropriate controls based on policy, risk, and where sensitive data resides.
  • Manage security centrally.
  • Audit security to constantly improve.
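The "which folders and files" question is the one a scanner can answer. The script below is an added example, not RSA's or SSI's code: it walks a directory tree and counts UK National Insurance numbers, US Social Security numbers and payment card numbers in each file, applying format rules (the NI prefix letters and prefixes HMRC never allocates, the SSN area/group/serial values that are never issued, the Luhn check digit) so that order numbers and other look-alikes a bare regex would report are discarded. The sample share it writes into a temporary directory is constructed for the example; the patterns and the file-size cap are assumptions to tune for a real estate.

```python
"""Find files on a share that hold NI numbers, SSNs or payment card numbers.

Added example for this report, not RSA's or SSI's code. The sample files
are constructed; the three patterns and their validity rules are the
assumptions a real scan would tune.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# D, F, I, Q, U, V never appear in the prefix, O never as the second letter.
NI_RE = re.compile(r"\b([A-CEGHJ-PR-TW-Z])([A-CEGHJ-NPR-TW-Z])\d{6}[A-D]\b")
NI_BAD_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}  # never allocated

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Payment card: 13-19 digits, optionally separated by spaces or dashes;
# the Luhn check below weeds out order numbers and other digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

MAX_FILE_BYTES = 50 * 1024 * 1024  # assumption: skip anything larger


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict[str, int]:
    """Count validated hits per category; categories with no hits are omitted."""
    hits = {"ni_number": 0, "ssn": 0, "card": 0}
    for m in NI_RE.finditer(text):
        if m.group(1) + m.group(2) not in NI_BAD_PREFIXES:
            hits["ni_number"] += 1
    hits["ssn"] = len(SSN_RE.findall(text))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits["card"] += 1
    return {k: v for k, v in hits.items() if v}


def scan_tree(root: str) -> dict[str, dict[str, int]]:
    """Map each file (relative POSIX path) under root to its validated hits."""
    base = Path(root)
    report: dict[str, dict[str, int]] = {}
    for p in base.rglob("*"):
        if not p.is_file() or p.stat().st_size > MAX_FILE_BYTES:
            continue
        # errors="ignore" lets binaries through as noise rather than crashing
        hits = scan_text(p.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            report[p.relative_to(base).as_posix()] = hits
    return report


def build_sample_tree() -> str:
    """Write a constructed share layout into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "sales").mkdir()
    (root / "hr").mkdir()
    # One genuine NI number, one valid card, one valid SSN; the second row
    # is all look-alikes: Q is not a valid NI prefix letter, the card fails
    # Luhn, and area 000 is never issued.
    (root / "sales" / "contacts.csv").write_text(
        "name,ni_number,card,ssn\n"
        "Jane Doe,AB123456C,4111 1111 1111 1111,123-45-6789\n"
        "John Roe,QQ123456C,4111 1111 1111 1112,000-12-3456\n"
    )
    (root / "hr" / "handbook.txt").write_text(
        "Staff must not copy customer data to personal devices.\n"
        "Purchase order 1234 5678 9012 3450 is not a card number.\n"
    )
    return str(root)


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(path, hits)
```

On the constructed share only sales/contacts.csv is reported, with one hit in each category; the look-alike row and the purchase-order number in the handbook are rejected by the validity checks. Pointed at a real share, the output is the "which folders and files" inventory the list above asks for, and the same scan_text function can be run over exported database columns to answer the "which tables, which columns" question.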


REFERENCES

• www.idtheftcenter.org
• www.Myidscore.com
• www.finjan.com
• www.cerias.purdue.edu
• www.datalossdb.org
• www.databreaches.net
• www.ponemon.org
• www.laptoptheft.org
• www.eweek.com
• www.techworld.com.au
• www.mcafee.com
• www.rsa.com
• www.crn.com.au
• www.ironkey.com

CONTACTS

SSI Pacific Australia
Level 27, 101 Collins Street
Melbourne, VIC
Tel: +61 3 9653 9163
Fax: +61 3 9653 9307

SSI Pacific New Zealand
Level 16, Vodafone on the Quay
157 Lambton Quay
Wellington 6140
New Zealand
Tel: +64 4 460 5263
Fax: +64 4 460 5252

SSI Pacific Hong Kong
Levels 25 & 30, Bank of China Tower
1 Garden Road, Central
Hong Kong, China
Tel: +852 2251 8795
Fax: +852 2251 1618