Archive for August, 2012

Accused LulzSec Hackers Attended College Together

Two men who’ve been arrested on charges that they hacked into the website of Sony Pictures Entertainment and posted stolen data studied together at the same university, and they also participated on the university’s team for the Cyber Defense Competition held in March 2011, according to a former co-captain of the team.

The attack against the Sony Pictures Entertainment website and subsequent data leakage was carried out under the banner of LulzSec–a.k.a. Lulz Security–between May 27 and June 2, 2011, by hackers using the handles “Recursion” and “Neuron.” According to court documents, the attackers used a VPN service in an attempt to mask their activities, and later boasted of having compromised the Sony website by using a single SQL-injection attack.

An indictment unsealed in September 2011 charged Cody Kretsinger, then 23, with being Recursion. After entering a not-guilty plea, Kretsinger pled guilty to all of the charges against him, and is due to be sentenced on October 25.

This week, meanwhile, the FBI announced the arrest of Raynaldo Rivera, 20, after he was recently indicted by a federal grand jury on charges of conspiracy and the unauthorized impairment of a protected computer. The indictment accused him of being Neuron, and singled him out for having posted part of the customer data stolen from the Sony website.

Both men were arrested in Phoenix, and it turns out that at the time of the attacks against Sony, both men were students at University of Advancing Technology (UAT) in Tempe, Ariz., and either members of–or practiced with–the UAT team that competed in the three-day Western Regional Collegiate Cyber Defense Competition in March 2011.

UAT didn’t immediately respond to a request for comment, emailed outside of working hours, on Rivera’s connection with the university. But according to news reports, Kretsinger began pursuing a network-security degree at UAT in August 2010, and in July 2011 was named student of the month, saying that “a job with the NSA or Department of Defense is my ultimate dream.”

According to Steve Durham–who uses the handle “Yawg”–and who formed and co-captained the 2011 Collegiate Cyber Defense Competition team with the university, Kretsinger was the team’s Cisco administrator, while Rivera volunteered as a member of the Red team against which the university’s team practiced.

According to a news story about the 2011 Cyber Defense Competition published on the UAT website, the school’s 11-strong team placed third out of six universities, and while at the conference students enjoyed “face-time with network security professionals from companies like Boeing, CIA and BlackBag Technologies for potential jobs and internships.”

At the competition, team members “acted as a Blue team to restore services to a fictional, vulnerable enterprise–in this case, the United States Security and Exchange Commission,” according to the UAT story. “Contestants had computers and network equipment at their disposal to create a backup data response center to protect data and reestablish communications and IT services.”

Meanwhile, the Blue team was directly challenged by “network attacks from Red team cyber terrorists and theoretical physical threats,” it said. “The students worked around the clock to counter hacker threats–including an undetected programmed script that changed passwords–and reintroduce components like email amenities via injections. Teams were judged based on their timeliness to solve problems.”

To be clear, Durham said he had no idea that Kretsinger or Rivera might be committing any illegal activities. “I mean, I had a good idea that they did things like this for fun (I cannot confirm or deny that a majority of netsec students everywhere, not just [at] UAT, partake in activities like this on some level), but never imagined it would be something this big,” he said via email.

Between January and May 2011, Durham said he and Kretsinger “talked about things like SQL injection, proxies, exploits and social engineering when we took our smoke breaks (as far as I can recall it was just Cody and I smoking while the red team we practiced with would join us).”

Meanwhile, in a screen grab of a Facebook page shared by Durham, Rivera introduced himself to the UAT Network Security Students group on October 19, 2010, with the following message: “O hi im Royal and im a addict. Im probably going to be the first one arrested at uat for computer related crimes.”

“Looks like he was off by one,” said Durham.

Article source: http://feeds.informationweek.com/click.phdo?i=a794f49b8ba31c04cc2d7f21089bbcfe

FinFisher Mobile Spyware Tracking Political Activists

Spyware developed and sold by U.K.-based Gamma Group can infect BlackBerrys, iPhones, and other mobile devices, and is being used to actively target dissidents in countries governed by autocratic regimes.

The capabilities of the spyware, known as FinFisher, include location tracking, remotely activating a built-in microphone and conducting live surveillance via “silent calls,” as well as the ability to monitor all forms of communication on the device, including emails and voice calls, according to a study released Thursday by the University of Toronto Munk School of Global Affairs’ Citizen Lab.

According to The New York Times, Google engineer Morgan Marquis-Boire and Ph.D. student Bill Marczak volunteered to help tear down the spyware, which had been sent to three activists in the Gulf state of Bahrain, and found that it was FinFisher.

According to the Citizen Lab study, the iOS version of the FinFisher spyware “appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up.” The software is signed by an Apple-generated developer’s certificate assigned to Martin Muench, who The New York Times has reported is managing director of Gamma International as well as head of its FinFisher product portfolio.

Meanwhile, the Citizen Lab said it’s also recovered versions of the spyware that target the BlackBerry OS, Windows Mobile, Nokia’s Symbian platform, as well as Android. It said that it’s seen “structurally similar” Android spyware communicating with command-and-control servers in the United Kingdom and the Czech Republic.

Earlier this year, a study from Rapid7 identified FinSpy–the control software for FinFisher command-and-control servers–as being active in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the UAE, and the United States.

“We have identified several more countries where FinSpy command and control servers were operating,” according to the Citizen Lab. “Scanning has thus far revealed two servers in Brunei, one in Turkmenistan’s Ministry of Communications, two in Singapore, one in the Netherlands, a new server in Indonesia, and a new server in Bahrain.” But according to news reports, some of those servers appear to have been taken offline in the wake of the report.

Gamma Group’s business practices have been drawing scrutiny from human rights activists, especially after last year, when Egyptian protesters who took over state security headquarters purportedly found documents from Gamma Group offering to sell FinFisher to the Mubarak regime.

According to the Gamma Group website, “the FinFisher product portfolio is solely offered to Law Enforcement and Intelligence Agencies.” The company also claims that it doesn’t sell software to the Gulf state of Bahrain, where the ruling regime has been accused of perpetuating a string of human rights violations, especially involving police forces putting down anti-government protests.

In the wake of the Citizen Lab’s report, Muench at Gamma Group told Bloomberg via email that the firm was investigating whether the spyware used by Bahrain was a stolen demonstration copy, saying it was likely “that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere.”

Gamma Group later issued a statement claiming that a sales demonstration server had been hacked into, and code stolen. “The information that was stolen has been used to identify the software Gamma used for demonstration purposes,” the release said. “No operations or clients were compromised by the theft.”

Security and privacy researcher Christopher Soghoian, via Twitter, likened the company’s claim to being “the dog ate my homework for surveillance tech vendors.”

Security experts have criticized software firms that create and market software such as FinFisher, saying it’s too difficult to police how the software may be used. “While the U.K. based software company behind FinFisher claims it’s merely helping law enforcement do their job, the potential for bad actors to co-opt the technology for their evil ends is all too real,” said security researcher Cameron Camp at ESET in a blog post.

“Consider what happened to DarkComet RAT which we looked at here on the blog a few months ago,” he said. “Like FinFisher, DarkComet RAT has extensive espionage capabilities and the author claims to have no malicious intentions. But the genocidal Assad regime in Syria was quick to use DarkComet RAT against Syrians seeking freedom from oppression.”

Many security vendors, meanwhile, have responded to the FinFisher revelations by noting that their products will block any spyware products they know about and can detect, regardless of which government may have launched it. “We detect all malware regardless its purpose/origin,” said Kaspersky Lab chief Eugene Kaspersky via Twitter.

But until researchers Marquis-Boire and Marczak found active samples of FinFisher in May, security firms hadn’t managed to get their hands on a real copy of the spyware or create signatures to stop it.

Article source: http://feeds.informationweek.com/click.phdo?i=b53ec404e0d499bcb0a78564704b71c3

Imation shines light on scale of NHS data breaches

The number of data breaches involving NHS trusts has shot up by 935 per cent over the past five years, according to figures released by the Information Commissioner’s Office (ICO).

The data, obtained by storage vendor Imation via a Freedom of Information request, revealed a marked rise in the number of self-reported breaches taking place in the public and private sector since 2007.

For example, over this time period, the number of breaches involving local government and other public sector organisations has increased by 1,609 per cent and 1,380 per cent, respectively.

Meanwhile, private sector data breaches have rocketed by 1,159 per cent between 2007 and 2012.

The figures also revealed that, during the second quarter of 2012, the NHS suffered the highest number of data breaches (61), closely followed by local government (59) and general business (26).

The NHS has repeatedly come under fire in recent years for data protection failures and, several months ago, a health trust received a record £325,000 data breach fine from the ICO.

Nick Banks, head of EMEA and APAC at Imation Mobile Security, said the findings suggest the threat of ICO fines is doing little to encourage people to take better care of their data.

“Undoubtedly there are some mitigating circumstances which have contributed to the rise in annual data breach numbers, such as the introduction of mandatory reporting in certain sectors, plus the increasing amounts of data being stored and accessed,” said Banks.

“But none of these factors obscures the clear trend of constant increases.”

In a statement to IT Pro, an ICO spokesperson said the figures suggest that more companies are self-reporting breaches than ever before, rather than losing data.

“Clearly, for many organisations, further work is still required to ensure security breaches do not occur in the first place,” the spokesperson added.

Article source: http://www.itpro.co.uk/642601/imation-shines-light-on-scale-of-nhs-data-breaches

Could hijackers hold your electronic medical records for ransom?

by Erica Cohen

With data breach issues plaguing even the largest of companies, individuals are understandably concerned that their personal information could be leaked to unauthorized users. Release of personal health information is especially concerning because of the information’s private nature. 

However, your medical records also face another kind of risk. Someone could “kidnap” them and hold them for ransom. That someone could make it so that no one, not even your doctor, can access crucial information like your lab results and exam history.

This is not fantasy. It is what happened to patients at Surgeons of Lake County medical facility in Libertyville, Illinois. Hackers delved into the depths of the facility’s computer system and infiltrated the server where the facility stored emails and electronic health records (EHR). Then they added their own layer of encryption to lock the records up from view and demanded ransom in return for freeing them.

This isn’t the first time EHRs have been hijacked and held for ransom. Another incident occurred in 2008 when extortionists contacted pharmacy benefits company Express Scripts demanding “millions of dollars” in exchange for the return of 75 electronic patient records. Just one month prior to that, the FBI arrested a man for allegedly stealing a computer server from Medical Excess, LLC, a subsidiary of AIG, and trying to extort $208,000 by threatening to release private health information on more than 900,000 patients.

Since the Department of Health and Human Services’ Office for Civil Rights began publicly disclosing large health data breaches two years ago, 21 million individuals have reportedly been affected by large health data breaches of one sort or another.

With the promise of financial incentives for “meaningful use” of EHR technology under federal legislation, medical facilities are scrambling to implement systems before the end of 2012 – the deadline to earn the maximum incentive payment. Although there are plenty of benefits to EHR systems – the ability for multiple providers to access your records to avoid duplication of tests and labs, potential reduction in medication errors, and avoidance of illegible handwritten orders – there are plenty of concerns as well. One of the main concerns is the vulnerability of data hosted electronically. 

In order to prevent an escalation of data breaches, it is essential for federal and state governments to develop stringent standards to ensure encryption of private health information. Currently, the federal HIPAA law, which governs data privacy, does not require providers to encrypt their records. Although hackers may still be able to access encrypted files and layer an additional level of encryption, thereby preventing access by appropriate personnel, requiring encryption would at least prevent hackers from accessing the actual records themselves.

Medical facilities should be required to have extensive back-up and contingency plans in the event their systems fail, a hacker takes over their systems, or for some other reason they are unable to access patient records. Although HIPAA provides for some measure of accountability, recent incidents show that it is only a start.

Erica Cohen is a third-year law student concentrating in health law at Drexel University Earle Mack School of Law. Prior to law school, she worked for DKMS Americas, the world’s largest bone marrow donor center. She currently works as a legal intern in the Office of General Counsel at the Children’s Hospital of Philadelphia.

Article source: http://www.philly.com/philly/blogs/healthcare/Could-hijackers-hold-your-electronic-medical-records-for-ransom.html

Beazley Enhances Suite of Data Breach Products for Businesses

Beazley has unveiled major enhancements to its Beazley Breach Response (BBR) product.  Launched over three years ago, BBR includes a separate limit of coverage for breach response services, and Beazley recently announced the creation of BBR Services, a dedicated business unit to help clients manage data breaches successfully – again a first in the insurance industry.

The latest product enhancements include support for the victims of data breaches in the form of credit monitoring and identity monitoring provided by Experian Data Breach Resolution.  For a breach involving the compromise of personal information, BBR clients now may choose to offer notified individuals either:

  • Experian’s ProtectMyID identity protection tools, as well as Family Secure monitoring products available for any minors involved in a breach; or
  • DataPatrol, an Internet based data monitoring service provided by Experian.  Every month DataPatrol monitors millions of unsecure web pages to detect lost or stolen personal and financial information that may put affected individuals at risk of identity fraud.

In addition, Beazley has introduced a number of further enhancements to BBR:

  • The attorney services retention for privacy breach response services has been lowered to $5,000, making it easier for BBR clients to access Beazley’s panel of legal counsel (firms selected for their deep experience in data breach laws and regulations).  This retention previously stood at between $10,000 and $20,000.
  • Coverage is now offered for up to five million customer notifications in the event of a data breach involving personally identifiable data.  The previous limit was four million notifications.
  • Retail and hospitality organizations with revenues of up to $4 billion will qualify now for BBR.  (The previous ceiling was $3 billion).

With these enhancements, clients can customize BBR to their own specific needs, with notification limits available from $250,000 to $5 million and a separate limit of liability for third party claims available from $1 million to $15 million.  For smaller organizations, the BBR Select product also offers lower notification and liability limits.

Article source: http://www.insurancejournal.com/news/national/2012/08/31/261396.htm

Indiana Cancer Group Data Breach Affects About 55000 People

Cancer Care Group, an Indianapolis oncology practice that treats and manages patients using radiation therapy, has reported a data breach affecting approximately 55,000 individuals, including patients and employees.

Operating in 21 locations within Indiana, Cancer Care Group provides treatment, research, education and training in oncology.

On July 19 a laptop computer bag was stolen from an employee’s locked vehicle, the oncology organization reported. The physician group announced the breach on Aug. 28.

A spokesman for Cancer Care Group declined to comment beyond information in the company’s news release.

Data stored on server backup media in the laptop computer bag included patients’ names, addresses, Social Security numbers, dates of birth, medical record numbers and insurance information.

The backup device also contained data on Cancer Care Group employees, such as dates of birth, Social Security numbers, beneficiary names and employment data.

The affected data was for billing purposes only, according to the Cancer Care Group.

“There is no evidence to believe that the backup media were the target of the theft or that any of the information on the media has been accessed or used for fraudulent purposes,” the organization reported in a statement on its Website. “Cancer Care Group assures its patients and employees that it took immediate steps to investigate and attempt to recover the backup media.”

The organization has filed a police report and notified patients and employees.

Steps the Cancer Care Group will take to secure health care data in the future include encrypting mobile storage devices, upgrading data storage equipment, and revising policies and procedures, the organization reported.

“Cancer Care Group deeply regrets that this occurred,” the group stated. “We are committed to excellent care and protecting the privacy of personal information.”

The organization has posted the toll-free number 866-264-1049 for further information on the breach.

Cancer Care Group’s incident is the fourth-largest health care breach this year, according to Healthcare IT News.

On April 18 Emory Healthcare in Atlanta reported the loss of 10 backup disks containing data on 315,000 surgical patients. The disks were unencrypted and stored in an unlocked cabinet.

On March 30, a hacker from Eastern Europe put about 280,000 Social Security numbers for Medicaid claims at risk by hacking a Utah Department of Technology Services server. That incident involved health data for Medicaid and Children’s Health Insurance Plan patients. In addition to those patients whose Social Security numbers were stolen, 500,000 others were affected in the Utah incident.

Recent health care data breaches highlight a need for more investment in security by health care organizations, according to Judy Hanover, research director at IDC Health Insights. Audits of security practices and vulnerabilities are also necessary, she said.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule, incidents involving 500 or more people must be reported to the U.S. Department of Health and Human Services and to the news media. The 2009 HITECH law strengthened breach-reporting measures under the Health Insurance Portability and Accountability Act (HIPAA), which governs the release of protected health information.

Article source: http://www.eweek.com/c/a/Health-Care-IT/Indiana-Cancer-Group-Data-Breach-Affects-About-55000-People-699631/

Toyota Employee Allegedly Hacked, Stole Confidential Information

Investigation is now underway into whether a computer programmer allegedly stole proprietary information from the automaker Toyota and “sabotaged” the company’s supplier computer network after being terminated last week.

According to a complaint filed late last week (.PDF) in the U.S. District Court of Lexington, Ibrahimshah Shahulhameed “sabotaged various internal programs” at Toyota Motor Manufacturing, Inc., in Georgetown, Ky. In doing so, Shahulhameed allegedly caused the network to crash, brought ToyotaSupplier.com offline and “downloaded proprietary and confidential information for his own improper use.”

Toyota claims the information on ToyotaSupplier.com is “highly confidential” and includes pricing, quality and parts testing data along with proprietary design information belonging to the automaker. The site acts as an intermediary for Toyota, its dealerships and other car suppliers.

According to the complaint, Shahulhameed, who was doing contract work through Wisconsin-based GlobalSourceIT, was let go from the car manufacturer on Aug. 23, yet allegedly infiltrated the system at midnight that night and continued to work until 6:30 a.m. Aug. 24.

U.S. District Judge Karen Caldwell issued a restraining order (.PDF) last Friday prohibiting Shahulhameed from “accessing, using, or disseminating” any of Toyota’s property and trade secrets he may have accessed. Judge Caldwell followed that up on Monday with an order that bars (.PDF) Shahulhameed from leaving the country for fourteen days as the court and Toyota continue to review the case.

“It will take days for Toyota’s IT department to determine the full extent of its damage as a result of [Shahulhameed’s] efforts to sabotage its system,” reads one part of the complaint, submitted by Toyota’s Lexington area lawyer Mindy Barfield.

Article source: http://threatpost.com/en_us/blogs/toyota-employee-allegedly-hacked-stole-confidential-information-083112

Info of 55K Patients Stolen from Indianapolis Cancer Practice

The Cancer Care Group, an oncology practice based in Indianapolis, claims it will improve its storage and data security practices going forward after a laptop containing the sensitive information of about 55,000 of its patients was stolen last month.

The laptop, which contained backup media from the clinic’s computer server, was taken from the locked vehicle of an employee on July 19.

According to a post on its website, the backup media included patient demographic information, including their names, addresses, date of birth, Social Security numbers, medical record numbers, insurance information and minimal clinical information the firm claims was used for billing purposes only. Employees’ information, including their date of birth, social security numbers, beneficiary names and other “employment and/or financial data,” were also stolen.

The Cancer Care Group claims that while the backup media has yet to be retrieved, there’s no proof the information has been used or exploited yet. The practice has vowed to encrypt its mobile media going forward and has made plans to update policies and procedures, upgrade data storage technology and better inform its employees on how to safely handle its media.

Article source: http://threatpost.com/en_us/blogs/info-55k-patients-stolen-indianapolis-cancer-practice-083112

Beazley Announces Major Enhancements to its Suite of Products Designed to …

SAN FRANCISCO, Aug. 30, 2012 /PRNewswire/ — Beazley has unveiled major enhancements to its highly successful Beazley Breach Response (BBR) product.  Launched over three years ago, BBR has gained widespread recognition as the most comprehensive and effective solution available to the often challenging task of responding successfully to a data breach.  BBR was the first such offering to include a separate limit of coverage for breach response services, and Beazley recently announced the creation of BBR Services, a dedicated business unit to help clients manage data breaches successfully – again a first in the insurance industry.   

The latest product enhancements include support for the victims of data breaches in the form of sophisticated credit monitoring and identity monitoring provided by Experian Data Breach Resolution.  For a breach involving the compromise of personal information, BBR clients now may choose to offer notified individuals either:

  • Experian’s ProtectMyID® identity protection tools, as well as Family Secure® monitoring products available for any minors involved in a breach; or
  • DataPatrol™, an Internet-based data monitoring service provided by Experian®.  Every month DataPatrol monitors millions of unsecure web pages to detect lost or stolen personal and financial information that may put affected individuals at risk of identity fraud.

In addition, Beazley has introduced a number of further enhancements to BBR:

  • The attorney services retention for privacy breach response services has been lowered to $5,000, making it easier for BBR clients to access Beazley’s panel of legal counsel (firms selected for their deep experience in data breach laws and regulations).  This retention previously stood at between $10,000 and $20,000.
  • Coverage is now offered for up to 5,000,000 customer notifications in the event of a data breach involving personally identifiable data.  The previous limit was 4,000,000 notifications.   
  • Retail and hospitality organizations with revenues of up to $4 billion will qualify now for BBR.  (The previous ceiling was $3 billion).    

With these enhancements, clients can customize BBR to their own specific needs, with notification limits available from 250,000 to 5,000,000 and a separate limit of liability for third party claims available from $1 million to $15 million.  For smaller organizations, the BBR Select product also offers lower notification and liability limits.

Mike Donovan, head of the technology, media and business services team at Beazley, which underwrites BBR, said:

“Since its successful introduction over three years ago, we have continually developed and enhanced our breach response product to help our clients keep pace with evolving breach exposures.  These new coverage enhancements – combined with the creation of BBR Services – will ensure that our clients have instant access to the services they need to safeguard their reputations in the event of a breach.”

Note to editors: Beazley plc (BEZ.L) is the parent company of specialist insurance businesses with operations in Europe, the US, Asia and Australia.  Beazley manages five Lloyd’s syndicates and, in 2011, underwrote gross premiums worldwide of $1,712.5 million.  All Lloyd’s syndicates are rated A by A.M. Best.

Beazley’s underwriters in the United States focus on writing a range of specialist insurance products.  In the admitted market, coverage is provided by Beazley Insurance Company, Inc., an A.M. Best A rated carrier licensed in all 50 states.  In the surplus lines market, coverage is provided by the Beazley syndicates at Lloyd’s.

Beazley is a market leader in many of its chosen lines, which include professional indemnity, property, marine, reinsurance, accident and life, and political risks and contingency business.

For more information please go to: www.beazley.com

For updated security breach notification laws visit http://www.beazley.com/databreachmap

About Experian Data Breach Resolution

Experian® is a leader in the data breach resolution industry and one of the first companies to develop products and services that address this critical issue. As an innovator in the field, Experian has a long-standing history of providing swift and effective data breach resolution for thousands of organizations, having serviced millions of affected consumers. For more information on the Experian Data Breach Resolution division at ConsumerInfo.com, Inc. and how it enables organizations to plan for and successfully mitigate data breach incidents, visit http://www.experian.com/databreach.

SOURCE Beazley plc

Article source: http://www.sacbee.com/2012/08/30/4772145/beazley-announces-major-enhancements.html

UK data breaches skyrocket more than 1000%

According to the data, secured by Imation, local government data breaches have increased by 1,609%, making it the No. 1 target, while other public sector organizations were a close second (1,380%). Not to be outdone, the private sector logged a 1,159% increase.

On a federal level, data breaches at the National Health Service have increased by 935% and central government incidents are up by 132%.

“The massive increase in data breaches in just five years is fairly startling,” said Nick Banks, head of EMEA and APAC for Imation Mobile Security, “but perhaps more alarming is the consistent year-on-year increase in data breaches since 2007. The figures obtained from the ICO by Imation seem to show that increasing financial penalties have had little effect on the amount of data breaches each year.”

To get a full picture, however, the actual numbers are illuminating. There were 11 local government data breaches from November 2007 to November 2008, which has grown to 188 in 2012 – 59 of them in the second quarter. But the NHS had the most incidents in the second quarter of 2012 with 61 breaches. General business came in third with 26 breaches.

Telecom actually delivered a decrease in the number of data breaches from year to year, the only category to do so, falling from six breaches to zero from 2010 to 2011.

“Undoubtedly there are some mitigating circumstances which have contributed to the rise in annual data breach numbers, such as the introduction of mandatory reporting in certain sectors, plus the increasing amounts of data being stored and accessed”, Banks said. “But none of these factors obscures the clear trend of constant increases.”

So far there have been 821 data breaches in the UK in 2011/2012, which Banks said is “deeply worrying.”

“Organizations must take responsibility for preventing breaches, and with so much available technology there really is no excuse for failing to adequately protect data,” he said.

Article source: http://www.infosecurity-magazine.com/view/27905/uk-data-breaches-skyrocket-more-than-1000
