To follow up on my curiosity about what kind of year 2010 is turning out to be, I decided to use a primary source. Thanks to the cooperation of officials in Maine who responded promptly to my requests under Freedom of Information, I was able to obtain data on all breaches reported to them for this calendar year to date.
As background: Maine’s statutes require notification of breaches involving electronic data and use an “unauthorized acquisition” standard. Although financial institutions experiencing breaches are required to report to the state, the statute only applies to state-chartered banks and credit unions; Maine has approximately 30 state-chartered banks. Breaches are reported to one of four state bureaus: Consumer Protection, Insurance, Financial Regulation, or Securities. There is no exemption for health care or HIPAA-covered entities, and health care insurers report breaches to the Insurance bureau.
General Findings
Maine has received information on at least 93 breaches so far this year. In stark contrast to the recent Verizon report indicating that financial sector breaches accounted for over 90% of compromised records and 33% of all breaches in the merged Verizon-USSS dataset, there have been no reports from banks or credit unions in Maine so far this year. Although that may sound surprising, it is less surprising in light of last year’s figures: the state received only 2 reports from banks for the whole year. Of course, this doesn’t mean that there haven’t been any breaches affecting the financial sector, merely that there have been no reports from covered banks. The Securities bureau has received 3 reports so far this year, two of which were also submitted to Consumer Protection. The Insurance bureau has received 4 reports so far this year. The vast majority of the breach reports were submitted to the Consumer Protection Bureau.
Of the reported breaches, 58 of the incidents had previously been noted on DataBreaches.net or PHIprivacy.net, although for many of them, there were — and continue to be — no individual breach reports with sufficient details. Table 1 (pdf) summarizes these breach incidents with links to both the report to Maine and its previous coverage or note on my sites.
Table 2 (pdf) summarizes the 35 breach reports received by Maine this year that were never reported in the media or on this site before. While a few of the breaches in Table 2 might have affected a large number of individuals, the totals were not reported and there was insufficient data to perform certain analyses. Entities named in the 35 new incident reports included: Ameriprise Financial, Association of American Medical Colleges, Circle Graphics, CTi, Erikson’s Institute, FedComp, Frontier Insurance, Fujitsu America, H&R Block, Herzing Online University, Integrity Applications, InterMedia Outdoors, National Treasury Employees Union, Olive Garden, Pines Health Services, PureStyle Girlfriend, SportDOG, Time Inc., UniFund, USAA Federal Savings Bank, and Vance Gray Wealth Management.
Some observations on the 93 breaches reported to Maine since the beginning of this year:
- 47 incidents were reported as HACKS (51%). Four of these specifically cited malware, but information/details were not available for many of the hacking incidents.
- 10 incidents involved LOST/MISSING devices or records (11%). Of these, three involved loss by an employee, while the other 7 involved loss by carriers or third parties.
- 14 involved THEFT (15%). These included two incidents where laptops were stolen from vehicles, eight incidents of thefts from the organization’s offices, two thefts off-site, one theft from a field representative’s office, and one theft where the location was not reported.
- 14 incidents involved a Subcontractor, Affiliate, or Carrier (15%). Of these, 8 involved lost/missing incidents, 1 involved a burglary, 2 involved printing errors, and 3 involved employee misconduct.
- 7 incidents involved EMPLOYEE MISCONDUCT (8%). Four of these involved employees of the organization, while 3 involved employees of affiliates or vendors.
- 10 other incidents involved EMPLOYEE ERROR resulting in exposure (11%). These incidents included web exposure, accidental attachment of sensitive information to e-mails, etc. They do not include the 3 incidents where employees lost information; if those were included, the non-malicious employee error category would account for 14% of all reports. When employee misconduct, error, and loss are combined, employee involvement was identified in 22% of reports. Because no details were provided for many of the hack/compromised-system reports, employee involvement in those cannot be ruled out, so the 22% may be an underestimate.
- The Financial Services sector reported 17 incidents (18%). This appears significantly less than what we might expect based on the Verizon and Digital Forensic studies.
- Businesses and Retail accounted for 57 incidents (61%), which is consistent with the studies’ findings. Of that figure, the Hospitality subsector had 18 incidents (19% of all breach reports). The hospitality sector represents a smaller percentage than I would have expected based on a Trustwave report and the two new studies.
Because there was so much information missing, it did not make sense to try to analyze records exposed or compromised.
Copies of the breach reports provided by Maine are being sent to the Open Security Foundation for the Primary Sources project, so they should all become available on their site as well as this one.