Information Security & Data Breach Report March 2013 Update


Data breaches and large scale cyber attacks continue to make headlines for entities of all types, including corporations, government agencies and healthcare entities. Newspaper headlines such as "Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches" and "3.6 Million Social Security Numbers Hacked in S.C." have become the new normal. [1] Because sensitive and/or personal information is often involved, the post-breach responsibilities of companies and other entities are becoming more strictly regulated. In response, companies are putting together tactical plans to handle potential data breaches or cyber attacks along with other risk management plans. In this new environment, companies must protect themselves both externally and internally from these types of issues.

Navigant is pleased to release the March 2013 update of its Information Security and Data Breach Report. This report is designed to keep the legal community apprised of data breach activity, spotlight notable breaches, and identify trends with the goal of answering the following principal questions:

1. What is the total number of breaches per quarter?
2. What types of entities are experiencing breaches?
3. What is the average number of days between discovery and disclosure of a data breach?
4. What types of data are being compromised?
5. What is the average number of records per breach?
6. What are the leading causes of data breaches?
7. What is the average total cost of a data breach?

METHODOLOGY USED FOR IDENTIFYING DATA BREACHES

Navigant has captured all major data breaches disclosed publicly during the fourth quarter of 2012 (October 1, 2012 - December 31, 2012). As part of this report we are now including the prior four quarters (FQA, "Four Quarter Average") of data for comparison purposes against the most recent quarter highlighted. [2] As part of the methodology, Navigant evaluated multiple sources to compile a list of breaches that took place in the United States involving a minimum of 1,000 exposed or potentially exposed records. [3] The incidents identified in this report involve breaches in which physical and electronic records were hacked, lost, stolen, or improperly exposed or discarded.

Data Breach Dashboard

- The number of days between discovery and disclosure of Corporate breaches increased by 33 days from the prior FQA of 54 days.
- Insurance & Finance was one of the most commonly breached industry groups across reporting periods (Q4: 56% vs. FQA: 30%).
- The average number of records exposed was 14% below the four quarter average (Q4: 33,590 vs. FQA: 47,519).
- There was a 45% decrease in the number of records breached between reporting periods (Q4: 1.55 million records vs. FQA: 2.83 million records).

1. WHAT IS THE TOTAL NUMBER OF BREACHES PER QUARTER?

We identified 46 major data breaches in Q4 compared to an average of 59 in the previous four quarters, which exposed 1.5 million records. This is 1.2 million records lower than the prior FQA of 2.8 million. The top ten breaches in Q4 were split between Corporate, Education and Healthcare entities. Of the 1.5 million records exposed in Q4, five breaches represented over 1 million records, or 67% of the total. Looking at the prior four quarters, three out of the top five breaches involved Government entities. The top ten breaches for the same timeframe were split between Education, Corporate and Government entities.

One of the largest healthcare data breaches identified in Q4 involved a small Midwestern hospital. The data breach took place when an employee's laptop was stolen from their home on November 27, The password-protected laptop was not recovered, and the hospital could not determine whose information may have been compromised. Instead, notification letters were sent to 29,000 patients who had received care at the hospital since an electronic medical records system was established in The information stored on the laptop may have included patient names, addresses, Social Security numbers (SSNs), and medical information. The hospital established a hotline to provide more information to those affected by the breach as well as one year of identity theft protection membership. Following this incident, the hospital implemented additional safeguards around patient health information.

2. WHAT TYPES OF ENTITIES ARE EXPERIENCING BREACHES?

Our report classifies the organizations that experienced a data breach into five categories: Healthcare, Corporate, Education, Government and Other. [4] These designations provide an overview of the entities that experienced a physical or electronic records breach.

Across Q4 and the FQA, Healthcare entities had the largest percentage of breaches identified. In Q4, Healthcare entities accounted for 41% of all breaches identified, followed by Education (24%), Corporate (20%), Government (13%), and Other (2%) (See Figure 1). For the FQA, Healthcare entities experienced 39% of the data breaches identified, followed by Corporate (23%), Education (17%), Government (14%), and Other (7%) (See Figure 2).

FIGURE 1: Breaches by Type of Entity. Healthcare 41%, Education 24%, Corporate 20%, Government 13%, Other 2%.

FIGURE 2: Four Quarter Average Breaches by Type of Entity. Healthcare 39%, Corporate 23%, Education 17%, Government 14%, Other 7%.

As part of Navigant's analysis, we further segmented both Healthcare and Corporate entities to get a better sense of the types of organizations affected by data breaches. The types of Healthcare entities which experienced data breaches in Q4 and the prior four quarters are shown below.

Healthcare Entity Type               Q4     FQA
Hospital                             53%    30%
Physicians Offices                   26%    33%
Dental Practice                      5%     5%
Home Health Services                 5%     1%
Mental Health Treatment Facility     5%     4%
Rehabilitation Facility              5%     0%
Clinic                               0%     13%
Health System                        0%     13%
Surgical Center                      0%     1%

Hospital and Physician Offices make up the vast majority of all Healthcare data breaches: 80% in Q4 and an average of 63% in the prior four quarters. The single Mental Health Facilities breach in Q4 was larger than all four breaches reported in the prior four quarters. The average size of a data breach for Physician Offices was 4,603 records in Q4 while the FQA was almost double that amount. No major health systems were breached in Q4, but the average number of records affected by health system breaches in the prior four quarters was 47,000.

Corporate Entity Type                            Q4     FQA
Insurance & Finance                              56%    30%
Services                                         22%    37%
Manufacturing                                    11%    7%
Transportation, Utilities, & Public Services     11%    4%
Retail & Wholesale Trade                         0%     22%

Services and Insurance & Finance made up over 68% of the Corporate breaches by industry category across both reporting periods. An interesting item to note is that Manufacturing entities had the smallest average records per breach in Q4, whereas Services had the largest average records per breach. The prior four quarters saw Manufacturing entities with the largest average records per breach while Insurance & Finance had the smallest. The Q4 data shows that 67% of Corporate entities were private firms while 33% were publicly traded. The prior four quarters showed a similar trend with 74% private and 26% publicly traded entities.

A notable corporate data breach occurred at a large software company in early November According to news sources, a hacker from Egypt was able to breach the company's user forum website. This hack potentially compromised over 150,000 records of company employees, government agencies and other major internet providers. The hacker was able to upload a PHP shell to the company website and look for database configuration files to steal forum credentials before dumping the information online. The compromised information contained addresses, names, organizations, titles, user names and encrypted passwords. Following this incident, the company took the forum offline and reset all users' passwords.

3. WHAT IS THE AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE OF A DATA BREACH?

Data security regulations and the increasing danger of identity theft have elevated the importance of a timely response and disclosure after the discovery of a data breach. Discovery takes place when either electronic or physical records are confirmed to be lost or stolen, or data is otherwise identified as compromised. Disclosure can be made through notification to those affected by the data breach or to a regulatory agency, or news of the breach can be disclosed by the media through publications, websites or blogs.

Forty-six states and several U.S. territories including Guam, the Virgin Islands and Puerto Rico have enacted data breach reporting requirements for different types of data. Some states allow for a company to conduct a reasonable investigation of the incident before notification while other states have established specific timelines for notification. States such as Texas and Connecticut have recently passed legislation strengthening their data breach notification rules. States without specific data breach notification laws include Alabama, Kentucky, New Mexico and South Dakota.

The increasing regulatory oversight regarding the disclosure of a data breach has prompted Navigant to track the average number of days between discovery and disclosure using public sources, news and government websites. The average number of days between discovery and disclosure for all breaches was 51 days in Q4 compared to 56 days for the prior four quarters. We also track the average number of days between discovery and disclosure by type of entity (See Figure 3).

- The time between discovery and disclosure for Corporate entities experiencing a breach in Q4 increased 61% over the four quarter average (FQA: 54 days vs. Q4: 87 days).
- Healthcare entities registered a 22% decrease between discovery and disclosure, from 81 days for the FQA to 63 days in Q4.
- The number of days between discovery and disclosure for Education entities remained unchanged at 26 days across Q4 and the FQA.
- Government entities also decreased the time between discovery and disclosure from the FQA of 34 days to 17 days in Q4.
- Other entities registered 24 days for the FQA and 43 days in Q4, a 79% increase.

FIGURE 3: Average Number of Days Between Discovery and Disclosure by Type of Entity (Q4 vs. Four Quarter Average; Corporate, Education, Government, Healthcare, Other).

The significant increase in the time between discovery and disclosure for Corporate entities can be attributed to several breaches that were disclosed over 120 days after the discovery of an incident. One specific example involved a large international financial institution with customers in both the United States and Canada. In October 2012, this bank began notifying 267,000 customers of a data breach. The breach took place in March 2012 when records on two unencrypted backup tapes that were shipped to one of its locations went missing. Upon discovering this, the company initiated an investigation to locate the missing tapes. According to news reports, the bank stated the lag in reporting this event was due to a thorough investigation of the matter before disclosure. The tapes contained customers' names, addresses, dates of birth (DOBs), driver's license numbers, SSNs, debit card numbers and bank account numbers. The company's notification to affected customers offered one free year of credit monitoring as well as the option to transfer funds to a new bank account number.

Currently, both federal and state authorities require that entities holding personal health information must disclose that a data breach has occurred. The Department of Health & Human Services (HHS) issued data breach regulations in August At the same time, similar breach notification regulations were issued by the Federal Trade Commission (FTC). As part of directives under the Health Information Technology for Economic and Clinical Health (HITECH) Act, finalized in January 2013, both the HHS and the FTC require HIPAA-covered entities to provide notification following a breach of protected health information no later than 60 days after the incident. [5] From public sources, our analysis shows the average number of days between discovery and disclosure for breaches of medical records was 84 days for the prior four quarters compared to 66 days in Q4, representing a 21% decrease.

4. WHAT TYPES OF DATA ARE BEING COMPROMISED?

The types of data being compromised include personally identifiable information (PII), such as DOBs, name or SSNs; protected health information (PHI), such as information related to medical conditions, the provision of healthcare, or payment for the provision of healthcare; and financial information, such as bank accounts or credit card numbers. We identified several categories of data commonly at risk in data breaches including: Name, Contact Information, SSNs, DOBs, Medical, Credit Card, Email, Financial and Miscellaneous (See Figure 4). Many of the incidents identified in this report have multiple types of data associated with each breach.

FIGURE 4: Breaches by Type of Information (Q4 vs. Four Quarter Average; Names, Contact Info, SSNs, DOBs, Medical Info, Credit Cards, Financial Info, Emails, Misc. Info).

In Q4, the number of breaches involving some of the most sensitive data, including SSNs (Q4: 57% vs. FQA: 47%) and DOBs (Q4: 39% vs. FQA: 36%), were above the average for the prior four quarters. Healthcare and Education entities account for almost 60% of the total SSN breaches identified in Q4. Breaches of medical information were also above the FQA (Q4: 46% vs. FQA: 41%).

A breach that involved over 14,000 patient records containing PII and other data took place at a hospital specializing in women's and infants' health. The hospital, located in the Northeastern United States, discovered unencrypted backup tapes containing ultrasound images from two of its facilities were missing. Following the discovery of the breach in September 2012, the hospital began an investigation and determined that the tapes contained ultrasound images from two ambulatory facilities; one for and the other for The tapes also contained patient names, DOBs, date of exam, physician name, patient ultrasound images and in some cases SSNs. In response to the breach, the hospital began to notify patients less than a month after the incident was discovered. The hospital also set up a dedicated call center for patients to contact with any questions. According to news reports, the facility also enhanced its policies and procedures concerning backup tape receipt and storage practices.

5. WHAT IS THE AVERAGE NUMBER OF RECORDS PER BREACH?

Navigant has calculated the average number of records per breach by type of entity (See Figure 5). This analysis revealed that the average number of records per breach was 14% lower in than the previous four quarters (FQA: 47,519 vs. Q4: 33,590).

- Government entities saw the largest change from 108,946 records in the previous four quarters to 10,822 records in Q4, a 90% decrease between reporting periods.
- The average number of records per breach increased 43% in Q4 from the prior four quarters for Other entities (FQA: 55,839 vs. Q4: 80,000).
- Corporate entities experienced a slight decrease in the average number of records per breach from 65,544 records in the prior four quarters to 62,892 records in Q4.
- The average number of records per breach for Education entities was 51,040 during the prior four quarters versus 52,680 in Q4, an increase of 3%.
- Healthcare entities averaged 12,647 records per breach during the prior four quarters compared to 13,406 records in Q4, a 6% increase between reporting periods.

FIGURE 5: Average Records Per Breach by Type of Entity (Q4 vs. Four Quarter Average; Corporate, Education, Government, Healthcare, Other).

6. WHAT ARE THE LEADING CAUSES OF DATA BREACHES?

The different causes of a data breach are summarized into seven major categories. These categories are Virus, Hacking, Loss, Theft, Public Access/Distribution, Unauthorized Access/Use, and Improper Disposal. [6] The most common methods used to breach data in Q4 are shown in Figure 6. The FQA had a similar break-out (See Figure 7). In Q4, Theft, Hacking, and Public Access/Distribution were trending down compared to the FQA; however, all other vectors (Virus, Loss, Unauthorized Access) were trending up as compared to the FQA.

FIGURE 6: Breaches by Type of Method. Theft 26%, Hacking 18%, Public Access/Distribution 17%, Unauthorized Access/Use 15%, Loss 13%, Improper Disposal 7%, Virus 4%.

FIGURE 7: Four Quarter Average Breaches by Type of Method. Theft 35%, Hacking 22%, Public Access/Distribution 21%, Loss 8%, Unauthorized Access/Use 8%, Improper Disposal 3%, Virus 2%, Unknown 1%.

Looking at the data by method of breach and type of entity, we identified some interesting statistics.

- Across the reporting periods, 68% of data breaches involving Hacking took place at Education or Corporate entities.
- 50% of all breaches involving Theft in Q4 took place at Healthcare entities.
- 80% of data breaches involving Unauthorized Access/Use across reporting periods took place at Healthcare and Corporate entities.
- The data of Healthcare entities was most often breached by Theft and Loss.

A regional hospital in Tennessee experienced a data breach when a laptop containing patient information was stolen from an employee's home on August 25, Once the theft was discovered, the hospital started an investigation to determine the extent of the data breach and also contacted local law enforcement. The laptop contained registration records for 27,000 patients, which included names, DOBs, addresses, physician names, billing information and in some cases SSNs. Based on a review of news articles, there is no indication that credit monitoring was offered to those affected by this incident. Instead, the hospital has set up a toll free number and is recommending patients seek services on their own.

Navigant also tracked the format of breached records. We divided the types of records into three categories: physical, electronic and a combination of both. Electronic records may be accessed via CD-ROM, laptop, thumb drive, other media devices, email, website or server. In Q4, 78% of the records compromised were electronic, while 15% were physical records and 7% were unknown. Across the FQA, 80% of compromised records were electronic while 17% were physical records. 1% were classified as a combination of both electronic and physical records, while 2% were in an unknown format.

7. WHAT IS THE AVERAGE TOTAL COST OF A DATA BREACH?

One of the most critical questions being asked relates to the total cost of a data breach for the entities involved. One of the foremost studies on this issue is published by the Ponemon Institute. [7] The most recent information released provides some statistics on the total costs of a data breach. These costs could include detection, discovery, notification, potential legal costs, ex-post costs, loss of customers, and/or brand damage but will vary with each specific breach. For purposes of this quarterly report, Navigant used the Ponemon cost per record to estimate the average total cost of a data breach by type of entity and type of breach.

A college in the Southeastern United States discovered a data breach occurred between May 21, 2012 and September 24, 2012 compromising the records of 276,000 people including current and former students. Individuals affected include 76,000 current or former students; 3,200 current or retired employees and over 200,000 students who were eligible for the Bright Futures Scholarships between 2005 and The coordinated hack over several months breached the school's servers. This led to the identity theft of over 50 people, including the college president. The hackers took out loans through Payday services in Canada and repaid them from bank accounts of those affected. The hackers also applied for and used Home Depot credit cards. The compromised information for current and former students included names, addresses, SSNs and DOBs. The compromised data for employees included DOBs and SSNs as well as direct deposit routing and account numbers. An internal review by the college in October identified the breach. The college initiated an investigation with outside consultants and the local law enforcement cybercrimes division. Using the Ponemon Institute study estimates, the total cost of this data breach might be as high as $52 million. Following the breach, the college has set up a website to help those affected to file a complaint or understand the resources available from the Federal Trade Commission.

The average total cost of a data breach in Q4 was $6,516,540. The average total cost in the FQA was $9,218,659, a 29% decrease. Some notable results from the analysis of average total cost of a data breach by entity were (see Figure 8):

- In Q4, Corporate ($12,201,091), Education ($10,219,867) and Other ($15,520,000) entities were above the average total cost of $6,516,540. Government and Healthcare entities were below the average total cost of a data breach by 68% and 60% respectively.
- In the prior four quarters, Healthcare ($2,453,495) entities were below the average total cost of $9,218,659. Corporate, Education and Other entities were above the average total cost. Government entities were more than double the overall average.

The average total cost of a data breach varied widely by type of entity between quarters.

- Government entities had the largest decrease between reporting periods. The average total cost of a data breach for the previous four quarters declined from $21,135,595 to $2,099,500 in Q4, a 90% change.
- Education, Healthcare and Other entities showed increases in the average total cost of a data breach between reporting periods. Education entities increased from $9,901,784 to $10,219,867. Healthcare entities increased from $2,453,495 to $2,600,815. Other entities showed the largest increase in the average total cost of a data breach by 43% between reporting periods (FQA: $10,832,778 vs. Q4: $15,520,000).
- The average total cost of a data breach for Corporate entities decreased slightly (FQA: $12,715,558 vs. Q4: $12,201,091).

FIGURE 8: Average Total Cost by Type of Entity (Q4 vs. Four Quarter Average; Corporate, Education, Government, Healthcare, Other).

Navigant also calculated the average total cost of a data breach by method of breach (See Figure 9).

- Improper Disposal (FQA: $1,868,002 vs. Q4: $6,085,133) showed the most significant increase from quarter to quarter. The categories which also showed increases between reporting periods were Public Access/Distribution and Theft.
- Virus saw the largest percentage decrease from the prior four quarters to Q4, a 94% reduction (FQA: $7,626,172 vs. Q4: $426,218). The other categories included Hacking and Loss, which both showed large decreases.
- The methods of breach that cost the most across both reporting periods were Hacking, Loss and Public Access/Distribution. In Q4, Hacking ($11,723,760) was the most expensive type of breach, followed by Loss ($9,615,093) and Public Access/Distribution ($6,927,764). For the FQA, Hacking ($23,831,352) was the most expensive type of breach, followed by Loss ($20,486,066) and Virus ($7,626,172).

FIGURE 9: Average Total Cost by Type of Breach (Q4 vs. Four Quarter Average; Hacking, Improper Disposal, Loss, Unauthorized Access/Use, Public Access/Distribution, Unknown, Virus, Theft).

Spotlight on Notable Breaches

Company/Organization: South Carolina Department of Revenue
Industry: Government
Record Type: Electronic
Method: Hacking
Size of Breach: 3.8 Million SSNs; 387,000 Credit and Debit Card Numbers
Type of Data Compromised: SSNs, Credit Card Numbers, Bank Account Numbers

The hacking of the South Carolina Department of Revenue's servers is the largest data breach ever identified involving a state government. The hackers sent phishing emails to department employees beginning in August At least one employee clicked on the link embedded in the email, which executed malware. The malware was able to gain access to 44 separate systems and database files throughout September and October. The United States Secret Service notified the Department of Revenue about the massive breach on October 10, An ensuing investigation by the state identified SSNs of 3.8 million taxpayers were affected along with 387,000 credit and debit card numbers. According to news reports, the Department of Revenue set up a call center and provided one year of credit monitoring and a $1 million identity theft insurance policy to all individual victims affected by this incident. The state agency set up a credit alert service to businesses affected as well.

Company/Organization: Nationwide Insurance
Industry: Insurance
Record Type: Electronic
Method: Hacking
Size of Breach: 1.1 Million Records
Type of Data Compromised: Names, SSNs, DOBs, Driver's License Numbers, Marital Status, Gender, and Employment Information

On October 3, 2012, a computer network used by Nationwide and Allied Insurance was hacked. The company discovered and contained the attack on the same day and notified victims the following month. Following the identification of the breach, the company initiated an investigation and determined hackers had likely stolen personal information. The information contained on the company network is used to generate quotes for their services. The hacked information potentially includes names, DOBs, SSNs and driver's license information. While Nationwide has not disclosed the total number of records breached, news reports and notifications to state Attorneys General bring the estimate to 1.1 million. Individuals whose information was compromised have been given one year of credit monitoring and up to $1 million of identity theft fraud expense coverage.

[1] Matthew J. Schwartz, "Team Ghostshell Hackers Claims NASA, Interpol, Pentagon Breaches," Information Week, 10 December 2012; Noelle Philipps, "3.6 Million Social Security Numbers Hacked in S.C.," The State, 26 October

[2] FQA includes Q Q

[3] For purposes of this study Nationwide Insurance, South Carolina Department of Revenue and Playspan were considered outliers in the last quarter and thus not reported as part of the quarterly data. Two of these breaches are discussed as part of this study under the Notable Data Breaches section of this report. Quarterly data reported in prior studies may change when information regarding breaches is identified or amended.

[4] Insurance companies are classified as Corporate entities for the purposes of this study, although protected health information may be included in breach incidents involving insurance companies.

[6] A Virus is an intrusive malware that infects computers, servers and networks. A virus often carries out unwanted operations on a host computer. A virus could be used for hacking or it could be unintentionally loaded into a system and cause damage. Hacking occurs when a group or individual attempts to gain unauthorized access to computers or computer networks and tamper with operating systems, application programs, and databases. Unauthorized Access/Use is designated when an employee, contractor or volunteer of an organization wrongfully accesses or uses records. Improper Disposal occurs when either physical records or electronic media are not properly disposed and could be accessed by other parties. A Theft involves physical records or electronic media that have been stolen or taken from an organization without permission by an employee or other party. Loss is designated when either physical records or electronic media have been lost and cannot be located by the organization. Public Access/Distribution occurs when records or data are made available publicly or to inappropriate parties. This includes data made accessible via a server, website or network and sent to inappropriate recipients via paper or electronic methods.

[7] Cost of Data Breach Study United States, Ponemon Institute LLC, March The total average cost per compromised record was $194. For purposes of this study, we estimated the total cost of each data breach using this figure calculated by the Ponemon Institute.

ABOUT NAVIGANT

Navigant (NYSE: NCI) is a specialized independent consulting firm providing dispute, financial, investigative, regulatory and operations advisory services to government agencies, legal counsel and large companies facing the challenges of uncertainty, risk, distress and significant change. The Company focuses on industries undergoing substantial regulatory or structural change and on the issues driving these transformations.

CONTACT

For questions related to the data presented herein:

Lead Data Breach Forensic Investigators
Steven Visser svisser@navigant.com
Daren Hutchison dhutchison@navigant.com
Brad Pinne bpinne@navigant.com
Bill Hardin bill.hardin@navigant.com
Andrew Obuchowski andy.obuchowski@navigant.com
Cuyler Robinson crobinson1@navigant.com

Strategic Initiative Contacts
Scott Paczosa scott.paczosa@navigant.com
Jonathan Drage jonathan.drage@navigant.com
Darin Bielby dbielby@navigant.com

Research Lead
Bill Schoeffler bschoeffler@navigant.com

navigant.com

The authors would like to thank Vanessa Nelson Meihaus for her invaluable assistance. Vanessa is a Research Coordinator specializing in practice specific and general business development research in the firm's Chicago office.

Navigant Consulting, Inc All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See for a complete listing of private investigator licenses.


More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Data Breach Cost. Risks, costs and mitigation strategies for data breaches Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,

More information

Cyber Liability & Data Breach Insurance Claims

Cyber Liability & Data Breach Insurance Claims Cyber Liability & Data Breach Insurance Claims A Study of Actual Payouts for Covered Data Breaches Mark Greisiger President NetDiligence June 2011 Last year, privacy breaches ran about 1-2 per week. This

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

Personal Information Protection Act Information Sheet 11

Personal Information Protection Act Information Sheet 11 Notification of a Security Breach Personal Information Protection Act Information Sheet 11 Introduction Personal information is used by organizations for a variety of purposes: retail and grocery stores

More information

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Thank you for joining us. We have a great many participants in today s call. Your phone is currently

More information

DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL

DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL State AGs have been very active in the leadership of data privacy protection initiatives across the country, and have dedicated considerable

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

A Privacy and Cybersecurity Primer for Nonprofits

A Privacy and Cybersecurity Primer for Nonprofits A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 24, 2016 Presenters: Sean Hoar and Anna Watterson Privacy & Security Privacy The choices a consumer exercises re: who

More information

Privacy Rights Clearing House

Privacy Rights Clearing House 10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com

Data Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com Data Security 101 A Lawyer s Guide to Ethical Issues in the Digital Age Christopher M. Brubaker cbrubaker@clarkhill.com November 4-5, 2015 Pennsylvania Bar Institute 21 st Annual Business Lawyers Institute

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PURPOSE The purpose of this policy is to describe the procedures by which Workforce members of UCLA Health System and David Geffen School of Medicine

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

Aftermath of a Data Breach Study

Aftermath of a Data Breach Study Aftermath of a Data Breach Study Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report Aftermath

More information

Violation Become a Privacy Breach? Agenda

Violation Become a Privacy Breach? Agenda How Does a HIPAA Violation Become a Privacy Breach? Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, Compliance Agenda Differentiating between HIPAA violation and reportable breach Best practices

More information

Data Breach 101 How to Avoid a Virtual Catastrophe

Data Breach 101 How to Avoid a Virtual Catastrophe Data Breach 101 How to Avoid a Virtual Catastrophe Presented by Eduard Goodman, J.D., LL.M., CIPP Chief Privacy Officer In partnership with IDentity Theft 911 is solely responsible for the content of this

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

Updates within Network Security and Privacy Risk Management

Updates within Network Security and Privacy Risk Management Updates within Network Security and Privacy Risk Management RIMS Minneapolis Meeting Melissa Krasnow, Partner, Dorsey & Whitney LLP (Minneapolis, MN) Mario Paez, Midwest Practice Leader for Tech., Privacy,

More information

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec

Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Managing Your Cyber & Data Risk 2010 NTA Convention Montreal, Quebec Jeremy Ong Divisional Vice-President Great American Insurance Company November 13, 2010 1 Agenda Overview of data breach statistics

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID

Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation. By Marc Ostryniec, vice president, CSID Proactive Credential Monitoring as a Method of Fraud Prevention and Risk Mitigation By Marc Ostryniec, vice president, CSID The increase in volume, severity, publicity and fallout of recent data breaches

More information

I ve been breached! Now what?

I ve been breached! Now what? I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have

More information

Mastering Data Privacy, Protection, & Forensics Law

Mastering Data Privacy, Protection, & Forensics Law Mastering Data Privacy, Protection, & Forensics Law April 15, 2015 Data Breach Notification and Cybersecurity Developments in 2015 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy

More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information

Cyber Liability. What School Districts Need to Know

Cyber Liability. What School Districts Need to Know Cyber Liability What School Districts Need to Know Data Breaches Growing In Number Between January 1, 2008 and April 4, 2012 314,216,842 reported records containing sensitive personal information have

More information

Finding a Cure for Medical Identity Theft

Finding a Cure for Medical Identity Theft Finding a Cure for Medical Identity Theft A look at the rise of medical identity theft and what small healthcare organizations are doing to address threats October 2014 www.csid.com TABLE OF CONTENTS SUMMARY

More information

HIPAA Privacy & Security Rules

HIPAA Privacy & Security Rules HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes

More information

HIPAA and Privacy Policy Training

HIPAA and Privacy Policy Training HIPAA and Privacy Policy Training July 2015 1 This training addresses the requirements for maintaining the privacy of confidential information received from HFS and DHS (the Agencies). During this training

More information

City of Watauga Utility Billing Department Identity Theft Prevention Program. Effective beginning November 1, 2008

City of Watauga Utility Billing Department Identity Theft Prevention Program. Effective beginning November 1, 2008 City of Watauga Utility Billing Department Identity Theft Prevention Program Effective beginning November 1, 2008 A. PROGRAM ADOPTION The City of Watauga Utility Billing Department ("Utility") developed

More information

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA

More information

Reducing Cyber Risk in Your Organization

Reducing Cyber Risk in Your Organization Reducing Cyber Risk in Your Organization White Paper 2016 The First Step to Reducing Cyber Risk Understanding Your Cyber Assets With nearly 80,000 cyber security incidents worldwide in 2014 and more than

More information

Mastering Data Privacy, Social Media, & Cyber Law

Mastering Data Privacy, Social Media, & Cyber Law Mastering Data Privacy, Social Media, & Cyber Law October 22, 2014 Data Breach Notification and Cybersecurity Developments in 2014 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy

More information

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

More information

The University of North Carolina at Charlotte Identity Theft Prevention Program

The University of North Carolina at Charlotte Identity Theft Prevention Program The University of North Carolina at Charlotte Identity Theft Prevention Program Program Adoption As a best practice and using as a guide the Federal Trade Commission s ( FTC ) Red Flags Rule ( Rule ),

More information

Beazley presentation master

Beazley presentation master The Art of Breach Management Beazley presentation master February 2008 A Brief Review of Data Breaches What is a Data Breach? Actual release or disclosure of information to an unauthorized individual/entity

More information

Covered Areas: Those EVMS departments that have activities with Covered Accounts.

Covered Areas: Those EVMS departments that have activities with Covered Accounts. I. POLICY Eastern Virginia Medical School (EVMS) establishes the following identity theft program ( Program ) to detect, identify, and mitigate identity theft in its Covered Accounts in accordance with

More information

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident.

THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident. THE DATA BREACH: How to stay defensible before, during and after the incident. after the incident. September 22, 2015 Erica Ouellette Beazley Technology, Media & Business Services Alyson Newton, Executive

More information

Data Breaches in the Government Sector. A Rapid7 Research Report

Data Breaches in the Government Sector. A Rapid7 Research Report Data Breaches in the Government Sector A Rapid7 Research Report Summary of Report Across all industries, data breaches and the protection of business-critical data remain a top concern. While the government

More information

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

HIPAA Compliance. 2013 Annual Mandatory Education

HIPAA Compliance. 2013 Annual Mandatory Education HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health

More information

Special Report The HITECH Act

Special Report The HITECH Act Special Report The HITECH Act Privacy and Data Breach Notification Provision An Overview of the HITECH Act On February 17, 2009, President Obama signed into law the $787 billion stimulus package known

More information

Data Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir.

Data Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir. Data Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir. Stroz Friedberg Gerard M. Stegmaier, Esq. Wilson Sonsini

More information

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS DATA SECURITY HACKS, HIPAA AND HUMAN RISKS MSCPA HEALTH CARE SERVICES SEMINAR Ken Miller, CPA, CIA, CRMA, CHC, CISA Senior Manager, Healthcare HORNE LLP September 25, 2015 AGENDA 2015 The Year of the Healthcare

More information

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared; Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

More information

Tape Vaulting Audit And Encryption Usage Analysis

Tape Vaulting Audit And Encryption Usage Analysis Tape Vaulting Audit And Encryption Usage Analysis Prepared for Public Presentation (includes SB 1386, Gramm Leach Bliley, and Personal Data Protection and Security Act of 2005 Customer Information Protection

More information

Proofpoint HIPAA Breach Report:

Proofpoint HIPAA Breach Report: Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents

More information

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability.

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability. Miscellaneous Current Topics in Healthcare Professional Liability Josh Zirin, FCAS, MAAA Antitrust Notice The Casualty Actuarial Society is committed to adhering strictly to the letter and spirit of the

More information

Compromises in Healthcare Privacy due to Data Breaches

Compromises in Healthcare Privacy due to Data Breaches Compromises in Healthcare Privacy due to Data Breaches S. Srinivasan, PhD Distinguished Professor of Information Systems Jesse H. Jones School of Business Texas Southern University, Houston, Texas, USA

More information

IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE. Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs

IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE. Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs This presentation is not meant to serve as a substitute for

More information

2011 Data Breach Notifications Report

2011 Data Breach Notifications Report 2011 Data Breach Notifications Report December 2011 2011 Report on Data Breach Notifications History, Laws and Regulations On October 31, 2007, the Commonwealth s Data Security Breach Law, Mass. Gen. Law

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

Legal Grand Rounds Update on Privacy and Security Laws with Best Practices Carol Romej, J.D., LL.M. August 26, 2015

Legal Grand Rounds Update on Privacy and Security Laws with Best Practices Carol Romej, J.D., LL.M. August 26, 2015 Legal Grand Rounds Update on Privacy and Security Laws with Best Practices Carol Romej, J.D., LL.M. August 26, 2015 Passwords Alphanumeric Cap Sensitive Data Sources: Where is the data stored? Office Computers/Home

More information

Choosing The Right Data Breach Response Services for Consumer Remediation

Choosing The Right Data Breach Response Services for Consumer Remediation Choosing The Right Data Breach Response Services for Consumer Remediation Authored by Brian Lapidus, Managing Director, InfoSec Practice Leader Kroll When a data breach exposes personal information to

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations

More information

The Home Depot Provides Update on Breach Investigation

The Home Depot Provides Update on Breach Investigation The Home Depot Provides Update on Breach Investigation Breach confirmed Investigation focused on April forward No evidence of debit PIN numbers compromised No customers liable for fraudulent charges Customers

More information

Personal Information Protection Policy

Personal Information Protection Policy I Personal Information Protection Policy Purpose: This policy outlines specific employee responsibilities in regards to safeguarding personal information. To this end, each employee has a responsibility

More information

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS The following claim scenarios are hypothetical and are offered solely to illustrate the types of situations that may result in claims. Although sorted by industry,

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg. ACCG Identity Theft Prevention Program ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.org July 2009 Contents Summary of ACCG Identity Theft Prevention Program...

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

PII = Personally Identifiable Information

PII = Personally Identifiable Information PII = Personally Identifiable Information EMU is committed to protecting the privacy of personally identifiable information of its students, faculty, staff, and other individuals associated with the University.

More information

Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell

Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Who s Afraid Of A Big Bad Breach?: Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Overview Identifying the laws that protect personal information and protected

More information

Brief. The BakerHostetler Data Security Incident Response Report 2015

Brief. The BakerHostetler Data Security Incident Response Report 2015 Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the

More information

Managing Cyber & Privacy Risks
