California Attorney General Kamala D. Harris recently published a report on data breaches in 2012. One might ask why the Attorney General is so concerned with data security that she would publish a study on the subject. The explanation is simple: this year marks the tenth anniversary of the SB1386 law, which requires commercial companies handling personal information to notify their customers about leaks of personal data. Moreover, since last year Californian companies that lose data have been required to send copies of their customer notices to the California Attorney General’s Office, so Harris has accumulated a solid statistical database. Although the figures in the study are important in and of themselves, Harris focuses on the most frequent problem: the leaked data was stored in unencrypted form.
Since SB1386 amended the California Civil Code and serves as a kind of “educational measure”, a data leak by definition becomes a state of emergency, and when the law requires the companies that blundered to announce their shame urbi et orbi, they develop new ways to avoid that obligation.
The law has been in effect for ten years already, yet the state of personal data security is still ambiguous.
The survey details the 131 data breaches reported to the Attorney General’s Office in 2012 by 109 Californian organizations. The law requires the Attorney General’s Office to be informed about an incident when there is reason to believe that the personal data of more than 500 people are at risk.
According to the estimates by Harris and her colleagues a total of 2.5 million Californians had personal information put at risk through an electronic data breach. Therefore, the average (mean) breach incident could involve the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
The largest leak was the breach of Valve Corporation’s game servers in February 2012. Valve operates Steam, the online retail service for games and software, so the data breach threatened 509,000 people. Another large-scale intrusion hit the servers of the payment processor Global Payments in July 2012, affecting 139,034 people.
The retail industry reported the most data breaches in 2012, 26 percent of the total, followed by finance and insurance with 23 percent. That these two lead is no surprise, since both process personal and billing information. 15% of incidents occurred in health care, and another 15% fell into an unspecified category. 8% of the leaks occurred in education, and another 8% involved government agencies. Professional services were involved the least, with just 5%.
The California Attorney General’s office used C. Matthew Curtin and Lee T. Ayres’ taxonomy of data loss for the report. All failures were divided into three general categories: physical, logical, and procedural. Physical failures involve the loss of control over a physical asset containing personal information. This type of failure covers lost or stolen documents, portable storage media such as flash drives or tapes, and computer hardware (laptops, tablets and smartphones included). Logical failures involve intentional access to information without access to the physical asset, either unauthorized access by an insider or the exploitation of a vulnerability by an outside hacker. Procedural failures result from data custodians mishandling personal information and exposing it to unauthorized parties. These failures include the unintentional exposure of information on a website, exposure in mailings, misdirected mailings and email, and improper disposal or abandonment of information or media.
More than half of the breaches in 2012 (72 breaches, 55 percent) were the result of logical failures. Outsider intrusions accounted for 59 of the total incidents (45%), and 10 percent of the breaches (13) were caused by insiders. Physical failures accounted for 36 of the breaches (27%): 22 instances of lost or stolen hardware (17%), eight of lost or stolen media (6%), and six of lost or stolen documents (five percent). Procedural failures accounted for 23 of the incidents (18% of the total): 21 were caused by processing errors such as misdirected mail or email and unintentional web posting, and two by improper disposal of data.
Thirty-six of the breaches (27%), affecting a total of over 1.4 million Californians, involved lost or stolen digital data or misdirected emails in which personal information was unencrypted.
At the end of the report Attorney General Kamala D. Harris wrote:
“Ten years after the California breach notification law took effect, we are still seeing the unencrypted personal information of tens of thousands of individuals carried on laptops and left in cars, shipped on tapes and mailed on thumb drives, and stored on desktop computers in offices. Employees use email to send Social Security numbers and other personal information that is not encrypted, and when the email goes astray, so does the information.”
Harris further pointed out that 89 percent of those breaches involved Social Security numbers, which enable new account fraud and account takeover fraud, the types of identity theft that are the most costly to resolve, although such fraud is also possible with the help of a person’s passport.
“We also recommend enacting a law to require the use of encryption to protect personal information on portable devices and media and in email”, the report concluded.
Most likely this measure would improve the state of personal data storage. Another large game company, Ubisoft, was hacked just recently and its gamers’ personal data leaked. As it turned out, the data was stored without any encryption. Now the company is being scolded for negligence, and rightfully so.
From our point of view, any critical information – corporate data, and especially other people’s personal information – must be encrypted when stored. It is as important a safety measure as anti-virus or anti-spyware software is for fighting exploits. Neglecting encryption may cost too much.