Information Security & Data Breach Report November 2012 Update

Transcription

1 Information Security & Data Breach Report November 2012 Update

2 2 Information Security and Data Breach Report The impact of data breaches continues to be discussed in boardrooms across America as well as Capitol Hill. In September, Senator John D. Rockefeller IV (D., W.Va.) sent a letter to all Fortune 500 CEOs asking them a series of questions about data protection and cybersecurity. Senator Rockefeller s actions demonstrate increased concern even though the US Securities and Exchange Commission (SEC) issued guidelines in October 2011 for companies to disclose the risk of cyber incidents within their financial statements. With companies brands at stake, executives are taking a more active approach to managing data breach risks and developing response plans to protect the organization in the event a breach occurs. We are pleased to release the November 2012 update of Navigant s Information Security and Data Breach Report. This report is designed to keep the legal community and corporate executives apprised of data breach activity, spotlight notable breaches, and identify trends and other major changes taking place in the information security arena. The goal of this publication is to answer the following principal questions: 1. What is the total number of breaches per quarter? 2. What types of entities are experiencing breaches? 3. What is the average number of days between discovery and disclosure of a data breach? 4. What types of data are being compromised? 5. What is the average number of records per breach? 6. What are the leading causes of data breaches? 7. What is the average total cost of a data breach? Methodology Used For Identifying Data Breaches We have captured all major data breaches disclosed publicly during the second and third quarters of 2012 (April 1, 2012 September 30, 2012). We evaluated multiple sources to compile a list of breaches that took place in the United States involving a minimum of 1,000 exposed or potentially exposed records. 1 The incidents identified in this report involve breaches in which physical and electronic records were hacked, lost, stolen, or improperly exposed or discarded. 1. What is the total number of breaches per quarter? Navigant identified 49 major data breaches in Q3 compared to 60 in the previous quarter, representing an 18% decrease between reporting periods. The total number of individual records breached in Q3 was 2,258,839 records, whereas 4,406,641 records were breached in Q2, a 49% decrease quarter to quarter. The top ten breaches in Q3 were split between Corporate, Government and Healthcare. Corporate entities had the top three largest breaches representing over 1.2 million records. DATA BREACH DASHBOARD Healthcare entities again accounted for the largest percentage of the data breaches identified in either quarter (Q3: 49% vs. Q2: 40%). 2 The number of days between discovery and disclosure for Education entities increased from 31 days in Q2 to 36 days in Q3. Services companies were the most commonly breached Corporate entities in both quarters (Q2: 45% vs. Q3: 40%). The average number of records per breach decreased 37% from quarter to quarter (Q2: 73,444 vs. Q3: 46,099). There was a 49% decrease in the total number of records breached from quarter to quarter (Q2: 4.41 million records vs. Q3: 2.26 million records). One of the largest data breaches identified in Q3 involved a well-known internet search engine. The California based firm had more than 453,000 accounts breached by hackers. The hackers stole login credentials and passwords using an SQL injection attack. The plain text login credentials and cracked passwords were posted on several hacking sites. The specific content was part of a self-publishing service that had registered users. A group of hackers calling themselves D33Ds Company penetrated the company network through a development server and extracted the account information from this source. The hackers injected database commands into user input fields to trick the servers into releasing the login credentials and passwords. It is unclear if any other personal information was hacked as part of this breach. In response, the company stated it has fixed the vulnerability and has reached out to notify affected users their access might have been compromised. Following the breach, a federal lawsuit was filed alleging the company failed to employ basic security measures to protect user information. 2. What types of entities are experiencing breaches? For purposes of this report, the types of organizations that experienced a data breach are divided into five main categories: Healthcare, Corporate, Education, Government and Other. 3 These designations provide an overview of the entities that experienced a physical or electronic records breach. Across both quarters, Healthcare entities had the largest percentage of breaches identified. In Q3, Healthcare entities accounted for 49% of all breaches identified, followed by Corporate (21%), Education (14%), Government (10%), and Other (6%) (See Figure 1). In Q2, Healthcare entities experienced 40% of the data breaches identified, followed by Education (22%), Government (20%), Corporate (15%) and Other (3%) (See Figure 2).

3 3 Q2 & Q FIGURE 1: Q Breaches by Type of Entity Healthcare 49% Corporate 21% An interesting item to note is that Manufacturing and Services had the largest average records per breach in Q3, whereas Retail & Wholesale Trade and Services had the largest average records per breach in Q2. Across both quarters, 79% of the Corporate entities were private firms while 21% were publically traded. Other 6% As part of Navigant s analysis, we further parsed the Corporate entities to get a better sense of the type of corporations experiencing a data breach. The types of Corporate entities most frequently experiencing a data breach in Q3 and Q2 are shown below. Q Q Services (40%) Services (45%) Retail & Wholesale Trade (40%) Insurance & Finance (33%) Government 10% Manufacturing (10%) Retail & Wholesale Trade (11%) Education 14% FIGURE 2: Q Breaches by Type of Entity Healthcare 40% Other 3% Government 20% Corporate 15% Education 22% Insurance & Finance (10%) Transportation, Utilities & Public Services (11%) A notable corporate data breach occurred at a social networking site in early July The question and answer site had its security breached, resulting in 420,000 passwords being accessed. The passwords were posted to a security forum, but user names or identifying information were not revealed. Once alerted to the breach, the company found a live development server was hacked and used to take information from a production database. Following the breach, the company upgraded its password security and asked its 28 million registered users to reset their passwords due to the data breach. 3. What is the average number of days between discovery and disclosure of a data breach? Data security regulations and the increasing danger of identity theft have elevated the importance of a timely response and disclosure after the discovery of a data breach. Discovery takes place when either electronic or physical records are confirmed to be lost or stolen, or data is otherwise identified as compromised. Disclosure can be made through notification to those affected by the data breach and to a regulatory agency, and in certain situations, news of the breach can be disclosed by the media through publications, websites or blogs. Forty-six states and several U.S. territories including Guam, the Virgin Islands and Puerto Rico have enacted data breach reporting requirements for different types of data. Generally, a company is required to conduct a reasonable investigation regarding the incident. Many states have established specific timelines for notification. States such as Texas and Connecticut have recently passed legislation strengthening data breach notification rules. In Texas, businesses must provide notice to both residents and non-residents when a data breach occurs except where the non-resident lives in a state that does not require data breach notification. Those states include Alabama, Kentucky, New Mexico and South Dakota. In the case of Connecticut, the state added a requirement that the Attorney General must also be notified at the same time as residents when a data breach has occurred. The increasing regulatory oversight regarding the disclosure of a data breach has prompted Navigant to track this metric using public sources, news and government websites. The average number of days between discovery and disclosure for all breaches was 57 days in Q3 compared to 60 days in Q2. We also track the average number of days between discovery and disclosure by type of entity (See Figure 3). The time between discovery and disclosure for Corporate entities experiencing a breach decreased 27% from quarter to quarter (Q2: 56 days vs. Q3: 41 days).

4 4 Information Security and Data Breach Report FIGURE 3: Average Number of Days Between Discovery and Disclosure by Type of Entity Q Q Corporate Education Government Other Healthcare Healthcare entities registered a 15% decrease between discovery and disclosure, from 84 days in Q2 to 71 days in Q3. Government entities, on the other hand, had an increase in the time between discovery and disclosure from 45 days in Q2 to 53 days in Q3. The number of days between discovery and disclosure for Education entities increased from 31 days in Q2 to 36 days in Q3. The significant increase in the time between discovery and disclosure for Government entities can be attributed to one specific breach that took place in Indiana. A support services company which specializes in arranging services for health care providers in the areas of child welfare, juvenile justice and special education systems experienced a data breach around May 10, After the company discovered that its website and computer network were hacked, they secured the network and conducted an investigation using a forensic IT expert. The expert identified that a database containing the health records of 1,945 individuals had been copied and downloaded. These records contained information including Social Security numbers (SSNs), demographic information and health information for clients, family members and providers. The company began to notify those affected in early August Based on a review of public documents, there is no indication that credit monitoring was offered to those affected by this incident. Currently, both federal and state authorities require that entities holding protected health information must disclose that a data breach has occurred. The Department of Health & Human Services (DHHS) issued data breach regulations in August At the same time, similar breach notification regulations were issued by the Federal Trade Commission (FTC). As part of directives under the Health Information Technology for Economic and Clinical Health (HITECH) Act, both DHHS and FTC require HIPAA-covered entities to provide notification following a breach of unsecured protected health information no later than 60 days after the incident. 4 From public sources, our analysis shows the average number of days between discovery and disclosure for medical records was 88 days in Q2 compared to 78 days in Q3, representing an 11% decrease from the previous quarter. 4. What types of data are being compromised? The types of data being compromised range from personally identifiable information (PII), such as dates of birth (DOBs), names or SSNs, to financial information, such as bank accounts or credit card numbers. We identified several categories of data commonly at risk in data breaches (See Figure 4) including: Name, Contact Information, SSN, DOB, Medical, Credit Card, , Financial and Miscellaneous. Many of the incidents identified in this report have multiple types of data that were breached. The number of breaches involving some of the most sensitive data, including SSNs, DOBs or medical information varied across both quarters. Breaches involving SSNs FIGURE 4: BREACHES BY TYPE OF INFORMATION Name Credit Card Contact Financial SSN DOB Misc. Medical q q3 2012

5 5 Q2 & Q A breach that involved PII and other patient data involved one of the largest home health services providers in the country. The breach occurred in June 2012 when an employee s laptop was stolen from a locked vehicle in Phoenix, Arizona. The laptop contained billing information for patients across several western states, including California, Arizona and Nevada. The company stated 11,000 patients were affected. The file contained information including SSNs, names, DOBs and other personal health information. In response to this breach, the company notified both federal and state agencies and undertook an internal investigation. The company also provided credit monitoring services for one year to those affected. After the incident, the company strengthened its patient security program by encrypting employee laptops and implementing other internal controls. FIGURE 6: Q Breaches by Type of Method Theft 43% Hacking 27% Loss 10% (Q2: 57% vs. Q3: 55%) and DOBs (Q2: 45% vs. Q3: 35%) decreased from quarter to quarter. 5. What is the average number of records per breach? We have calculated the average number of records per breach by type of entity (See Figure 5). This analysis revealed that the average number of records per breach was 37% lower in Q than in Q (Q2: 73,444 vs. Q3: 46,099). Corporate entities saw the largest change from 45,776 records in Q2 to 133,689 records in Q3, a 192% increase from quarter to quarter. The average number of records per breach decreased 59% from Q2 to Q3 for Government entities (Q2: 190,176 vs. Q3: 78,419). Healthcare entities experienced a decrease in the average number of records per breach from 20,265 records in Q2 to 13,822 records in Q3. The average number of records per breach for Education entities was 91,092 in Q2 versus 13,286 in Q3, a decrease of 85%. Other entities averaged 21,000 records in Q2 and 35,043 records in Q3, a 67% increase quarter to quarter. FIGURE 5: AVERAGE RECORDS PER BREACH BY TYPE OF ENTITY Virus 2% Unknown 2% 6. What are the leading causes of data breaches? The different causes of a data breach are summarized into seven major categories. These categories are Virus, Hacking, Loss, Theft, Public Access/ Distribution, Unauthorized Access/Use, and Improper Disposal. 5 In Q3 (See Figure 6), the most common methods used to breach data were: Theft (43%) Hacking (27%) Public Access/Distribution (12%) Loss (10%) Unauthorized Access/Use (4%) Virus (2%) Unknown (2%) Public Access/ Distribution 12% Unauthorized Access/Use 4% Q2 (See Figure 7) had a similar break-out. Theft was again the most common type of breach (32%) followed by Public Access/Distribution (20%), Hacking (18%), Unauthorized Access/Use (15%), Loss (9%), Improper Disposal (3%) and Virus (3%). 190,176 Q Q Looking at the data by method of breach and type of entity, we identified some interesting statistics. 45, ,689 91,092 13,286 78,419 35,043 21,000 20,265 13,822 Corporate Education Government Other Healthcare 35% of all breaches in Q2 involved Public Access/Distribution and Unauthorized Access/Use while only 16% involved these two methods in Q3. When looking at the data across both quarters, 66% of data breaches involving Public Access/Distribution took place at Education or Government entities. 73% of data breaches involving Theft across both quarters took place at Healthcare entities. The data of Healthcare entities was most often breached by Hacking or Loss.

6 6 Information Security and Data Breach Report FIGURE 7: Q Breaches by Type of Method Virus 3% Theft 32% Public Access/ Distribution 20% One of the largest radiation oncology physician practices experienced a data breach when an employee s bag was stolen. The employee s bag contained back-up media from the company s servers that contained information on 55,000 patients, including names, addresses, DOBs, SSNs, medical record numbers, insurance and clinical information. The theft was reported to authorities and the company took steps to investigate and recover the information. The company also informed patients and employees of the breach. In response to this incident, the physician practice began to encrypt mobile storage devices, upgraded its data storage equipment and revised policies and procedures regarding data production. Based on a review of news articles, there is no indication that credit monitoring was offered to those affected by this incident. Navigant also tracked the format of breached records. We divided the types of records into three categories: physical, electronic and a combination of both. Electronic records may be accessed via CD-ROM, laptop, thumb drive, other media devices, , website or server. In Q3, 84% of the records compromised were electronic, while 12% were physical records, 2% were classified as a combination of both types and 2% were unknown. In Q2, 88% of the records compromised were electronic while 9% were physical records. 3% of the records breached in Q2 were classified as unknown. 7. What is the average total cost of a data breach? Hacking 18% Improper Disposal 3% Loss 9% Unauthorized Access/Use 15% One of the most critical questions being asked relates to the total cost of a data breach for the entities involved. One of the foremost studies on this issue is published by the Ponemon Institute. 6 The most recent information released provides some statistics on the total costs of a data breach. These costs could include detection, discovery, notification, potential legal costs, expost costs, loss of customers, and/or brand damage but will vary with each A city in the Northeastern United States discovered a data breach in late May 2012 following the theft of a city employee s unencrypted laptop from a local library. The laptop was used to input data pertaining to a Rent Rebate Program instituted by the city to help elderly and low income families. The laptop contained personal information on 21,000 participants in the program, including names, addresses, SSNs and DOBs. Using the Ponemon Institute study estimates, the total cost of this data breach might be as high as $4.1 million. The city reported the theft to local police and launched an investigation. Following the investigation, the city notified those affected by the breach and offered call center support and credit monitoring services for two years. The city is also reviewing its data security policies and procedures in response to the incident. specific breach. For purposes of this quarterly report, Navigant calculated the average total cost of a data breach by type of entity and type of breach. The average total cost of a data breach in Q2 was $14,248,139. The average total cost in Q3 was $8,943,158, a 37% decrease. Some notable results from the analysis of total cost of a data breach by entity were (see Figure 8): In Q3, Corporate ($25,935,666) and Government ($15,213,286) entities were above the average total cost of $8,943,158. Education, Healthcare, and Other entities were below the average total cost of a data breach by 71%, 70%, and 24% respectively. In Q2, Corporate ($8,880,544), Healthcare ($3,931,329) and Other ($4,074,000) entities were below the average total cost of $14,248,139. Education entities were just above the average total cost, while Government entities were more than double the overall average. The average total cost of a data breach varied widely by type of entity between quarters. Corporate entities had the largest increase from Q2 to Q3. The average total cost of a data breach increased from $8,880,544 to $25,935,666 million, a 192% increase. Education, Healthcare and Government entities showed decreases in the average total cost of a data breach from quarter to quarter. Education entities decreased from $17,671,773 to $2,577,429. Healthcare entities decreased from $3,931,329 to $2,681,425. Government entities also showed a decrease in the average total cost of a data breach by 59% from quarter to quarter (Q2: $36,894,209 vs. Q3: $15,213,286). Other entities average total cost of a data breach increased 67% from quarter to quarter (Q2: $4,074,000 vs. Q3: $6,798,277). Navigant also calculated the average total cost of a data breach by method of breach (See Figure 9). Unauthorized Access/Use (Q2: $3,948,848 vs. Q3: $8,327,062) showed the most significant increase from quarter to quarter. Loss saw the largest decrease from quarter to quarter, a 99% reduction (Q2: $40,607,886 vs. Q3: $532,646). The other top categories included Virus and Theft, which both showed decreases from quarter to quarter. The methods of breach that cost the most when combining quarters were Hacking, Loss and Public Access/Distribution. In Q3, Hacking ($23,658,135) was the most ex-

7 7 Q2 & Q FIGURE 8: AVERAGE TOTAL COST BY TYPE OF ENTITY FIGURE 9: Average Total Cost by Type of Breach $40,607,886 Q Q $32,769,281 $23,568,135 $582,000 $532,646 $3,948,848 $8,327,062 $11,138,833 $8,005,572 $220,578 $9,157,964 $1,513,200 $5,405,330 $2,987,831 Hacking Improper Disposal Loss Unauthorized Public Access/ Access/Use Distribution Unknown Virus Theft pensive type of breach, followed by Unauthorized Access/Use ($8,327,062) and Public Access/Distribution ($8,005,572). In Q2, Loss ($40,607,886) was the most expensive type of breach, followed by Hacking ($32,769,281) and Public Access/Distribution ($11,138,833).

8 8 Information Security and Data Breach Report SPOTLIGHT ON NOTABLE INFORMATION SECURITY INCIDENTS Company/Organization: BlueToad Industry: Internet Record Type: Electronic Breach Method: Hacking Type of Media: N.A. Size of Breach: 12 Million Records Type of Data Breached: Names, Addresses BlueToad, an application developer for Apple, suffered a hack that potentially breached millions of records. The company works with publishers such as Variety and the Christian Science Monitor to translate content onto phones or digital devices. In early September 2012, the company was hacked by Antisec, who claimed they had obtained 12 million UDID or unique device identifiers. These device identifiers, a 40 character string, are unique to the phones or tablets manufactured by Apple. Like many app developers, BlueToad stores the UDIDs so it can track app usage and develop statistics. The hackers released one million identifiers and claimed that some records had additional identifying information such as names, cell phone numbers and addresses. Once the breach was discovered, the company immediately alerted the Federal Bureau of Investigation (FBI) and Apple. The company has since fixed the vulnerability and engaged an independent security assurance firm to assist with its investigation and remediation of its security. 1 For purposes of this study eharmony, LinkedIn, the Texas Attorney General SSN Breach and BlueToad were considered outliers in the last two quarters and thus not reported as part of the quarterly data. The BlueToad breach is reviewed as part of this study under the Information Security Incidents section of this report. 2 Quarterly data reported in prior studies may change when information regarding breaches is identified or amended. 3 Insurance companies are classified as Corporate entities for the purposes of this study, although protected health information may be breached in incidents involving insurance companies A Virus is an intrusive malware that infects computers, servers and networks. A virus often carries out unwanted operations on a host computer. A virus could be used for hacking or it could be unintentionally loaded into a system and cause damage. A Hack occurs when a group or individual attempts to gain unauthorized access to computers or computer networks and tamper with operating systems, application programs, and databases. Unauthorized Access/Use is designated when an employee, contractor or volunteer of an organization wrongfully accesses or uses records. Improper Disposal occurs when either physical records or electronic media are not properly disposed and could be accessed by other parties. A Theft involves physical records or electronic media that have been stolen or taken from an organization without permission by an employee or other party. Loss is designated when either physical records or electronic media have been lost and cannot be located by the organization. Public Access/Distribution occurs when records or data are made available publicly or to inappropriate parties. This includes data made accessible via a server, website or network and sent to inappropriate recipients via paper or electronic methods Cost of Data Breach Study United States, Ponemon Institute LLC, March The total average cost per compromised record was $194. For purposes of this study, we estimated the total cost of each data breach using this figure calculated by the Ponemon Institute.

9 9 Q2 & Q ABOUT NAVIGANT Navigant (NYSE: NCI) is a specialized independent consulting firm providing dispute, financial, investigative, regulatory and operations advisory services to government agencies, legal counsel and large companies facing the challenges of uncertainty, risk, distress and significant change. The Company focuses on industries undergoing substantial regulatory or structural change and on the issues driving these transformations. CONTACT» For questions related to the data presented herein: Lead Data Breach Forensic Investigators Steven Visser svisser@navigant.com Daren Hutchison dhutchison@navigant.com Brad Pinne bpinne@navigant.com Strategic Initiative Contacts Scott Paczosa scott.paczosa@navigant.com Jonathan Drage jonathan.drage@navigant.com Darin Bielby dbielby@navigant.com Research Lead Bill Schoeffler bschoeffler@navigant.com The authors would like to thank Vanessa Nelson Meihaus for her invaluable assistance. Vanessa is a Research Coordinator specializing in practice specific and general business development research in the firm s Chicago office. Bill Hardin bill.hardin@navigant.com Andrew Obuchowski andy.obuchowski@navigant.com 2012 Navigant Consulting, Inc. All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See for a complete listing of private investigator licenses.