| Private Sector (incidents n=126) | Public Sector (inc. military) (incidents n=114) | Higher Education (incidents n=52) | Medical Centers (incidents n=30) |
Outside Hackers | 15% | 13% | 52% | 3% |
Insider Malfeasance | 10% | 5% | 2% | 20% |
Human/Software Incompetence | 20% | 44% | 21% | 20% |
Theft (non-laptop) | 15% | 17% | 17% | 17% |
Laptop Theft | 40% | 21% | 20% | 40% |
|
Intra-Sector Incidents | | | | |
% affected private-sector companies in Fortune 100 | | | | |
% affected private-sector companies in Fortune 500 | 9% | | | |
% US Federal agencies involved in public-sector breaches | 23% | | | |
% US Military agencies involved in public-sector breaches | 19% | | | |
|
Incidents Involving Laptops | n=119 (37%) | | | |
% laptop theft where laptops were stolen from offsite | 55% | | | |
% laptop theft where data was described as "encrypted" or "password-protected" | 6% | | | |
% cases resulting in conviction/returned laptops | 6% | | | |
Minimum number of PII potentially compromised by laptop theft | 30,475,950 | | | |
|
Incident Response | | | | |
Number and % incidents with "unknown" data losses, in addition to the 100,400,000+ reported | n=80, 23% | | | |
Total number and % incidents where delta between incident and notification was reported | n=119, 37% | | | |
Mean/median of delta (in days) | 44/21 | | | |
# and % organizations unwilling or unable to produce "hard numbers" of records affected (slightly different than #21 above) | n=90, 28% | | | |
|
Web Site Mistakes | | | | |
Number and % incidents in which PIIs were inadvertently posted to a publicly viewable Web site | n=28, 9% | | | |
Minimum number of PII compromised | 1,240,572 | | | |
% Web-based incidents in which an "unknown" number of PII were exposed | 36% | | | |
% Web-based incidents in which offending data has reportedly been taken down | 60% | | | |
% in which offending organization has refused to remove or modify data | 7% | | | |
|
Total Number 2006 Reported Data Breach Incidents | 327 | | | |
Approximate Minimum Total # of PII Potentially Compromised in 2006 | 100,453,730 | | | |
# Data-Breach Identity Thieves Sentenced in 2006 | 5 | | | |
# Individual Victims of Sentenced Identity Thieves | 238 | | | |