Hackers Cede Influence To Corporate Insiders and Laptop Thieves


Another take on the data breach problem.

Dan Geer has analyzed data pulled together by attrition.org, a non-profit Web site run by a group of self-described curmudgeons who track data losses, "expose industry frauds and inform the public about incorrect information in computer security articles," among other things.

Geer is the man who was fired in 2003 by @stake, a security company he founded, after he published a paper arguing that Microsoft's dominance of the software industry created a software monoculture that threatened national security. Microsoft disagreed. Geer is now the chief scientist at Verdasys, which tracks data flows for corporate clients.

From 2002 through 2006, the rate of data breaches increased, Geer found, but the type of breach changed.

Hacks and frauds by outsiders grew less common, while thefts and leaks by insiders increased. Digital breaches became less common than physical breaches like lost hardware.

Missing or stolen laptops are a much bigger problem than most people think, said Troy Allen at Kroll Fraud Solutions, who spoke to me last year. Only in the last couple of years did companies even start considering them to be security breaches. "The vast majority of breaches" are never reported, he said, and of those that are, "the vast majority never hit the popular press."