Journalists obtaining phone data

Interesting article on a phone “hacking” scandal. From what I can tell this was a case of widespread insider attacks and no “hacking” was involved.

http://www.guardian.co.uk/media/2011/jul/21/phone-hacking-operation-motorman-files

Interesting quotes:

Research by the lobbyists Big Brother Watch shows that between 2007 and 2010, 904 police officers and staff across Britain were subject to internal disciplinary offences for breaches of the Data Protection Act, which governs access to personal information. Of these cases, only 98 led to the dismissal of the person involved.

….

The offences include incidents where staff accessed sensitive information with the intent of passing it to third parties, as well as staff browsing material for personal interest. The records include 137 gross violations, defined as “serious breach of contractual terms … which makes any further working relationship and trust impossible”. Only 27 staff lost their jobs.

Google employee fired for looking at private data

Another incident of an employee being fired for looking at customers’ private data, this time at Google.

ITRC data theft report

The Identity Theft Resource Center (ITRC) released their Data Breaches report for 2009. They analyzed 498 breaches which resulted in approximately 222 million compromised records.

The main highlights are:

  • paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far
  • malicious attacks have surpassed human error for the first time in three years
  • out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

. . . .

The ITRC Breach Report also monitors how breaches occur. ITRC Breach Report – By Attribute. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Some additional interesting facts from the report:

  • In 2009 insider thefts account for 16.9% of breaches. In 2007 insider thefts accounted for 6.1% of breaches.
  • Insider thefts may have accounted for 16.9% of breaches, but they accounted for only 0.1% of compromised records. The majority of those records came from the Business and Government/Military sectors.
  • Paper (physical pieces of paper) breaches accounted for 26% of all breaches in 2009. However, paper breaches only accounted for just under 200,000 compromised records vs. 222 million electronic records compromised.