This week Heartland Payment Systems confessed to what may ultimately be the largest data breach ever, with some suggesting that as many as 100 million credit cards have been exposed. This makes the 2007 TJ Maxx breach of 45 million debit and credit cards look fairly reasonable. To make matters worse for Heartland, their PR department apparently felt they they could sweep the item under the rug with some shameless tactics such as announcing the breach on inauguration day and registering the domain name 2008breach.com to discuss the matter. The latter appears to be an effort to distance the information from the Heartland corporate name and make it appear to be a dated issue.
What frightens me about such issues is not the earth shattering numbers that make the headlines for a single breach but the fact that for every Heartland, there are hundreds if not thousands of data breaches that go relatively unnoticed. In a past role, I was involved in a customer round table to discuss security, which attracted CISOs from a variety of large companies. During a discussion on data loss, talk turned to unintentional loses such as 'losing a tape off the back of the truck'. A CISO from a major financial institution shook his head and said "if only you knew how common that is". I have no doubt that he was being frighteningly honest with that statement and in a world where access to a few simple details such as my SSN could ruin me financially, that is truly a sobering thought.
The Open Security Foundation does an excellent job of trying to ensure that data breaches don't go unnoticed, by maintaining the Data Loss DB. It is a well maintained, detailed, open source collection of data and statistics regarding data loss dating back to 2000. When Heartland came forward, I decided to look back at the past year to see just how severe a problem this has become.
- The Data Loss DB contains records for 479 incidents of data loss during 2008
- Records exist to suggest that at least 83,350,024 accounts were affected in 2008, however, estimates of the numbers of accounts affected were not available for 26% of incidents, so the actual number is higher
- Stolen laptops accounted for the majority of the data loss at 20% of all incidents, while hacks of some description accounted for 17% of incidents and web specific hacks were responsible for 14% of the results
- Social Security Numbers were lost in one third of all attacks last year
Besides being thoroughly depressing, these statistics should teach us a few things. First and foremost, while the Heartlands of the world will capture the headlines, they represent only the tip of the iceberg in terms of the loses that occur every day. Moreover, data loss occurs in a multitude of ways, both through direct attacks and carelessness on the part of employees. The important thing is that companies have both preventive and detective controls in place to ensure that such incidents are stopped in the first place but also identified when they do occur. If you wait to see your company in the headlines and you're in charge of enterprise security, two things are certain - like Kato Kaelin, you'll be famous and unemployed.
[Charts courtesy of the Open Security Foundation]