Data breach watchdog sees big uptick in vague disclosure

Breaches reported, but lack of detail undermines usefulness.
  • Liam Tung (CSO Online (Australia))
  • 16 July, 2012 11:06

Organisations might be reporting data breaches in the US, but most are staying mum on how the breach occurred.

Hackers, insider threats and lost portable media and laptops are just some of the ways data can be lost, and each type of incident carries different risks that may require a different response from affected individuals, the US-based Identity Theft Resource Centre (ITRC) argues.

Its analysis of 213 data breaches disclosed in the first six months of 2012 shows that 63.4 per cent contained no information about how the breach occurred, representing a two-fold increase in reports that were not transparent.

“Other than breaches reported by the media and a few progressive state websites, there continues to be little or no information available on many data breach events. The public has no way of knowing just how minor or serious the data exposure was for any given incident,” the organisation said in a statement.

Its figures show a big uptick in healthcare sector data breaches, which represented 27 per cent of the total this period, compared with 17 per cent in the same period last year.

Banking sector data breaches represented just 4 per cent in 2012, down from 8 per cent last year.

Third party and subcontractor breaches doubled to 14 per cent over the past year.

Hackers were responsible for 30.5 per cent of breaches, up from 27.5 per cent, while insider theft was down from 17.5 per cent to 7.5 per cent, with the latter trend identified as a sign companies may be improving internal controls and vetting of employees.

The 8.5 million records the organisation counts as ‘being exposed’ significantly undercounts the actual number of records exposed.

The ITRC count includes cases where non-personal identifying information such as email addresses, user names or passwords was lost, but does not treat those as exposed records. That means LinkedIn and eHarmony are listed, but the 6 million user accounts and passwords that were exposed were not counted.

The count also only includes the 44 per cent of organisations that disclosed the number of records in question.

The group argues the figures show that without a national mandatory data breach reporting law, the ability to ascertain how much data is being exposed is getting worse.
