For the first time in three years, malicious attacks accounted for more of the reported data security breaches last year than human error, according to a new report by the Identity Theft Resource Center.
Hacker attacks or theft by nefarious insiders made up 36.4% of 354 reported data security breaches last year compared to 27.5% caused by accidental exposure or lost data, according to the ITRC Breach Report for 2009, which was released Friday. The San Diego, Calif.-based nonprofit ITRC, which collects publicly available information about data security breaches, has been tracking how breaches occur for the past three years.
"It isn't surprising," said Linda Foley, ITRC founder. "We've been saying for a long time that the thieves are becoming more sophisticated."
She noted that Albert Gonzalez, who pleaded guilty last month to conspiring to hack into the network of Heartland Payment Systems Inc. and other companies, had been operating with other hackers for several years "honing their skills."
The business sector, which includes retailers, law firms and e-commerce sites, accounted for 41% of reported data security breaches last year, more than the banking, education, government, and health sectors. In 2006, it accounted for 21%. About 11% of the reported data breaches last year came from the financial industry, the lowest percentage among industry sectors.
While stringent regulations may help keep down the number of data breaches in the financial industry, banks still are susceptible, Foley said. Like other organizations, banks that use contractors for services like benefits processing, which involves personally identifiable information, are vulnerable to hacker attacks and other breaches at third parties. In the ITRC report, subcontractors fueled 7.2% of reported data breaches.
Other findings in the ITRC report: Paper-based breaches accounted for almost 26% of known breaches, and encryption or other strong security measures were used to protect sensitive data in only six of the 498 total breaches disclosed last year.
The number of recorded data security breaches fell last year from 657 in 2008, but since not all breaches are reported, Foley said it's hard for anyone to know the true extent of the problem. According to the ITRC report, more than 222 million records were potentially compromised in 2009; two large breaches accounted for 200 million of those records. But one-third of breach notifications don't disclose how a breach occurred, and more than half don't disclose how many records were exposed.
"The insanity continues," she said. "We still don't know the complete picture of breaches. We only know about the 498."
Foley said there needs to be mandatory reporting of data breaches to a single public website so the industry can better track what's happening and watch out for serial attackers.
"We have to get away from the blame game. Breaches are going to happen," Foley said. "We need to stop blaming companies and encourage them to take steps to create stronger security and use breaches to learn from instead of making it a stigma."