Insider activity overview for November

This is the InfoWatch analytical center’s first monthly report on information leaks, cases of sabotage, internal violations and other similar incidents. This is the first Russian project of its kind and gives not only a bird’s-eye view of insider threats, but also details each incident and assesses the damage caused.

At present, the InfoWatch incident database contains more than 500 cases of insider activity. This report, however, looks only at the incidents recorded for November 2006, a month in which we saw 17 separate incidents. These incidents were spread broadly both in terms of their geographical location and the extent of the damage they caused. The results are arranged in a single table, making the monthly picture easy to see. Each case has a short description and a damage assessment. Beneath the table you will find an analysis of the key tendencies over the past month.

№  | Incident | DB entry date (dd/mm/yy) | No. of victims | Financial damage
---|----------|--------------------------|----------------|-----------------
1  | From May to October 2006, 63,000 mobile phones, 4,973 laptops and 5,838 pocket computers were left in London taxis | 27/10/06 | 200,000* | $120,000*
2  | Between 2002 and 2006, the British Ministry of Transport suffered 8 confidential information leaks | 30/10/06 | 96 | $50,000*
3  | A laptop with Bank of America personal data was stolen | 1/11/06 | 40,000 account holders* | $8.6 million*
4  | Private patient information leaked from Allina following a laptop theft | 1/11/06 | 33,000 patients | $8 million
5  | Reservist data leak at Hampton Roads | 1/11/06 | 5,000 graduates | $1.3 million*
6  | Theft of a laptop with veterans' personal data from a New York hospital | 1/11/06 | 2,000 | $680,000*
7  | PC containing private details stolen from the offices of ACS | 2/10/06 | 1.4 million | $320 million*
8  | A laptop stolen from Starbucks offices | 3/11/06 | 60,000 employees | $22 million*
9  | Between 2004 and 2006, 17 laptops went missing from the British Department of Financial Services | 6/11/06 | 0 | $25,000
10 | A laptop with personal data went missing from the US university Hilb Rogal & Hobbs | 6/11/06 | 1,200 students | $150,000*
11 | Client database leak from Valuehost | 11/11/06 | 101,000 clients | $570,000*
12 | 3 laptops stolen from the accountancy company LogicaCMG | 16/11/06 | 15,000 policemen | $5 million*
13 | A computer stolen from the Florida transport ministry | 16/11/06 | 133,000 drivers and pilots | $30 million*
14 | Between 2002 and 2006, a group of insiders misused data to acquire real estate | 21/11/06 | approx. 500* | $12 million
15 | Between 2002 and 2006, 478 laptops were lost or stolen from the IRS | 21/11/06 | 4 to 7 million people* | up to $1 billion*
16 | A laptop was stolen from the Nationwide Building Society | 22/11/06 | up to 11 million | $1.5 billion*
17 | A student stole a laptop from Connors State College, US | 22/11/06 | 22,500 students | $2 million*

* The InfoWatch analytical center's estimate

Conclusions

Several conclusions can be drawn from this detailed analysis of November's incidents.

Firstly, the greatest harm was caused by the loss of mobile devices. This is not surprising: laptops are both portable and easy to lose, and the simple act of taking information outside an organization's perimeter is in itself a threat to its confidentiality. Mobile computers therefore require special care. Unfortunately, laptop owners are often careless about basic security measures, even omitting such things as access passwords and disk encryption, which are simple to implement and significantly improve data protection. In practice, the difference between a stolen laptop being a hardware loss and a data leak is whether the disk was encrypted with a key the thief does not have.

Secondly, several state organizations in the US and UK disclosed multiple leaks: between 2002 and 2006 the British Ministry of Transport had 8 leaks, and between 2004 and 2006 employees of the Department of Financial Services lost 17 laptops. America has fared no better over the same period: over the last 5 years the IRS either lost or had stolen 478 laptops. The InfoWatch analytical center estimates that up to 7 million people have already been harmed in some way by the loss of these laptops. Extrapolating from the existing statistics, around another 100 computers with unprotected information will be stolen in the coming year, and the theft of even one such laptop holding a database of confidential information can result in losses of tens of millions of dollars. Take the Florida transport ministry as an example: 133,000 drivers and pilots came under immediate threat of identity theft.

Thirdly, commercial enterprises were hit hardest. InfoWatch experts explain that history shows the cost of a tarnished reputation must be counted among the key negative consequences of a leak. For state organizations, however, the loss arising from customers going elsewhere is minimal. While it is true that the US revenue service has been seriously discredited by its constant leaks, do the people of America really have any choice but to deal with it? No. Come what may, American citizens will continue to fill out their tax returns and submit them to the IRS. This problem affects Russia as well: colossal data stores from literally every area of government (revenue, customs, internal affairs and others) regularly turn up in open circulation. But the State does not lose clients, since the people have no choice but to deal with it; no free-market principle operates here. With commercial organizations there is a choice: if you don't like it, you can shop elsewhere. Both state and commercial organizations do suffer the direct costs of dealing with the effects of a data leak: internal investigations, lawyers' fees, notification costs, contact with the press, and so on do not come cheap. But the loss of brand image will do a company far more damage than all of these combined.

The InfoWatch analytical center’s system of estimation

Loss estimates are calculated case by case according to a single method. The number of victims and the character of the lost data form the basis for the calculation, from which a preliminary loss is estimated. For example, some US states have a law requiring that all citizens be informed if their private data has been compromised by a leak, and the responsibility for such notification falls on the company that allowed the leak to occur. The average cost of notifying one victim is already known from published analyses. Next, the number of citizens likely to fall victim to fraudsters as a result of the leak is estimated. This number differs by country, by the professional sector in which the leak occurred, and by the scale of the leak, but it can usually be reckoned at between several tenths of one percent and several percent of the total number of people whose information was compromised. If some of the indicators are not fully known, average values are taken on the basis of a numerical or empirical evaluation by InfoWatch's analytical center. Once this loss has been calculated, the mitigating or aggravating factors of each case are applied. For example, for a commercial organization the damage caused by loss of brand image will be far greater than for a state educational institution. The opinion of the law enforcement agencies investigating an incident, and of experts on the ground, regarding the likely course of the case is also taken into account.

For the sake of clarity, we will look more closely at one case of stolen personal data; there is a suitable one in the table above. On the 8th of October, thieves broke into the car of a nurse and stole a laptop holding the personal information of 33,000 patients of Allina (the healthcare organization involved). Here we turn to the research publication 2006 Annual Study: Cost of a Data Breach. According to the Ponemon Institute, the direct costs of postal and telephone notification, internal investigation, lawyers' fees, etc. average around 54 USD per victim. In the case in hand, the direct costs therefore total 1,782,000 USD. Average indirect costs are around 30 USD per stolen personal record, so total indirect losses come to 990,000 USD. Then there is the matter of lost profit: the money the company will not see because existing customers leave and fewer new customers sign up. Each victim represents, on average, an additional 48 USD in lost profit. For 33,000 patients that is 1,584,000 USD, no mean sum. Adding these figures together gives a total of 4,356,000 USD. But we are not finished yet.

Allina representatives have already announced that the people whose data was on the stolen computer will receive a year's account monitoring free of charge. It is not yet clear which company will conduct the monitoring, but rates for this sort of service are in the region of 100 to 125 USD per person per year. At a mid-range rate this translates into roughly 3,700,000 USD in Allina's case. Adding the 4,356,000 USD in costs and lost profit gives a grand total of 8,056,000 USD.

This figure could be very different had Allina chosen not to cover the cost of monitoring. In the first place, lost profit would increase significantly: account monitoring is an expensive but effective measure that has a positive effect on customer relations, so far fewer customers go elsewhere. More importantly, had Allina not paid for monitoring, we would have had to add the losses suffered by private citizens through identity theft, which could have produced a figure much greater than the one above.
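The per-record method described in the estimation section, and the Allina calculation just worked through, implemented as an added example (this is illustrative code, not the InfoWatch analytical center's own tool). The per-record rates are the Ponemon figures quoted above; the 112 USD monitoring rate used to reproduce the page's 3,700,000 USD figure, and the churn uplift, fraud rate and loss per fraud victim in the no-monitoring scenario, are assumptions chosen for illustration:

```python
# Added example, not from the InfoWatch report: a breach-cost model that
# follows the page's per-record method and reproduces the Allina figures.
# Per-record rates are the Ponemon 2006 values quoted on the page; every
# value marked "assumed" is a placeholder for illustration only.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PerRecordRates:
    """Average cost per compromised record, USD (Ponemon Institute, 2006)."""
    direct: float = 54.0        # notification, internal investigation, legal fees
    indirect: float = 30.0      # staff time and other indirect costs
    lost_profit: float = 48.0   # customers leaving plus reduced new uptake


@dataclass(frozen=True)
class BreachEstimate:
    records: int
    direct: float
    indirect: float
    lost_profit: float
    monitoring: float       # account monitoring bought for the victims
    identity_theft: float   # downstream fraud losses when no monitoring is offered

    @property
    def operating_loss(self) -> float:
        """Direct and indirect costs plus lost profit, before victim remediation."""
        return self.direct + self.indirect + self.lost_profit

    @property
    def total(self) -> float:
        return self.operating_loss + self.monitoring + self.identity_theft


def estimate_breach_cost(
    records: int,
    rates: PerRecordRates = PerRecordRates(),
    monitoring_rate: Optional[float] = None,
    churn_uplift: float = 0.0,
    fraud_rate: float = 0.0,
    loss_per_fraud_victim: float = 0.0,
) -> BreachEstimate:
    """Apply the per-record method to one incident.

    monitoring_rate: yearly cost per person of account monitoring (USD), or
        None if the organisation does not offer it.
    churn_uplift: assumed multiplier on lost profit when no monitoring is
        offered (the page says churn rises but gives no figure).
    fraud_rate: fraction of victims expected to be defrauded; the page puts
        this between several tenths of a percent and several percent.
    loss_per_fraud_victim: assumed average loss per defrauded citizen (USD).
    """
    if records < 0:
        raise ValueError("record count cannot be negative")
    direct = records * rates.direct
    indirect = records * rates.indirect
    lost_profit = records * rates.lost_profit
    if monitoring_rate is not None:
        monitoring = records * monitoring_rate
        identity_theft = 0.0
    else:
        monitoring = 0.0
        lost_profit *= 1.0 + churn_uplift
        identity_theft = records * fraud_rate * loss_per_fraud_victim
    return BreachEstimate(records, direct, indirect, lost_profit, monitoring, identity_theft)


def monitoring_cost_range(records: int, low: float = 100.0, high: float = 125.0) -> Tuple[float, float]:
    """Monitoring outlay at the low and high ends of the quoted 100-125 USD/year rate."""
    return records * low, records * high


ALLINA_RECORDS = 33_000  # patients on the stolen laptop, from the table above


def allina_with_monitoring(rate: float = 112.0) -> BreachEstimate:
    """Allina's case with one year of monitoring. 112 USD/person is an assumed
    mid-range rate that lands close to the page's 3,700,000 USD monitoring figure."""
    return estimate_breach_cost(ALLINA_RECORDS, monitoring_rate=rate)


def allina_without_monitoring(
    churn_uplift: float = 0.5,                # assumed: lost profit rises by half
    fraud_rate: float = 0.02,                 # assumed: 2% of victims defrauded
    loss_per_fraud_victim: float = 5_000.0,   # assumed: average loss per fraud victim
) -> BreachEstimate:
    """Counterfactual in which Allina does not pay for monitoring (assumed inputs)."""
    return estimate_breach_cost(
        ALLINA_RECORDS,
        churn_uplift=churn_uplift,
        fraud_rate=fraud_rate,
        loss_per_fraud_victim=loss_per_fraud_victim,
    )


if __name__ == "__main__":
    with_mon = allina_with_monitoring()
    without = allina_without_monitoring()
    low, high = monitoring_cost_range(ALLINA_RECORDS)
    print(f"Operating loss:          {with_mon.operating_loss:,.0f} USD")
    print(f"Monitoring (100-125/yr): {low:,.0f} to {high:,.0f} USD")
    print(f"Total with monitoring:   {with_mon.total:,.0f} USD")
    print(f"Total without monitoring (assumed fraud inputs): {without.total:,.0f} USD")
```

The model keeps the two scenarios separate on purpose: when monitoring is bought, the organization's outlay is bounded by the per-person rate, whereas without it the open-ended term is the fraud loss borne by citizens, which is driven by the fraud rate and per-victim loss rather than by anything the organization controls. Changing those two assumed inputs is what moves the no-monitoring total above or below the monitored one.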

Clearly, the figures cited here will not match the facts on the ground in each and every case. But they give a good idea of the scale of the damage and generally correspond to reality.
