
39 Breaches in 1st Half of 2010

Experts Predict More Attacks, Higher-Value Targets

Linda McGlasson, Managing Editor, Bank Information Security, June 28, 2010 - Already in the first six months of 2010, financial institutions have been involved with more than half the total data breaches they suffered in 2009 - and experts don't see the pace decreasing.

"I always say that our data base list is the tip of the iceberg," says Linda Foley of the Identity Theft Resource Center (ITRC), the organization that tracks data breaches.

Through June 25, there have been 325 reported data breaches so far in 2010 -- 39 of them involving financial services companies. The number of records reported taken thus far totals more than 8.3 million.

This means that in the first half of the year, there have already been more than half of the total 62 financial services industry-related breaches reported last year.


Good News, Bad News

The good news is that the financial services industry does not take the top spot for data breaches reported. Of all the breaches reported so far this year, only 11.1 percent involve financial services. The top three breached industries are:

* Business - 36 percent;
* Healthcare - 29.2 percent;
* Government, military - 16.9 percent.

At the bottom of the list is education, with only 7 percent of all breaches reported.

The increasing number of credit card-related breaches at businesses, retailers, hotels and restaurants is why the business sector is at the top of the list for breaches in the first half of the year, Foley says. "We're seeing a lot of retail, hotel and restaurants being hacked into somewhere between the point of sale and the card processing server," she says.

Foley attributes the rise in percentages of healthcare incidents to the recent enactment of federally-mandated breach reporting requirements. Increasingly, breaches are caused by hacking, insider theft, and a great deal of accidental loss, she adds -- especially in the healthcare industry, where missing laptops have increased in the first half of 2010.

The real number of breaches isn't known. In talking with security companies that handle data breach notifications for companies that have been breached, Foley hears that there are a lot more breaches out there that go unreported.

2010 Breach Trends

Unlike last year, there is no major "headline" breach such as the Heartland Payment Systems hack -- the biggest ever reported.

Still, security and privacy experts see data loss trends remaining at about the same rate as 2009. David Navetta, a partner at the InfoLaw Group, sees the continued targeting of credit cards by criminal elements. "This probably also means more ACH fraud and attempts to breach the security of online banking," says Navetta. He predicts there also will be many more social engineering-oriented attacks targeted "at social networks and individuals and companies that use them."

Larry Ponemon, president of Ponemon Research Institute, sees a continuing rise in healthcare breaches. Healthcare companies, including insurers, will see more data breaches because of new compliance requirements that demand greater vigilance and penalties for failing to properly notify breach victims, he says. "These new compliance requirements appear to have heightened privacy and data protection practices for healthcare providers and business associates."

Rick Kam, president and co-founder of ID Experts, a vendor that handles data breaches for companies that have been breached, says he is seeing a shift to new, more lucrative forms of ID theft and cyber crime. This includes medical ID theft and business ID theft. "Both forms of this crime have significantly more impact on the victims," Kam says. In the case of medical ID theft, health insurance numbers are compromised to provide access to healthcare services and prescription drugs. Business ID theft takes the form of spear phishing attacks on the CFOs of small and midsized companies to access corporate bank accounts, forge checks and steal intellectual property and trade secrets. "Many times we see the attacks reported as data breaches since state and federal notification laws require disclosure," Kam says.

More Attacks, High Value Targets

While there are fewer headline stories about financial institutions losing vast amounts of customer data, financial service companies are not experiencing any decrease in data breaches, says Ponemon. "My research suggests that financial institutions are particularly susceptible to automated agent attacks such as botnets, data-stealing malware and other advanced threats," he says, which means the economic impact, or cost of a data breach, is likely to increase for retail banks, credit card companies and other financial service businesses.

Kam says the scale of data losses continues to rise. "We've witnessed several large-scale breaches over the past few years (Heartland, Health Net, Express Scripts) where credit card, [health information], and other sensitive information was compromised," he says. Based on what Kam hears from law enforcement, cyber criminals are using sophisticated approaches to steal data and aggregate it to create more effective attacks. He thinks there will be more attacks on high-value targets that produce more losses this year than in 2009.