Enterprise Data Breaches on the Rise, Report Finds

If last year was any indication, enterprise IT security pros will be busy in 2009. A report (PDF) released this week by the Identity Theft Resource Center, examining data security breaches in 2008, found lots of issues to address.

Business and enterprise groups showed the most data breaches in the study. More than a third of the 656 total breaches outlined in the group's findings happened in those organizations. Data security breaches were up 47 percent in 2008 compared with 2007 study results, when there were 447 reported cases.

The study found that more than 35 million data records were breached in 2008 in the United States alone. It's a new record, reflecting continued challenges in securing enterprise data.

The Privacy Rights Clearinghouse offers a supplementary view, reporting more than 246 million records stolen since 2005. Moreover, these data breaches have been increasing yearly, according to the group.

Recent case studies provide some examples. For instance, just two days into the 2009 new year, the Pepsi Bottling Group and Merrill Lynch reported data thefts.

In Pepsi's case, a portable data storage device containing Social Security numbers and personal information of employees was reported as missing. It was later thought to be stolen.

The Merrill Lynch incident involved an as-yet-unnamed third-party consultant. An employee of the consultant was a victim of theft, the consultant claims. Lost were computer records of current, past and potential Merrill Lynch employees.

Data breaches result from hacking and remote code execution attacks over the Web. Companies also face insider theft and physical losses, such as a laptop lost at an airport. Data security is simply an endemic problem, according to Phil Lieberman, chief executive of Los Angeles-based Lieberman Software.

Lieberman pointed to an overall lax attitude toward IT security in some companies. In response, software vendors should make their security products quicker to install and easier to deploy. Such measures could eliminate drawn-out implementation lag times, he explained.

"Security products, software or otherwise, cannot fix cheap companies that won't invest the time or money in security and some have employees that are lazy and/or stupid when it comes to security," Lieberman said. "And you can't fix stupid."

Whatever the case, security experts say the frequency of data breaches is increasing and hackers are becoming more brazen.

"Data security is a lot like drunk driving. It is highly dangerous and nobody thinks they will be caught," said Randy Abrams, director of technical education at security firm ESET. "Currently, it appears that there are much stiffer penalties for drunk driving than for data mishandling, and that goes a long way toward explaining declining drunk driving-related deaths and increasing data theft."

Companies need to show a greater security push and there needs to be a broader government mandate to ensure proper data handling, plus more intuitive encryption products. Until such time, Abrams said, data theft and identity theft will continue to flourish.

Qualys Inc.'s Chief Technology Officer Wolfgang Kandek agrees with Abrams and thinks it's time that the little mistakes were eliminated. Many of the breaches, he said, involve lost media such as storage tapes, laptops, servers and hard drives that are shipped or moved. To address these problems, enterprises need a commitment to security.

"There's no reason not to have things encrypted," Kandek said. "It's pure inertia that people do not protect the data adequately. It's definitely an organizational issue. IT folks at companies are already overworked, so they can't do it themselves. There has to be an entity-wide commitment."

Moreover, data breaches are an underreported problem, as illustrated in a Verizon Business study released in the middle of last year. The true number of data breaches at companies last year is just about impossible to come by, according to nonprofit research think-tank ITRC. Enterprises may have been too embarrassed to submit the information or some incursions just went undetected.

"While we collected exactly 35.7 million breaches according to notification letters and other information provided by breached entities, 41.9 percent went unreported or undisclosed, making the total number of affected records an unreliable number to use for any accurate reporting," the ITRC said in a statement accompanying its report.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.
