DataBreaches.Net


Breaches: Study Shows Over 806.2 Million Records Disclosed, Estimated Cost of $156.7 Billion

Posted on September 8, 2011 by Dissent

I’m still playing catch-up with everything I missed thanks to NatGrid’s profound incompetence in restoring power after a tropical storm knocked us offline. Here’s a press release I had missed:

The Digital Forensics Association announces the release of their second annual data breach report. “The Leaking Vault 2011- Six Years of Data Breaches” analyzes 3,765 data loss incidents, with a known disclosure of 806.2 million records.

Organizations seem to be in the news on a daily basis for disclosing data inappropriately. Hundreds of millions of people’s personal private information has been lost, stolen or otherwise shared with unauthorized parties. The problem of data breaches is one that potentially impacts the economic health of the victim organizations, upstream or downstream partners, and the data subjects who face direct financial consequences.

Key findings include:

The Leaking Vault 2011 presents data gathered from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.

This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 people’s records per day/15,000 records per hour every single day for the past six years.

The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. This figure does not include the costs that the organizations downstream or upstream may incur, nor that of the data subject victims. Further, it is a low estimate of the cost, due to the fact that 35% of the incidents did not name a figure for records lost.

The Laptop vector remains the leader in incidents, but the Documents vector (printed material) is fast growing and demonstrates the need to manage both electronic data assets as well as printed documents. This vector has been trending upward for several years and is a potential contender for the incident leader if it continues.

The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study. The Drive/Media vector is in second place with the Web vector in third.

Outsiders continue to pose the largest risk in terms of both incidents and records disclosed. When the threat actor is an insider, the incident is significantly more likely to be accidental in nature. While accidental incidents are more prevalent, they also cause the most harm of the insider incidents in terms of records disclosed.

In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number. In contrast, only 15% of the incidents disclosed Credit Card Numbers, and 16% disclosed medical information. Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report. The two vectors most likely to show criminal use were the Fraud-SE and Hack vectors.

A complete copy of “The Leaking Vault 2011- Six Years of Data Breaches” is available at: http://dfa.squarespace.com/storage/The_Leaking_Vault_2011-Six_Years_of_Data_Breaches.pdf

A quick perusal of the report indicates that its analyses are based on data collected by the Open Security Foundation DataLossDB.org project, the Privacy Rights Clearinghouse, and the Identity Theft Resource Center. This blog, my companion blog for healthcare sector breaches (phiprivacy.net) and I fuel all three of those sources – PRC and ITRC rely heavily on my blogs and I’m a moderator/curator for DLDB. If you’d like to conduct your own analyses of the more than 4,500 breaches in DLDB, contact OSF for licensing arrangements and use.

In the meantime, if you know of a breach I’ve missed – which becomes increasingly likely these days given all the hacks and leaks – please do let me know by email to breaches[at]databreaches.net or tweet it to @pogowasright. Thanks!

Category: Commentaries and Analyses
