Hacking Becomes the Main Cause of Data Breaches

A recent study conducted by the Identity Theft Resource Center (ITRC) indicates that the main cause of data breaches is not the loss of devices, but hackers breaking into networks to steal the valuable data held there.

The ITRC assessed the 419 reported data breaches from 2011 to determine the most common causes of data exposure and loss. The results of the survey should help HIPAA-covered entities divert resources to deal with the biggest threats to data security.

All of the known details of the 419 security breaches were assessed when compiling the report. The main method used by criminals across all industries was card-skimming attacks, which were at an all-time high. 26% of all data breaches were attributed to this method of attack, but the majority of attacks took place on non-financial businesses such as retailers, accounting for the high proportion of attacks using this method.

The transportation or transmission of data was also a major cause. When data is on the move, it is easier for criminals to access. 18% of data breaches occurred when data was in transit, such as on portable storage devices, laptop computers, memory sticks or paper files. Insider theft caused 13% of data breaches. For the purposes of this study, hacking was defined as “a targeted intrusion into a data network.”

The 419 incidents exposed an estimated 22.9 million records, and 81% of malicious attacks exposed Social Security numbers. Overall, malicious attacks, including insider theft of data, accounted for 40% of all reported data breaches, while accidental disclosure of information caused 20% of breaches.

The healthcare industry was not the hardest hit in 2011, with that honor going to the government and armed services, which accounted for 44% of breach victims. Healthcare was third with 16%, behind non-financial businesses at 33%. Hackers are currently targeting non-financial businesses due to the poor level of data protection in place, with that sector accounting for 17% of all breaches, while 2% of hacking incidents affected the healthcare industry.

There is a considerable margin of error in these figures as only 52% of breach reports actually detailed the number of records that were exposed. The figure is undoubtedly considerably higher in industries without mandatory reporting requirements covering the number of breach victims.

The study only included data breaches which exposed particularly sensitive information such as driver’s license numbers, Social Security numbers, medical insurance IDs, bank account details and credit card numbers. Personally Identifiable Information, which can be used to commit identity theft, was not included in the statistics if no sensitive information was exposed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.