Data breach watchdog sees big uptick in vague disclosure

Breaches reported, but lack of detail undermines usefulness.

Organisations might be reporting data breaches in the US, but most are staying mum on how the breach occurred.

Hackers, insider threats and lost portable media and laptops are just some of the ways data can be lost, and each type of incident carries different risks that may require a different response from affected individuals, the US-based Identity Theft Resource Centre (ITRC) argues.

Its analysis of 213 data breaches disclosed in the first six months of 2012 shows that 63.4 per cent contained no information about how the breach occurred, a two-fold increase in reports that were not transparent.

“Other than breaches reported by the media and a few progressive state websites, there continues to be little or no information available on many data breach events. The public has no way of knowing just how minor or serious the data exposure was for any given incident,” the organisation said in a statement.

Its figures show a big uptick in healthcare sector data breaches, which represented 27 per cent of the total this period, compared with 17 per cent in the same period last year.

Banking sector data breaches represented just 4 per cent in 2012, down from 8 per cent last year.

Third party and subcontractor breaches doubled to 14 per cent over the past year.

Hackers were responsible for 30.5 per cent of breaches, up from 27.5 per cent, while insider theft was down from 17.5 per cent to 7.5 per cent, with the latter trend identified as a sign companies may be improving internal controls and vetting of employees.

The 8.5 million records the organisation counts as ‘being exposed’ significantly undercounts the actual number of records exposed.

The ITRC count includes cases where non-personal identifying information such as email addresses, user names or passwords was lost, but does not count those items as exposed records. That means LinkedIn and eHarmony are listed, but the 6 million user accounts and passwords that were exposed were not counted.

The count also includes only the 44 per cent of organisations that disclosed the number of records involved.

The group argues the figures show that without a national mandatory data breach reporting law, the ability to ascertain how much data is being exposed is getting worse.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Stories by Liam Tung