16 July 2014

US Data Breach Metrics

The 24-page report Information Exposed: Historical Examination of Data Breaches in New York State [PDF], from the state Attorney General's office, drew on mandatory reporting to offer some metrics on data breaches in the US.

A corresponding tabulation and analysis by government in Australia would be welcome.

The Attorney General comments that
the number of reported data security breaches in New York more than tripled between 2006 and 2013. As a result, in just eight years, the number of victims in New York has exploded. Over 22 million personal records have been exposed since 2006, jeopardizing the financial health and well-being of countless New Yorkers and costing the public and private sectors in New York — and around the world — billions of dollars. … 
Nearly 5,000 individual data breaches were reported to the NYAG by businesses, nonprofits, and government entities between 2006 and 2013. Together, these breaches exposed 22.8 million personal records of New Yorkers. The number of data security breaches reported annually to the NYAG more than tripled between 2006 and 2013 – and 2013 was a record-setting year, during which 7.3 million records of New Yorkers were exposed. So-called mega-breaches are also becoming increasingly common: Five of the ten largest breaches reported to the NYAG have occurred since 2011. 
In 2013, data breaches cost entities conducting business in New York upward of $1.37 billion. The overall cost of data security breaches is nothing short of staggering: In 2013 alone, breaches are estimated to have cost organizations doing business in New York State over $1.37 billion. Hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches among organizations conducting business in New York State, accounting for roughly 40 percent of all breaches between 2006 and 2013. Hacking attacks are driven primarily by the black-market value of personal information, which can fetch up to $45 per record. Reports of insider wrongdoing and inadvertent exposure have increased over the past eight years, with incidents of insider wrongdoing reaching their highest level in 2013. Although instances of lost or stolen equipment/documentation declined in recent years, these incidents are responsible for a significant portion of data breaches and personal record loss since 2006.
Among other statistics, the report claims that the 'retail services' sector was most likely to experience (or report?) a data breach, with estimated exposure as follows:
Retail Services (54 reported breaches) - 163,319 people
Financial Services (31) - 624,000
Health Care (29) - 1,012,269
Banking (27) - 560,208
Insurance (20) - 72,138
Professional Services (16) - 788,280
Educational Inst. (15) - 103,787
Government Agency (14) - 86,548
Loan Services (9) - 133,866
Hospitality (8) - 16,091
Technology (7) - 13,195
Telecommunications (4) - 80,963
Credit Reporting (3) - 3,120
Credit Card Company (2) - 237,296
Nonprofit (1) - 507
Public Utility (1) - 50,456