Symantec Global Internet Security Threat Report
Data breaches that could lead to identity theft, by sector
Identity theft continues to be a high-profile security issue. In a recent survey, 65 percent of U.S.-based poll respondents said that they were either “very concerned” or “extremely concerned” about identity theft.57 Furthermore, 100 percent of enterprise-level respondents surveyed for the Symantec State of Enterprise Security Report 2010 experienced loss or theft of data.58
The danger of data breaches is of particular importance for organizations that store and manage large amounts of personal information. Not only can compromises that result in the loss of personal data undermine customer and institutional confidence, result in costly damage to an organization’s reputation, and result in identity theft that may be costly for individuals to recover from, they can also be financially debilitating to organizations.59 In 2009, the average cost per incident of a data breach in the United States was $6.75 million, which is slightly higher than the average for 2008. Considering that the average cost per incident has also been rising in recent years (having risen from $4.5 million in 2005, for example), it is reasonable to assume that average costs will continue to rise in coming years. Reported costs of lost business ranged from $750,000 to $31 million.60
Using publicly available data, Symantec has determined the sectors that were most often affected by these breaches and the most common causes of data loss.61 Using the same publicly available data, this discussion will also explore the severity of the breach in question by measuring the total number of identities exposed to attackers.62
It should be noted that some sectors might need to comply with more stringent reporting requirements for data breaches than others. For instance, government organizations are more likely to report data breaches, either due to regulatory obligations or in conjunction with publicly accessible audits and performance reports.63 Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.
The education sector accounted for the highest number of known data breaches that could lead to identity theft, accounting for 20 percent of the total (figure 4). This was a decrease from 27 percent in 2008 when the education sector also ranked first.
57 http://arstechnica.com/security/news/2009/10/americans-fear-online-robberies-more-than-meatspace-muggings.ars
58 http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf
59 http://www.wired.com/threatlevel/2009/11/pos?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+index+3+%28top+Stories+2%29%29
60 http://www.encryptionreports.com/download/ponemon_COB_2009_US.pdf
61 Open Security Foundation (OSF) Dataloss DB, see http://datalossdb.org
62 An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach.
63 Please see http://www.privacyrights.org/fs/fs6a-facta.htm and http://www.cms.hhs.gov/HealthplansGeninfo/12_HipAA.asp