Information Security & Data Breach Report 2011 / 2012 Annual Review

Data breaches and large scale cyber attacks continue to make headlines for entities of all types, including corporations, government agencies and hospitals or health systems. Newspaper headlines such as "Epsilon Data Breach to Cost Billions in Worst-Case Scenario" or "Sony Data Breach Cleanup to Cost $171 Million" have become common.[1] Because sensitive and/or personal information is often involved, the post-breach responsibilities of companies and other entities are becoming more strictly regulated. In response, companies are putting together tactical plans to handle potential data breaches or cyber attacks along with other risk management plans. In this new environment, companies must protect themselves both externally and internally from these types of issues.

Navigant is pleased to release its inaugural annual update of its Information Security and Data Breach Report. This report is designed to review data breach activity during 2011 and 2012, spotlight notable breaches, and identify longitudinal trends and other major changes taking place in the information security arena. The goal of this publication is to answer the following principal questions:

1. What is the total number of breaches per year?
2. What types of entities are experiencing breaches?
3. What is the average number of days between discovery and disclosure of a data breach?
4. What types of data are being compromised?
5. What is the average number of records per breach?
6. What are the leading causes of data breaches?
7. What is the average total cost of a data breach?

METHODOLOGY USED FOR IDENTIFYING DATA BREACHES

Navigant has captured all major data breaches disclosed publicly during the last two years (January 1, 2011 to December 31, 2012). As part of the methodology, we evaluated multiple sources to compile a list of breaches that took place in the United States involving a minimum of 1,000 exposed or potentially exposed records.[2] The incidents identified in this report involve breaches in which physical and electronic records were hacked, lost, stolen, or improperly exposed or discarded.

Data Breach Dashboard

- Healthcare entities accounted for the largest percentage of data breaches identified in either year (2011: 39% vs. 2012: 40%). Hospitals were the type of Healthcare entity most likely to experience a data breach (41% in 2011 and 35% in 2012).
- The time between discovery and disclosure for Corporate entities increased 27% year over year (2011: 47 days vs. 2012: 61 days).
- The average number of records per breach was 39% higher in 2012 than in 2011 (2011: 35,546 vs. 2012: 49,429).
- The average total cost of a data breach in 2011 was $6,895,975. The average total cost in 2012 was $9,292,637.

1. WHAT IS THE TOTAL NUMBER OF BREACHES PER YEAR?

Navigant identified 221 major data breaches in 2012 compared to 233 in the previous year, representing a 5% decrease between reporting periods. However, the total number of records breached increased by 32%, from 8,282,279 records breached in 2011 to 10,923,791 in 2012. The top ten breaches in 2012 were split between Government (3), Corporate (3), Education (2), Healthcare (1) and Other (1) entities. Government entities accounted for the three largest breaches, representing over 2.4 million records. In 2011, the top ten breaches were divided between Corporate and Healthcare entities, with Corporate entities accounting for seven breaches totalling 2.7 million records.

One of the largest data breaches identified across both years involved a well-known foreign policy think tank. The Texas-based firm had more than 860,000 email addresses and 75,000 credit card accounts breached by hackers and dumped online to Pastebin and other sites. The information included names, addresses, credit card numbers, MD5 hashed passwords, user names and email addresses.
The breach of the company's servers was allegedly carried out by Anonymous on December 24, 2011. The hackers also defaced the firm's website and destroyed four servers in the process. The following day, hackers released a list of clients and warned they had obtained additional sensitive data during the data breach. The hacked credit card account numbers were not encrypted. The company immediately notified users of the breach and offered one year of identity theft protection services to anyone affected by the incident. Working with the FBI, the company initiated an investigation into the incident and shut down its website for several weeks. The redesigned website was launched early the following year. After the breach, a federal class-action lawsuit was filed alleging the company failed to employ basic security measures to protect user information. The case was recently settled for $1.5 million.

2. WHAT TYPES OF ENTITIES ARE EXPERIENCING BREACHES?

Our report classifies the organizations that experienced a data breach into five main categories: Healthcare, Corporate, Education, Government and Other.[3] These designations provide an overview of the entities that experienced a physical or electronic records breach. Across both years, Healthcare entities had the largest percentage of breaches identified. In 2012, Healthcare entities accounted for 40% of all breaches, followed by Corporate (20%), Education (19%), Government (15%), and Other (6%) (See Figure 1). In 2011, Healthcare entities experienced 39% of the data breaches, followed by Corporate (27%), Education (16%), Government (13%), and Other (5%) (See Figure 2).
FIGURE 1: 2012 Breaches by Type of Entity

  Healthcare   40%
  Corporate    20%
  Education    19%
  Government   15%
  Other         6%

FIGURE 2: 2011 Breaches by Type of Entity

  Healthcare   39%
  Corporate    27%
  Education    16%
  Government   13%
  Other         5%

As part of Navigant's analysis, we further segmented both Healthcare and Corporate entities to get a better sense of the type of organizations affected by data breaches. The types of Healthcare entities which experienced a data breach in 2012 and 2011 are shown below.

  Healthcare entity                   2012   2011
  Hospital                             35%    41%
  Physicians' Offices                  30%    18%
  Health System                        11%    16%
  Clinics                              10%     9%
  Dental Practice                       5%    10%
  Mental Health Treatment Facility      5%     3%
  Other                                 4%     3%

While the percentage of data breaches occurring at Physicians' Offices increased from 18% in 2011 to 30% in 2012, the percentage at Health Systems decreased from 16% to 11%. Dental Practices made up 10% of the entities that had a data breach in 2011 but only 5% in 2012. The average size of a data breach for Healthcare entities was 23,711 records in 2011 but only 14,717 records in 2012, a 38% decline. The Healthcare entities with the largest year over year percentage increase in the average number of records per breach were Health Systems (373%) and Mental Health Treatment Facilities (57%). The Healthcare entities with the largest percentage decrease in the average number of records per breach were Clinics (507%) and Physicians' Offices (75%).

The Corporate industries which experienced a data breach in 2012 and 2011 are shown below.

  Corporate industry                             2012   2011
  Services                                        36%    27%
  Insurance & Finance                             25%    38%
  Retail & Wholesale Trade                        25%    16%
  Manufacturing                                    7%    16%
  Transportation, Utilities & Public Services      7%     3%

Services and Insurance & Finance made up over 60% of the Corporate entities experiencing a breach across both reporting periods. Insurance & Finance entities made up 38% of the incidents in 2011 but only 25% in 2012. The average size of a data breach for Corporate entities was 67,277 records in 2011 but declined to 60,017 records in 2012, an 11% decrease. The Corporate entities with the largest percentage increase, year over year, in the average number of records per breach were Transportation, Utilities & Public Services (191%), Services (14%) and Insurance & Finance (7%). The Corporate entities with the largest percentage decrease in the average number of records per breach were Retail & Wholesale Trade (64%) and Manufacturing (7%). The 2012 data shows that 73% of Corporate entities experiencing a data breach were private firms while 27% were publicly traded. The prior year shows 67% of Corporate entities were private while 33% were publicly traded.
One of the largest healthcare entity breaches to occur in either year involved a medical center on the West Coast that potentially exposed the information of over 500,000 patients. A computer was stolen from the hospital containing patient information including names, dates of birth (DOB), the last four digits of the patient's Social Security Number (SSN) and the medical record number. The computer was password protected but not encrypted. The information came from the hospital's master patient index file that was on the stolen desktop computer. The incident took place on March 11, 2011 but was not discovered for several days. Once the theft was discovered, the hospital launched an internal investigation and contacted the county sheriff's department. After a few weeks, the hospital began to send notification letters and set up a toll-free number to answer questions from those affected. According to news articles, the hospital took additional steps to increase its computer security after the incident.

3. WHAT IS THE AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE OF A DATA BREACH?

Data security regulations and the increasing danger of identity theft have elevated the importance of a timely response and disclosure after the discovery of a data breach. Discovery takes place when either electronic or physical records are confirmed to be lost or stolen, or data is otherwise identified as compromised. Disclosure can be made through notification to those affected by the data breach or to a regulatory agency, or when news of the breach is disclosed through publications, websites or blogs. Forty-six states and several U.S. territories, including Guam, the Virgin Islands and Puerto Rico, have enacted data breach reporting requirements for different types of data. Some states allow for a company to conduct a reasonable investigation regarding the incident, while other states have established specific timelines for notification. States such as Texas and Connecticut have recently passed legislation strengthening data breach notification rules. The Securities and Exchange Commission's (SEC) guidance on Cyber Security has also shown the increasing importance regulators place on the risk associated with information security and data breaches. The increasing regulatory oversight regarding the disclosure of a data breach has prompted Navigant to track this metric using public sources, news and government websites. The average number of days between discovery and disclosure for all breaches was 54 days in 2012 and 50 days in 2011.

We also tracked the average number of days between discovery and disclosure by type of entity (See Figure 3). The time between discovery and disclosure for Corporate entities experiencing a breach increased 27% year over year (2011: 47 days vs. 2012: 61 days). Healthcare entities registered a 9% increase between discovery and disclosure, from 66 days in 2011 to 72 days in 2012. Government entities, on the other hand, had a decrease in the time between discovery and disclosure, from 38 days in 2011 to 32 days in 2012. The number of days between discovery and disclosure for Education entities increased from 28 days in 2011 to 29 days in 2012. Other entities registered no change between discovery and disclosure, with 32 days across both reporting periods.

FIGURE 3: Average Number of Days Between Discovery and Disclosure by Type of Entity

  Type of entity   2011   2012
  Corporate          47     61
  Education          28     29
  Government         38     32
  Healthcare         66     72
  Other              32     32

The significant increase in the time between discovery and disclosure for Corporate entities can be attributed to several breaches that were not reported for over 150 days. One specific example involved a large international financial institution with customers in both the United States and Canada.
In October 2012, the company began notifying 267,000 customers of a data breach which took place in March 2012, when two unencrypted backup tapes shipped to one of its locations went missing. Upon discovering the breach, the company initiated an investigation to locate the missing tapes. According to news reports, the company stated the lag of over 180 days in reporting this event was necessary to complete a thorough investigation of the matter. The tapes contained names, addresses, DOBs, driver's license numbers, SSNs, debit card numbers and bank account numbers. The company's notification to affected customers included one free year of credit monitoring as well as the option to transfer funds to a new bank account number.

Currently both federal and state authorities require that entities holding personal health information must disclose that a data breach has occurred. The Department of Health & Human Services (DHHS) issued data breach regulations in August 2009. At the same time, similar breach notification regulations were issued by the Federal Trade Commission (FTC). As part of directives under the Health Information Technology for Economic and Clinical Health (HITECH) Act, finalized in January 2013, both the HHS and the FTC require HIPAA-covered entities to provide notification following a breach of protected health information no later than 60 days after the incident.[4] From public sources, our analysis shows the average number of days between discovery and disclosure for medical records was 73 days in 2011 compared to 75 days in 2012, representing a 3% increase from the previous year.

4. WHAT TYPES OF DATA ARE BEING COMPROMISED?

The types of data being compromised include personally identifiable information (PII), such as DOBs, names or SSNs; protected health information (PHI), such as information related to medical conditions, the provision of healthcare, or the payment for the provision of healthcare; and financial information, such as bank accounts or credit card numbers. We identified several categories of data commonly at risk in data breaches including: Name, Contact Information, SSNs, DOBs, Medical, Credit Card, Email, Financial and Miscellaneous (See Figure 4). Many of the incidents identified in this report have multiple types of data associated with each breach. The number of breaches involving some of the most sensitive data increased year over year: SSNs (2011: 48% vs. 2012: 52%), DOBs (2011: 33% vs. 2012: 37%) and medical information (2011: 35% vs. 2012: 42%).

FIGURE 4: Breaches by Type of Information (categories: Names, Contact Info, SSNs, DOBs, Medical Info, Credit Cards, Financial Info, Emails, Misc. Info; the 2011 and 2012 percentages for SSNs, DOBs and Medical Info are those given in the text above)

One of the largest breaches identified involving the release of personally identifiable information (PII) and other patient data took place at a state technology services department. The agency, where most of the state's data is stored, disclosed that the personal data of around 800,000 residents was stolen by hackers. The data breach occurred in early 2012 when a newly installed test server was improperly configured, allowing hackers to enter the system. According to state authorities, the data was being accessed from a server in Eastern Europe when the intrusion was detected. The server was immediately shut down. The personal data of roughly 280,000 individuals was hacked, including medical claims information and SSNs. This data was kept by the state in order to determine Medicaid eligibility. The hacked data of another 500,000 individuals included names, addresses, DOBs, medical diagnostic codes, billing codes and national provider identification numbers. The state offered one year of free credit monitoring to those whose SSNs were stolen. Following the incident, the state implemented new data security procedures, including additional network monitoring and intrusion detection capabilities. Additionally, the state CTO resigned, and an independent audit of IT security systems was ordered.
5. WHAT IS THE AVERAGE NUMBER OF RECORDS PER BREACH?

Navigant has calculated the average number of records per breach by type of entity (See Figure 5). This analysis revealed that the average number of records per breach was 39% higher in 2012 than in 2011 (2011: 35,546 vs. 2012: 49,429). Other entities saw the largest change, from 18,475 records in 2011 to 72,948 records in 2012, a 295% increase year over year. The average number of records per breach increased 272% from 2011 to 2012 for Government entities (2011: 29,326 vs. 2012: 109,212). Healthcare entities experienced a 38% decrease in the average number of records per breach, from 23,711 records in 2011 to 14,717 records in 2012. The average number of records per breach for Education entities was 21,422 in 2011 versus 57,640 in 2012, an increase of 169%. Corporate entities averaged 67,277 records in 2011 and 60,017 records in 2012, an 11% decrease between reporting periods.

FIGURE 5: Average Records Per Breach by Type of Entity

  Type of entity     2011      2012
  Corporate        67,277    60,017
  Education        21,422    57,640
  Government       29,326   109,212
  Healthcare       23,711    14,717
  Other            18,475    72,948

As part of Navigant's analysis, we found that the large increase in the average size of data breaches involving Education and Government entities in 2012 was largely influenced by several incidents. The top five incidents affecting Education entities involved 1.8 million records and were primarily concentrated in Q2 and Q. The methods of breach were Hacking or Public Access/Distribution. The top five incidents affecting Government entities involved 2.8 million records and were largely concentrated in Q. The methods of breach, for the most part, were either Hacking or Loss.

6. WHAT ARE THE LEADING CAUSES OF DATA BREACHES?

The different causes of a data breach are summarized into seven major categories. These categories are Virus, Hacking, Loss, Theft, Public Access/Distribution, Unauthorized Access/Use, and Improper Disposal.[5] The most common methods used to breach data in 2012 are shown in Figure 6.

FIGURE 6: 2012 Breaches by Type of Method

  Theft                         32%
  Hacking                       21%
  Public Access/Distribution    19%
  Unauthorized Access/Use       10%
  Loss                           9%
  Virus                          4%
  Improper Disposal              4%
  Unknown                        1%

The 2011 breaches had a similar break-out (See Figure 7). Theft was again the most common type of breach (34%), followed by Public Access/Distribution (21%), Hacking (19%), Loss (12%), Unauthorized Access/Use (6%), Virus (3%), Improper Disposal (2%) and Unknown (3%).

FIGURE 7: 2011 Breaches by Type of Method

  Theft                         34%
  Public Access/Distribution    21%
  Hacking                       19%
  Loss                          12%
  Unauthorized Access/Use        6%
  Virus                          3%
  Unknown                        3%
  Improper Disposal              2%
Looking at the data by method of breach and type of entity, we identified some interesting statistics:

- 50% of Hacking incidents that took place in 2011 involved Corporate entities.
- Across both reporting periods, 67% of breaches involving Theft or Loss took place at Healthcare entities.
- 54% in 2011 and 63% in 2012 of Public Access/Distribution breaches involved Education or Government entities.
- 40% of Unauthorized Access/Use incidents across both reporting periods involved Healthcare entities.

A college in the Southeastern United States discovered that a data breach occurred between May 21, 2012 and September 24, 2012, which compromised the records of 276,000 people. Affected individuals included 76,000 current or former students, 3,200 current or retired employees, and over 200,000 students eligible for the Bright Futures scholarship between 2005 and. The coordinated hack breached the school's servers over several months. This led to the identity theft of over 50 people, including the college president. The hackers took out loans through payday services in Canada and repaid them from the bank accounts of those affected. The hackers also applied for and used Home Depot credit cards. The compromised information for current and former students included names, addresses, SSNs and DOBs. The compromised data for employees included DOBs and SSNs as well as direct deposit routing and account numbers. An internal review by the college in October 2012 identified the breach. The college initiated an investigation with outside consultants and the local law enforcement cybercrimes division. Following the breach, the college set up a website to help affected individuals file a complaint or understand resources available from the Federal Trade Commission.

Navigant also tracked the format of breached records. We divided the types of records into three categories: physical, electronic and a combination of both.
Electronic records may be accessed via CD-ROM, laptop, thumb drive, other media devices, email, website or server. In 2012, 82% of the records compromised were electronic, 14% were physical records, 1% were classified as a combination of both types, and 3% were unknown. In 2011, 77% of the records compromised were electronic, 19% were physical records, and 4% were unknown.

7. WHAT IS THE AVERAGE TOTAL COST OF A DATA BREACH?

One of the most critical questions being asked relates to the total cost of a data breach for the entities involved. One of the foremost studies on this issue is published by the Ponemon Institute.[6] The most recent information released provides some statistics on the total costs of a data breach. These costs can include detection, discovery, notification, legal costs, ex-post costs, loss of customers, and/or brand damage, but will vary with each specific breach. For purposes of this annual report, Navigant calculated the average total cost of a data breach by type of entity and type of breach.

One of the largest hacking incidents involved a restaurant wholesaler with outlets across the country. The company had malware inserted into its credit and debit card processing system, resulting in over 300,000 customers having their credit card information exposed. Using the Ponemon Institute study estimates, the total cost of this data breach might be as high as $58.2 million. The hackers' use of malware allowed them to temporarily collect credit card information as it was processed and then send it to a computer server in Russia. The stolen credit card data included the names on the credit cards, credit or debit card numbers, expiration dates and the three-digit verification code. Once the breach was identified, the wholesaler enhanced the company's security measures. The company is also reimbursing card holders for any reasonable costs incurred due to this breach as well as providing 12 months of credit monitoring.
The average total cost of a data breach in 2011 was $6,895,975. The average total cost in 2012 was $9,292,637, a 37% increase. Some notable results from the analysis of average total cost of a data breach by entity were (See Figure 8):

- In 2012, Corporate ($11,283,217), Education ($10,836,284), Government ($20,531,839) and Other ($13,714,238) entities were above the average total cost of $9,292,637. The average total cost of a Healthcare entity breach was 70% below the average.
- In 2011, Corporate ($13,051,658) entities were above the average total cost of $6,895,975, while Education, Government, Healthcare and Other entities were below the average total cost.
- Other entities had the largest increase from 2011 to 2012. The average total cost of a data breach increased from $3,584,102 to $13,714,238, a 283% increase.
- Corporate and Healthcare entities showed decreases in the average total cost of a data breach from year to year. Healthcare entities declined by 40% over reporting periods (2011: $4,599,898 vs. 2012: $2,766,870).
- Education and Government entities' average total cost of a data breach increased 161% and 261% respectively from 2011 to 2012.

Navigant also calculated the average total cost of a data breach by method of breach (See Figure 9). Loss (2011: $6,115,102 vs. 2012: $21,421,472) showed the most significant increase from year to year, a 250% increase. Virus saw the largest decrease over reporting periods, a 59% reduction (2011: $13,624,925 vs. 2012: $5,645,993). The other top categories included Hacking and Unauthorized Access/Use, which both showed increases from year to year. The methods of breach that cost the most across both years were Hacking, Loss and Virus. In 2012, Hacking ($21,526,895) was the most expensive type of breach, followed by Loss ($21,421,472) and Public Access/Distribution ($5,845,309). In 2011, Hacking ($14,785,401) was the most expensive type of breach, followed by Virus ($13,624,925) and Loss ($6,115,102).
FIGURE 8: Average Total Cost by Type of Entity

  Type of entity          2011           2012
  Corporate        $13,051,658    $11,283,217
  Education         $4,155,822    $10,836,284
  Government        $5,689,190    $20,531,839
  Healthcare        $4,599,898     $2,766,870
  Other             $3,584,102    $13,714,238

FIGURE 9: Average Total Cost by Type of Breach (categories: Hacking, Improper Disposal, Loss, Public Access/Distribution, Theft, Unauthorized Access/Use, Unknown, Virus; the values for Hacking, Loss, Virus and Public Access/Distribution are those given in the text above)
Spotlight on Notable Breaches

Company/Organization: Trion Worlds
Industry: Internet
Record Type: Electronic
Breach Method: Hacking
Size of Breach: 3.3 Million Accounts
Type of Data Breached: Names, Addresses, DOBs

Trion Worlds, a massive online role playing game platform, suffered a hack that breached over 3 million player accounts. The company, headquartered in California, publishes several game platforms including Rift, Defiance and Warface. In December 2011, hackers gained access to the games' account database. Breached customer information included user names, encrypted passwords, DOBs, email addresses, billing addresses and the first four and last four digits of the customers' credit cards. Once the breach was detected, Trion suggested that all users change their passwords and instructed mobile authenticator users to unplug and reconnect to the online gaming system. To compensate, the company provided all players with three extra days of gaming time. According to news reports, the company did not provide credit monitoring or other remediation efforts following the breach.

Company/Organization: Global Payments
Industry: Banking
Record Type: Electronic
Breach Method: Hacking
Size of Breach: 1.5 Million Credit Cards
Type of Data Breached: Credit Card

Global Payments, an electronic transaction processing company, experienced a data breach in March 2012. According to news reports, the breach was limited to the company's North American payment processing servers. The breach was estimated to have exposed 1.5 million cards and was allegedly confined to Track 2 card data, which includes the account number, expiration date and sometimes discretionary data. The company immediately notified federal law enforcement as well as Visa and Mastercard of the breach. In June 2012, the company acknowledged the breach was larger than initially suggested, and some news reports said it could be as high as 7 million accounts.
Following this, the company hired a qualified security assessor to conduct an independent review of its Payment Card Industry Data Security Standard (PCI-DSS) compliance. The company spent over $90 million in associated costs and expenses related to the incident.

ABOUT NAVIGANT

Navigant (NYSE: NCI) is a specialized independent consulting firm providing dispute, financial, investigative, regulatory and operations advisory services to government agencies, legal counsel and large companies facing the challenges of uncertainty, risk, distress and significant change. The Company focuses on industries undergoing substantial regulatory or structural change and on the issues driving these transformations.

[1] Fahmida Y. Rashid, "Epsilon Data Breach to Cost Billions in Worst-Case Scenario," eWeek, 3 May 2011; Mathew J. Schwartz, "Sony Data Breach Cleanup To Cost $171 Million," InformationWeek, 23 May 2011.
[2] For the purposes of this study the Trion Worlds and Global Payments breaches are considered to be outliers and are reviewed in the Spotlight on Notable Breaches section of this report. Data reported in prior studies may change when information regarding breaches is identified or amended.
[3] Insurance companies are classified as Corporate entities for the purposes of this study, although protected health information may be breached in incidents involving insurance companies.
[5] A Virus is an intrusive malware that infects computers, servers and networks. A virus often carries out unwanted operations on a host computer. A virus could be used for hacking or it could be unintentionally loaded into a system and cause damage. A Hack occurs when a group or individual attempts to gain unauthorized access to computers or computer networks and tamper with operating systems, application programs, and databases. Unauthorized Access/Use is designated when an employee, contractor or volunteer of an organization wrongfully accesses or uses records. Improper Disposal occurs when either physical records or electronic media are not properly disposed of and could be accessed by other parties. A Theft involves physical records or electronic media that have been stolen or taken from an organization without permission by an employee or other party. Loss is designated when either physical records or electronic media have been lost and cannot be located by the organization. Public Access/Distribution occurs when records or data are made available publicly or to inappropriate parties. This includes data made accessible via a server, website or network and sent to inappropriate recipients via paper or electronic methods.
[6] Cost of Data Breach Study: United States, Ponemon Institute LLC, May. The total average cost per compromised record was $194 in 2011 and $188 in 2012. For purposes of this study, we estimated the total cost of each data breach using these figures calculated by the Ponemon Institute.
CONTACT

For questions related to the data presented herein:

Lead Data Breach Forensic Investigators: Steven Visser, Daren Hutchison, Brad Pinne, Bill Hardin, Andrew Obuchowski, Cuyler Robinson
Strategic Initiative Contacts: Scott Paczosa, Jonathan Drage, Darin Bielby
Research Lead: Bill Schoeffler

navigant.com

The authors would like to thank Vanessa Nelson Meihaus for her invaluable assistance. Vanessa is a Research Coordinator specializing in practice specific and general business development research in the firm's Chicago office.

Greg Osinoff, Esq.

Navigant Consulting, Inc. All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See navigant.com/licensing for a complete listing of private investigator licenses.