SANS ISC: Tracking Publicly-Announced Data Breaches

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Prioritizing IT spending is hard. Increasing awareness for IT security risks among executive managers is not any easier. Breach notification laws, which have recently been enacted by many states in the US, help on both accounts.

In a nutshell, the laws require companies that suffered a breach of sensitive customer information to notify the affected individuals. This is one of the reasons we have been hearing so many announcements of such incidents. It's not that data wasn't being compromised earlier; it's just that now there are legal obligations for making the breached public.

Knowing the circumstances of publicly-announced breaches can help you identify and mitigate similar risks in your organization. An ISC reader wrote to us about one such situation, where he was asked to research incidents where a backup tape lost in transit resulted in a breach that led to identity fraud.

Although it's difficult to link  breaches to confirmed cases of identity fraud--such details are rarely made public--here are a few ways you can keep track of announced data breaches.

• Attrition.org maintains a Data Loss Archive and Database, which records many potential instances of data breaches. The information is available as an RSS feed and in a CSV file.
• Privacy Rights Clearing house maintains a list of data breaches, sorted in chronological order for 2005, 2006 and 2007.
• About.com compiled a list that includes a number of data breaches announced in 2006 and 2007.

If you would like to know which US states have enacted breach notification laws, take a look at the detailed list maintained by the University of Georgia; it was last updated on October 1, 2006. Another list, updated on January 9, 2007, is maintained by National Conference of State Legislatures.

Here are a few more data points related to data breaches, which you may want to add to your arsenal:

• According to the 2006 Annual Study: Cost of a Data Breach, conducted by The Ponemon Institute and sponsored by PGP Corporation and Vontu, the cost of responding to a data breach "averaged $182 per lost customer record." "The average total cost per reporting company was $4.8 million per breach and ranged from $226,000 to $22 million."
•  A study of announced data breaches, conducted by Phil Howard and Kris Erickson at the University of Washington, found that almost 1.8 billion records were compromised from year 2000 to 2006. A draft of the paper is available for download and includes lots of other interesting details.
  

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com