2007 Data Breaches Not As Bad As We Think


The roster of identity thefts for the past year is as disturbing as it is lengthy. According to the Identity Theft Resource Center, there were 446 known data breaches in 2007, resulting in the compromise of more than 127 million records.

By comparison, 312 breaches and 19 million compromised records were reported in 2006, and 158 breaches and 65 million compromised records reported in 2005. While the severity of breaches varies with each incident, the volume of breaches is up 180 percent in two years.

Two questions come to mind: Why does this number keep going up, and what is the actual cost of all these breaches? If we're to believe the Ponemon Institute's research, the cost of remediation rose to $197 per compromised record. If that's true, the cost of data breaches in 2007 tallied a staggering $25 billion.

If the same number is applied to the TJX data breach--the worst thus far with 94 million records exposed--the retailer's cost alone should be $18.5 billion. That number is a complete fallacy, since court filings and publicly declared fines put the actual cost--mostly penalties--at $256 million. Some would say the cost of repairing the reputation of TJX--parent company of clothing retailers TJ Maxx and Marshall's--is much higher. The reality, however, is that TJX's sales are up 7 percent this year and its stock price remains squarely between its 52-week high and low for the year.

Of course, $25 billion wasn't spent on remediating all security breaches; the entire North America security market is valued somewhere between $25 billion and $40 billion for hardware, software and services.

Not every security breach means compromised data. The list of compromises compiled by the Identity Theft Resource Center includes numerous incidents in which data was exposed but not compromised. This accounts for at least some of the missing costs. More surprising are the names of the victims themselves--companies that seemingly should have known better or had the resources to prevent the breaches. They include:

>> Dai Nippon Printing - 8.6 million records of people targeted in a direct-mail campaign were stolen by a former employee.
>> Fidelity National Information Service, Certegy Check - 8.5 million credit cardholder records stolen by a former employee.
>> Department of Veterans Affairs - 3.8 million records compromised in two separate incidents. Half were stolen from an auditor; the balance compromised when a disk was lost.
>> Massachusetts Division of Professional Licensure - 450,000 private records were mistakenly exposed during routine records disclosures.
>> Gap - 800,000 records were exposed by the clothing retailer when a contractor's laptop containing job applicants' data was stolen.
>> SAIC - 867,000 records of military personnel and dependents were compromised when a government contractor failed to encrypt data in transit.
>> Neiman Marcus Group - 160,000 records at the high-end retailer were compromised when equipment was stolen from its offices.

In fact, the list is replete with federal and state government agencies, health care institutions and insurance providers, and universities. Some would say universities remain the most vulnerable targets because the demand for academic openness runs counter to security. Government agencies, meanwhile, have little excuse, especially since state and federal lawmakers are considering legislation to stem the tide of identity theft and data breach losses.

What's interesting about this list is how data is exposed. Home Depot--the world's largest retailer of home improvement products--is on the list for allowing 10,000 employee records to be compromised. Merrill Lynch, one of the world's largest financial institutions, is on the list for exposing 33,000 employee records. And Memorial Blood Centers in Minnesota is on the hook for allowing the compromise of 268,000 donor records. All three cases were the result of a stolen laptop. In fact, stolen laptops and misplaced disks account for the majority of the compromises.

Is this a case for full disk encryption? No, it's an indictment of security policies and practices. Encryption of data at rest or in transit is a means of protection. What's criminal about stolen laptops is that the data was on such mobile devices and media in the first place. This is a failure of the practices of users and of the inability or unwillingness of organizations to prohibit removal of sensitive data.

Believe it or not, some of these breaches are justified. Yes, there is no excuse for mishandling sensitive data or carelessness with company property. However, security is expensive in products, operation and maintenance, and lost opportunity (after all, conventional wisdom holds that security rarely opens new revenue opportunities). If you're an executive given a choice between spending money on security to prevent breaches that may happen versus investing in product development, sales and marketing for revenue that will happen, what would you do? Chances are you'd do what TJX did and delay security improvements in favor of revenue opportunity.

Part of the problem with identity theft is credit cardholders are insuring the banks and processors against compromises. Under federal law, account holders are only responsible for $50 of any fraudulent purchase, meaning they can have their accounts compromised and used for tens of thousands of dollars in fraudulent purchases and their total responsibility is $50. Yes, it takes time to get identity theft off credit reports, which equals money to the accountholder. But we all pay for identity theft in the form of high interest rates; credit card issuers pass along the cost of fraud and defaulted accounts to the masses. Change the law and make individuals more directly responsible for fraud costs and things will start changing quickly.

This time next year we'll be recounting another record year for data breaches and identity thefts, throwing around a bunch of imaginary numbers about the cost and losses, and pointing fingers at the digital boogiemen who perpetrate these crimes. The reality is none of this will change until we start changing the corporate policies around data access and protection, inject more personal responsibility into the equation and start using more common sense across the board.

Lawrence M. Walsh is editor of Baseline magazine and a noted security journalist. Share your thoughts on data protection, security breaches and identity theft at lawrence.walsh@ziffdavisenterprise.com.