In 2009, a small number of data leaks exposed more personal information than ever before.
Glance at 2009's data breach statistics, and you might think the IT world had scored a rare win in the endless struggle against cybercrime.
According to the Identity Theft Resource Center, government agencies and businesses reported 435 breaches as of Nov. 17, on track to show a 50% drop from the number of breaches reported in 2008. That would make 2009 the first year that the number of reported data breaches has dropped since 2005, when the ITRC started counting.
But the decrease in data breaches is deceptive. In fact, the number of personal records exposed--data like Social Security numbers, medical records and credit card information tied to an individual--has skyrocketed to 220 million records so far this year, compared with 35 million in 2008. That is the largest collection of lost data on record. And the majority of 2009's data loss stems from a single source: credit card processing firm Heartland Payment Systems.
The point of access to Heartland's network was hardly unique. Albert Gonzalez, also known by his hacker handle Segvec, along with two Russian co-conspirators who haven't yet been named by authorities, allegedly used an SQL injection: typing crafted commands into a text entry field on a company's Web site, where the site pastes the input into a database query. The database then executes the attacker's commands instead of the query the site intended, which breaks the site's intended function and gives the attacker a foothold on the server that it runs on.
From there, the hacker group is accused of planting malicious software that collected and siphoned off credit and debit card numbers. Because they targeted a payment processor with access to many clients' financial data rather than a single retailer, Segvec and his partners allegedly pulled out information for as many as 130 million accounts.
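The injection step described above, as an added illustration that is not part of the original article and has nothing to do with Heartland's actual code: a constructed lookup page whose query is built by string concatenation, the same lookup with a bound parameter, and two classic payloads run against both. The table names, rows and payloads are all made up for the example.

```python
import sqlite3

# Constructed sample data, not from the article: a tiny "merchants" table
# standing in for a Web site's lookup backend, plus a "cards" table that the
# lookup page was never meant to touch.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO merchants (name, api_key) VALUES (?, ?)",
                     [("acme-grocery", "key-acme-001"), ("bobs-fuel", "key-bobs-002")])
    conn.executemany("INSERT INTO cards (pan, expiry) VALUES (?, ?)",
                     [("4111111111111111", "12/11"), ("5500000000000004", "03/12")])
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the form value is pasted into the SQL text, so a quote in the
    input ends the string literal and everything after it is parsed as SQL."""
    sql = "SELECT name, api_key FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: a bound parameter reaches the engine as data, never as SQL,
    so the same payload is just a merchant name that matches nothing."""
    return conn.execute(
        "SELECT name, api_key FROM merchants WHERE name = ?", (name,)).fetchall()


# Two classic payloads (constructed): a tautology that makes the WHERE clause
# always true, and a UNION that appends rows from a table the page never queries.
# The trailing "--" comments out the quote the page adds after the input.
TAUTOLOGY = "' OR '1'='1"
UNION = "' UNION SELECT pan, expiry FROM cards --"


def demo():
    """Run each payload through both lookups and return the rows each gives back."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "acme-grocery"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),   # every merchant
        "union_vuln": lookup_vulnerable(conn, UNION),           # card rows
        "tautology_safe": lookup_parameterized(conn, TAUTOLOGY),  # nothing
        "union_safe": lookup_parameterized(conn, UNION),          # nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The point of the UNION case is the one the article makes about Heartland: the injection is not just a way to read the table behind one form, it lets the attacker reach anything the site's database account can reach. The fix is not filtering quotes but keeping user input out of the query text entirely, which is what the parameterized version does.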
Heartland, to be sure, wasn't the only mega-breach this year. Less scrutinized, but still far larger in scope than practically any breach in history, was an incident that occurred at the National Archives and Records Administration (NARA) in October. When a hard drive with the personal information of around 76 million servicemen malfunctioned, NARA sent it back to the IT contractor GMRI for repairs. But by letting the drive leave its premises without wiping it, NARA arguably created the biggest government data breach ever.
NARA disputed in a public statement that its hard drive mishap represents a true data debacle: GMRI had signed a contract ensuring its careful handling of private data. But given the high rate of data breaches traced to contractors--46% of all lost files last year--NARA's mistake still counts as one of the biggest breaches of all time, says ITRC Director Linda Foley. And like the Heartland breach, it could easily have been prevented by encrypting the sensitive data at rest, so that a drive leaving the building is unreadable to anyone without the key.
"Why are organizations that have these massive amounts of our data still not encrypting it?" Foley says. "When we know we have these super breaches going on, why are they resisting a technology that could prevent them?"
Setting aside 2009's two "super breaches," the ITRC recorded only around 14 million lost records this year, a comparatively small number. But Larry Ponemon, founder and chief executive of the data-breach-focused research firm the Ponemon Institute, doubts that the ITRC accounting is complete.
Ponemon points out that the ITRC, like other breach-tracking firms, catalogues data loss incidents based on media reports that follow public notice of breaches, now a legal requirement in many states. But thanks to the massive scale of incidents like NARA's or Heartland's, many smaller breaches are no longer covered. "These small breaches aren't as interesting as they used to be. They're considered commonplace," says Ponemon. "If it's not a mega-breach, it's not going to be reported."
Better news than the misleading drop-off in breach reports, says Ponemon, is the steady increase in the use of technology like encryption and data loss prevention (DLP) software, which monitors outbound channels such as e-mail and USB storage and blocks sensitive data from leaving. Since 2005, encryption of entire hard drives has increased an average of 19% a year, and encryption of USB drives has increased by 16% a year. Data loss prevention has been adopted at around 8% a year.
But though accurate breach data isn't easy to find, Ponemon doesn't believe the adoption of DLP and encryption is stemming the flood of personal data. He says those technologies are often implemented spottily and can't keep up with all the new places from which data can be stolen, from smart phones to Web collaboration tools. "We shouldn't take false comfort in the idea that companies are doing a better job of this," Ponemon says. "There's no question that more companies are using DLP and encryption tools. But there's always a human factor, and many people simply don't take these technologies seriously."