Chronology of Data Breaches 2006: Analysis

 


 
Analysis prepared by Beth Rosenberg
of Sandstorm.net

 
|  | Private Sector (incidents n=126) | Public Sector (inc. military) (incidents n=114) | Higher Education (incidents n=52) | Medical Centers (incidents n=30) |
|---|---|---|---|---|
| Outside Hackers | 15% | 13% | 52% | 3% |
| Insider Malfeasance | 10% | 5% | 2% | 20% |
| Human/Software Incompetence | 20% | 44% | 21% | 20% |
| Theft (non-laptop) | 15% | 17% | 17% | 17% |
| Laptop Theft | 40% | 21% | 20% | 40% |
 
Intra-Sector Incidents    
% affected private-sector companies in Fortune 100    
% affected private-sector companies in Fortune 500
9%
   
% US Federal agencies involved in public-sector breaches
23%
   
% US Military agencies involved in public-sector breaches
19%
   
 
Incidents Involving Laptops
n=119 (37%)
   
% laptop theft where laptops were stolen from offsite
55%
   
% laptop theft where data was described as "encrypted" or "password-protected"
6%
   
% cases resulting in conviction/returned laptops
6%
   
Minimum number of PII potentially compromised by laptop theft
30,475,950
   
 
Incident Response    
Number and % incidents with "unknown" data losses, in addition to the 100,400,000+ reported
n=80, 23%
   
Total number and % incidents where delta between incident and notification was reported
n=119, 37%
   
Mean/median of delta (in days)
44/21
   
# and % organizations unwilling or unable to produce "hard numbers" of records affected (slightly different than #21 above)
n=90, 28%
   
 
Web Site Mistakes    
Number and % incidents in which PIIs were inadvertently posted to a publicly viewable Web site
n=28, 9%
   
Minimum number of PII compromised
1,240,572
   
% Web-based incidents in which an "unknown" number of PII were exposed
36%
   
% Web-based incidents in which offending data has reportedly been taken down
60%
   
% in which offending organization has refused to remove or modify data
7%
   
 
Total Number 2006 Reported Data Breach Incidents
327
   
Approximate Minimum Total # of PII Potentially Compromised in 2006
100,453,730
   
# Data-Breach Identity Thieves Sentenced in 2006
5
   
# Individual Victims of Sentenced Identity Thieves
238