Archive for the “Breaches” Category

Robert Vamosi has a nice overview of two recent reports on his Defense in Depth blog, the first on data breaches and the second on identity theft. The interesting figures from both reports: 9/10 breaches could have been prevented by following best practices and 57% of identity thieves use the information to open new lines of credit (not too surprising).

A summary of the Verizon report on data breaches is available here while the entire report can be found here as a PDF. Likewise, a summary of the identity theft report can be found here and the full version here as a PDF.


Yesterday we reported on a breach involving 4.2 million credit card numbers at an unnamed retailer. Turns out the retailer is Hannaford Bros. grocery stores. The AP is reporting on the story but has little detail beyond what was available yesterday. Although this is not a breach at the TJX level, the compromise of 4.2 million customer credit card numbers is nothing to take lightly.


Just when it started to seem that 2008 was going to be a better year than 2007 for data breaches, the Massachusetts Banking Association is notifying its members of a major data breach at an unnamed retailer. Boston Business Journal is reporting on the breach. According to the article, between 60 and 70 banks have been contacted by Visa and Mastercard. As of this time the retailer involved has not been named, although this is sure to change very soon. This smells of last year’s well-documented TJX breach and subsequent fallout. It remains to be seen if this story will pick up steam like TJX did, but if the retailer is a well-known company it could well be TJX2. From the article:

“The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and it is urging consumers to monitor their accounts,” the statement said.

We will follow up on this story as more details emerge.


According to SC Magazine Australia, MTV experienced a breach compromising the confidential information of over 5,000 employees.

“…it appears an employee may have fallen victim to a social engineering trick that allowed a trojan to be installed on his or her machine.”

Interestingly, more and more breaches result from tactics that dupe unsuspecting employees with access to corporate credentials, as is the case with this latest breach.


Several blog posts and articles have come out lately that compile statistics on the cost of a breach and the probability of data loss. There is no shortage of these types of statistics, but they seem to be getting more granular and informative.

On the Data Auditing Blog there is a good two-part series authored by Prat Moghe, the founder of Tizor. In the first part of the series he compiles a report from an ITRC (Identity Theft Resource Center) press release on the number of losses. What’s impressive about Moghe’s work is that he not only cites the ITRC numbers but goes on to compare them against some of his own research and analysis based on information in the Attrition database. Here are two interesting snippets from the post:

  1. “They [ITRC] concluded that 2007 had 443 breaches with 127MM losses, vs. 315 breaches and 20MM losses in 2006. This means 40% growth in breaches between 2006 and 2007.”
  2. “It turns out that the average loss per moderate loss incident is roughly constant! Yes - across all three years - it is roughly 50,000 losses per incident. (Precisely, this loss was 55K (2005) vs. 50K (2006) vs. 45K (2007)).”

While it seems counter-intuitive, Moghe points out that there may even be a “loss constant” (i.e., what an enterprise can expect in terms of the number of losses per incident, based on the average over the past three years).
