Global Study of Information Leaks in 2008


The InfoWatch Analytical Center has summarized last year’s results and is presenting the next in a series of global studies of internal information security incidents. The purpose of this project is to analyze all confidential information leaks (including those containing personal data) which have been reported in the mass media over the past year. We analyzed incidents throughout the world in the public and private sectors. Back in 2004, the InfoWatch Center started creating its database of reported incidents. To date, this database contains several thousand entries. We based our study on the information collected in this database. During 2008, 530 new entries were added, a substantially higher number than in the previous year. Our company, in making every effort to gather all relevant facts, constantly expands its sources of information. However, the increase in the number of entries has also been observed in other similar databases. Therefore, the first conclusion we can draw from this information is that public awareness of confidential information leaks (especially of personal data) has increased.

WHERE THESE LEAKS OCCUR

Figure 1 shows the distribution of all reported incidents by type of organization.

Government bodies: 104 (19.6%)
Business enterprises: 296 (55.8%)
Non-government organizations and educational institutions: 127 (24.0%)
(not identified): 3 (0.6%)

In comparison to 2007, this distribution has remained remarkably stable. The percentages have changed by no more than 1-2 points from the previous year, which makes them fall within the boundaries of statistical error. This past year, compared to the one preceding it, we have seen a slight decline in the share of leaks coming from government offices, which can be explained by an increasing number of other non-government enterprises which process personal data. So we can assume that the growth of leakages in the public sector has been stopped. If we study deliberate and accidental leakages separately, their distribution by type of organization remains similar; these differences also fall within the boundaries of statistical error. Here we can conclude that there was no correlation between the deliberate attacks and the type of organization, and no corresponding marginal distribution may be implied.

MALICE OR ACCIDENT

Figure 2 shows the percentage of deliberate and accidental incidents.

Deliberate: 241 (45.5%)
Accidental: 223 (42.1%)
(not identified): 66 (12.5%)

In comparison to 2007, a significant increase in the number of intentional leakages can be observed, from 29% to 45%. This is bearing in mind that in 2007 we did not have a “not identified” category. Therefore, the real growth of intentional leakages could be even greater. There are two primary reasons for this growth. First of all, fully functional DLP (Data Loss Prevention) systems have been fully or partially implemented. These are very effective in protecting data from accidental and intentional leakages. Second, both the value and the liquidity of personal data are growing. The “identity theft” business is now in full swing; this criminal activity, thanks to the relatively simple way information can be accessed, is attracting more and more participants. The range of potential victims is constantly expanding as well, due to the introduction of new ways to provide services and the geographic expansion of these services. For example, in Russia a person used to have to present a passport when paying by credit card; now this practice has been fully abandoned, with the exception of some small isolated villages. To obtain a loan, one still needs to appear in person and must provide one or two pieces of personal identification. But already there have been attempts by some banks to grant loans in absentia, while in the West this has been standard practice for years. In short, more and more countries and sectors are creating conditions where “identity theft” can occur. Therefore, personal data is increasing in value, and accordingly, so are the temptations to steal it. Yet the careless practices of employees remain at the same level as before or can even become worse, unless they are informed about the risks of “identity theft” and the legal requirements to protect confidential information.

Presented in Figure 3 is the distribution of leakages by type of information leaked. Commercial secrets and know-how (manufacturing secrets) are combined into the same category, as in most countries they are one and the same.

Personal data: 517 (97.5%)
Commercial secret, know-how: 4 (0.8%)
State secret: 5 (0.9%)
(not identified): 4 (0.8%)


Reports in the mass media on the loss or disclosure of personal data drown out all other leakage reports. There were more reports on the leakage of state secrets in this reporting year than in the previous year (5 to 1), but this is hardly noticeable on the diagram because of the large increase in the number of personal data leakage reports. As the previous reports have already established, personal data is the ‘issue of the day,’ and information about such leakages evokes greater attention and outrage. Problems with commercial secret thefts have been prevalent for a long time, though the media writes only about the largest or most scandalous leakages. As for personal data, this was not subject to protection before. The International Convention for its protection was only signed in 1981, and practical measures started being implemented even later than that. The phenomenon of “identity theft” appeared only in the 1990s, and gained popularity only in the 21st century. It is no wonder that everyone is particularly interested in and concerned about this latest “human right.” On the other hand, reports about leakages of personal data often appear in the mass media mostly as a result of US legislation. In most American states, when any leakage of information occurs (even if the eventual misuse of the missing personal data is unclear), the holder of this information is obliged to notify all potential victims of the leakage. This type of mass mailing, and especially a notification via a Web site, becomes easy prey for local newspapers, from which analysts collect this information. Such notifications almost always lead to public disclosure of the leakage.

Currently, similar legislation is being prepared in Britain, where we can soon expect growth in the number of reports. But so far the leader in the absolute and relative number of leakages is the USA.

LEAKAGE PATHS

In this section we discuss the statistics of the carriers through which leakages occur. It is important to know which channels are used, and then to block them. So which channels are most important to watch, and which ones can wait for later attention?

Laptop or other portable computer: 103 (19.4%)
Other portable data carrier (CD, DVD, USB thumb drive): 30 (5.7%)
Network: 124 (23.4%)
Desktop computer or server: 40 (7.5%)
Paper record: 28 (5.3%)
Archive carrier: 17 (3.2%)
Other: 15 (2.8%)
(not identified): 173 (32.6%)

As we can see from the chart above, the main leakage channels are the Internet and portable devices. The first channel includes all file archives on Web sites, e-mail, ICQ etc. As compared to last year the proportion of leaks from the Internet has decreased from 25% to 21%. The second channel consists of data leakage that results from the loss or theft of portable computers or other devices, such as USB flash drives, CDs/DVDs, hard drives, and so on. The percentage of leakages via portable carriers and laptops (these two categories can be combined) has significantly declined—from 39% down to 25%. Portable devices used for archiving and paper documents are highly susceptible to leaks and computers with confidential data are often stolen. The “not identified” category, where the carrier is not known, has shown the greatest growth—from 12% to 32%. Unfortunately, the increase in the amount of information inevitably reduces its quality. Many of the reports on these incidents are written without the necessary amount of detail; however, we cannot completely disregard this data, incomplete though it may be. Other categories have changed only slightly in comparison to the previous year. It is interesting to see the difference between accidental and deliberate leakages. Let us build similar distributions for these two categories (see Figure 5).

Deliberate

Laptop or other portable computer: 37
Other portable data carrier (CD, DVD, USB flash drive): 5
Network (except for electronic mail): 48
Desktop computer or server: 16
Electronic mail and Fax: 0
Paper record: 2
Archive carrier: 0
Other: 12
(not identified): 121

Accidental

Laptop or other portable computer: 40
Other portable data carrier (CD, DVD, USB flash drive): 21
Network: 67
Desktop computer or server: 17
Paper record: 21
Archive carrier: 11
Other: 3
(not identified): 43

As you can see, the difference between the breakdown of accidental and deliberate leakages is very significant.

First of all, our attention is drawn to the complete absence of two types of media in the “deliberate” diagram: e-mail and archive tapes. E-mail is easier to monitor than other channels (it has a simple protocol and several “transfer hubs” and is insensitive to delays), and one can easily arrange censorship even without using specialized software. The intruder usually takes this into account. With regard to the lack of malicious acts using backup media, we can only hypothesize that organizations did a good job of ensuring backup copies were well hidden or even encrypted. Another possibility may be that such breaches simply went unnoticed. Paper documents are also rarely found in the reports of deliberate information theft. Much more often they are inadvertently lost or carelessly thrown into the wastebasket, to be taken out later by a journalist or social activist.

Secondly, the “not identified” category primarily concerns intentional leakages. Here the phrase should be taken quite literally: the investigation (so far) has not been able to determine how the violations were committed. For accidental leakages, the gray sector on the diagram usually means that the relevant details were omitted from the mass media reports. Also, the “other” category combines mostly deliberate leakages. This category mainly includes cases where an authorized employee walks out with confidential information in his own head.

Thirdly, it should be noted that portable information media like USB flash drives are accidentally lost more often than maliciously stolen. If your organization uses such drives, you must take measures to prevent their inadvertent loss.

Compulsory encryption of portable carriers protects from both kinds of leakages. (By way of note, if the information on a lost carrier has been encrypted — not just “password protected” — then the case is not even considered an incident, does not require notification of the authorities, and thus does not get into our records.) From a comparison of the two diagrams we can conclude that the protection of e-mail, printer, backup, and portable carriers is meant mainly for preventing accidental — i.e., unintended — actions and the mistakes of personnel.

GEOGRAPHIC DISTRIBUTION OF LEAKS

The data below reflects not so much the distribution of leaks which have occurred in various countries, but rather their being made public. In the USA, publishing information on personal data leakage is mandatory by law. The United Kingdom is planning to enact similar legislation. In the UK, just like in ideologically similar Canada, where all organizations are very careful in protecting personal information, the degree of urgency for privacy protection legislation has not been felt yet.

In comparing the specific number of leaks in the US with those of other countries, it is possible to conclude that other nations experience a higher rate of unreported leakages; the organizations themselves may also be ignorant of incidents.

Country            Number of leaks   Share     Leaks per million inhabitants
USA                423               79.81%    1.444
Great Britain      54                10.19%    0.896
Ireland            4                 0.75%     0.667
Canada             10                1.89%     0.308
Norway             1                 0.19%     0.208
Australia          3                 0.57%     0.151
Germany            7                 1.32%     0.085
Korea              4                 0.75%     0.082
Chile              1                 0.19%     0.064
Russia             6                 1.13%     0.042
Italy              2                 0.38%     0.034
Poland             1                 0.19%     0.026
France             1                 0.19%     0.017
China              3                 0.57%     0.002
India              2                 0.38%     0.002
(not identified)   3                 0.57%

We should note the integrity of the data. Previously the highest rate which was registered was 1 leak per million inhabitants each year. This rate has now increased to 1.4. We believe that if we use additional sources of information the data will reflect the real situation even more.

A significant portion of confidential information leakages are hidden from public knowledge, especially when they occur within just one organization. When multiple organizations become involved, there is a tendency to try and shift responsibility for the leak to someone else, and as a result, the facts are more likely to be made public.

MAJOR LEAKS

Here we list some of the most significant information leakages which came to light in 2008 — i.e., the largest ones or those that affected the most sensitive information. In terms of the quantity of personal data affected, we can see that it was proportional to the overall population in each country.

The personal information of 21 million German citizens became available on the black market. Journalists were offered a huge database of information for 12 million euros. This database contained names, addresses, phone numbers, dates of birth, and bank account numbers. This data was most likely stolen from a call center at one of the major banks.

“Deutsche Telekom” lost 17 million files. The stolen customer database was stored on the backup media of the company, and included names, addresses, mobile phone numbers, dates of birth, as well as e-mail addresses. The company stated that the database did not contain any personal financial information.

In Britain, “flash” memory cards containing sensitive data (usernames and passwords for the government computer system) were discovered in a parking lot. These memory cards would have allowed anyone to gain access to the personal information of 12 million people.

The Korean police arrested four people, charging them with the theft of personal information on 11 million people. The information was stolen from the “GS Caltex” company, and two of those arrested were employees of the company. One of the accused had authorized access to the database by virtue of his official position, and criminals were able to copy data he provided and then tried selling it on the black market.

The Italian Government, in an impulsive attempt to “increase government transparency,” published the names, addresses, and income and tax status information of all Italian citizens. But these were all removed from the site within 24 hours of publication after a complaint was lodged by the Italian organization responsible for the protection of personal privacy.

India’s largest reported incident was the theft of confidential data containing information on 8.5 million people. The owner of an outsourcing business was accused of stealing confidential information from his clients, large American companies. He sold this database to the competitors of his clients.

Unidentified hackers broke into the server of the American “Best Western Hotel Group” and stole detailed personal information (including bank card information) of 8 million customers of the hotel chain. The media immediately tried to lay blame for this crime on Indian hackers working with the Russian mafia.

One hacker was able to steal information about 6 million citizens of Chile and then published it on the Internet. This data was stolen from the servers of the Ministry of Education and included identification numbers, telephone numbers, home and e-mail addresses, as well as educational information of citizens.

The “CheckFree” billing company was forced to admit that it had lost personal information on 5 million of its customers and had to compensate them for the financial monitoring expenses incurred. Criminals were able to switch DNS addresses of the company’s servers and thus redirect visitors to a spoofed website. In a span of 9 hours they were able to gather information about bank cards and banking transactions of the company’s clients.

A company working for the Bank of New York Mellon lost a backup tape that contained social security numbers and bank accounts of 4.5 million clients.

If we look at the total amount of personal data files that were stolen or leaked during the year, which comes to tens of millions of files, and add to them the small leakages of 1, 2 or 3 records, the average leakage ends up being 336,000 records.

CONCLUSIONS

The confidentiality of information, and especially personal data, is still a vital issue, even in countries where identity theft is more difficult to achieve, like Russia. And among the efforts made to secure this information are the implementation of DLP systems and the mandatory reporting of infractions to the victims of leakages.

The amount of personal data in circulation on the black market in developed countries is proportional to the total population of those countries. Everyone faces the possibility of falling victim to this type of crime, as the confidentiality of personal data cannot be one hundred percent guaranteed. However, there have been good procedures developed to combat the effects of such leakages, and minimize the damage they create. The main data leakage channels are networks and portable carriers. These two channels are successfully protected by the existing DLP solutions: the first one by implementing outgoing traffic content filters on the gateway, the second one by implementing several tools that control the connection of external devices and compulsory encryption of portable devices and laptops in case of their loss or theft. State regulations in this area are being developed in order to combat the impact of leaked information. The fundamental way to achieve this is to inform potential victims and ask them to closely monitor their financial activities.