Chronology of Data Breaches 2006: Analysis

Analysis prepared by Beth Rosenberg
of Sandstorm.net

	Private Sector (incidents n=126)	Public Sector (inc. military) (incidents n=114)	Higher Education (incidents n=52)	Medical Centers (incidents n=30)
Outside Hackers	15%	13%	52%	3%
Insider Malfeasance	10%	5%	2%	20%
Human/Software Incompetence	20%	44%	21%	20%
Theft (non-laptop)	15%	17%	17%	17%
Laptop Theft	40%	21%	20%	40%

Intra-Sector Incidents
% affected private-sector companies in Fortune 100
% affected private-sector companies in Fortune 500	9%
% US Federal agencies involved in public-sector breaches	23%
% US US Military agencies involved in public-sector breaches	19%

Incidents Involving Laptops	n=119 (37%)
% laptop theft where laptops were stolen from offsite	55%
% laptop theft where data was described as "encrypted" or "password-protected"	6%
% cases resulting in conviction/returned laptops	6%
Minimum number of PII potentially compromised by laptop theft	30,475,950

Incident Response
Number and % incidents with "unknown" data losses, in addition to the 100,400,000+ reported	n=80, 23%
Total number and % incidents where delta between incident and notification was reported	n=119, 37%
Mean/median of delta (in days)	44/21
# and % organizations unwilling or unable to produce "hard numbers" of records affected (slightly different than #21 above)	n=90, 28%

Web Site Mistakes
Number and % incidents in which PIIs were inadvertently posted to a publicly viewable Web site	n=28, 9%
Minimum number of PII compromised	1,240,572
% Web-based incidents in which an "unknown" number of PII were exposed	36%
% Web-based incidents in which offending data has reportedly been taken down	60%
% in which offending organization has refused to remove or modify data	7%

Total Number 2006 Reported Data Breach Incidents	327
Approximate Minimum Total # of PII Potentially Compromised in 2006	100,453,730
# Data-Breach Identity Thieves Sentenced in 2006	5
# Individual Victims of Sentenced Identity Thieves	238

Related Posts