Thursday, August 7, 2008

What can be learned from data breach reports?

I need to thank the people at Attrition.org who are maintaining a database of data breaches that I refer to on a regular basis. I believe the information in these types of breach databases is very valuable as a research tool into good measures to spend your time and money on in order to keep your company off of this list. Of course we have to make several assumptions about the data contained in the reports, and of course “you don’t know what you don’t know”, but even so, this is probably as good a starting point as any survey we’ve all seen, and of course your risk appetite as well as the specific risks of an organization will also have to be considered. Now for the numbers.

The database covers the period from January 2000 through July 31 of this year and includes 1051 breaches. Here is a breakdown of some of the interesting facts, after removing the couple of entries whose breach type is listed as disputed.

87% of the breaches were not due to a loss by a third party; the remaining 13% were. A separate report from Verizon claims that 39% of the breaches it examined involved a third party. I believe there may be some under-reporting of this statistic here, due to the third parties reporting and their customers not reporting the same incident.

The distribution of breaches among Business, Government, Education and Medical organizations was 34%, 24%, 30% and 12% respectively.

Stolen data was the most commonly reported breach type, at 37%. “Hack”, which Attrition classifies as “computer-based intrusion, data not generally publicly exposed”, came second at 21%, followed by web-based intrusions at 15%.
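As an added example (not code from this post or from Attrition.org), here is a small Python script that reproduces this kind of tally from a breach-database export. It restricts records to the January 2000 through July 31, 2008 window, drops entries whose breach type is disputed so every percentage uses the same denominator, and then computes the third-party, organization-type and breach-type breakdowns. The column names and the sample rows are constructed for illustration and are not the real database schema or real incidents.

```python
"""Reproduce breach-report tallies of the kind quoted in the post.

Added example; not code from the post's author or from Attrition.org.
The column names and the sample rows below are constructed for
illustration and are not the real database schema or real breach records.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export. Each row: incident date, organization type
# (Biz/Gov/Edu/Med), breach type, and whether a third party lost the data.
# It deliberately includes one pre-2000 row, one row after July 31, 2008,
# and one disputed row so the filtering step has something to remove.
SAMPLE_CSV = """date,org_type,breach_type,third_party
1999-12-31,Gov,Stolen,no
2006-01-15,Biz,Stolen,no
2006-05-20,Gov,Hack,no
2006-09-02,Edu,Web,no
2007-02-11,Med,Stolen,yes
2007-04-30,Biz,Hack,no
2007-07-07,Edu,Stolen,no
2007-09-09,Med,Disputed,no
2007-11-19,Biz,Web,yes
2008-01-23,Gov,Stolen,no
2008-03-03,Edu,Hack,no
2008-07-31,Biz,Stolen,no
2008-08-05,Biz,Hack,no
"""

# The post's window: January 2000 through July 31, 2008 (inclusive).
WINDOW_START = date(2000, 1, 1)
WINDOW_END = date(2008, 7, 31)


def load_records(csv_text):
    """Parse the export into dicts, converting the date column to date objects."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["date"] = date.fromisoformat(row["date"])
        records.append(row)
    return records


def select(records, start=WINDOW_START, end=WINDOW_END, drop_types=("Disputed",)):
    """Keep records inside [start, end] whose breach type is not disputed.

    The post does the same: it counts 2000 through July 31, 2008 and removes
    the few entries whose breach type is listed as disputed before computing
    percentages, so all the figures share one denominator.
    """
    return [
        r for r in records
        if start <= r["date"] <= end and r["breach_type"] not in drop_types
    ]


def breakdown(records, field):
    """Percentage of records per value of `field`, rounded to one decimal.

    Percentages are derived from raw counts over the same filtered set,
    so the values for one field sum to (approximately) 100.
    """
    counts = Counter(r[field] for r in records)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def summarize(csv_text):
    """Return the record count and the three breakdowns quoted in the post."""
    recs = select(load_records(csv_text))
    return {
        "n": len(recs),
        "third_party": breakdown(recs, "third_party"),
        "org_type": breakdown(recs, "org_type"),
        "breach_type": breakdown(recs, "breach_type"),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_CSV).items():
        print(f"{name}: {value}")
```

Run it as a script to print the breakdowns for the sample, or pass a real export to `summarize()` once its columns are mapped onto the assumed names. Keeping the window filter, the disputed-entry exclusion and the percentage arithmetic in one place is what makes the numbers comparable; a 39% from one report set against an 87% from another with different exclusions and a different definition of "third party" is exactly where such comparisons go wrong.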