Financial Data Breach Sources

In the study we just released on financial institution data breaches between 200 and 2008 we analyze the breach sources.

Hacking accounts for 42 percent of incidents but 55 percent of records compromised. This is the largest share of both incidents and records, which is why financial institutions have worked, and continue to work, hard to mitigate their exposure to hackers.

Theft constitutes 30 percent of incidents but only 3 percent of records compromised. The lesson to be learned here is that you will still have to disclose a breach even if few records are compromised. This is where encryption products are valuable. If the data is encrypted and gets stolen, data breach notification laws usually do not require disclosure (only 4 of 45 states require it). To see the individual states that have these laws, and which ones require disclosure even when the data is encrypted, see the list in the study.

Malicious insiders accounted for 15 percent of incidents but 24 percent of records compromised. This could be a bit misleading as well, because in many cases classified as theft the perpetrator may have been a malicious insider without that ever being known. So in reality this number could be higher, but it is already quite staggering. Malicious insiders come in many varieties, but IT admins are one of the leading causes.

3rd parties accounted for 8 percent of incidents and 11 percent of records lost. This (in my opinion) is a very high number. It can include malicious individuals employed by the 3rd party. It can be data disclosure by untrained or careless partner employees. It can also be hackers or other outsiders who compromise the 3rd party network and then reach or compromise company systems through the access granted to that 3rd party. This is why 3rd party due diligence is so important right now and has been harped on by the regulators for the last couple of years.

Careless and untrained insiders account for a very small percentage of incidents and records compromised. Keep in mind that all these statistics are based on KNOWN data breaches (which some estimate at 11% of the total), and we only learn the number of records compromised in about two thirds of incidents. The number of incidents involving careless and untrained insiders is quite small (in my opinion) for a couple of reasons. First, financial institutions have some of the best policies, procedures, guidelines, and training of any vertical tracked. Second, they have been regulated and actively audited for many years (unlike healthcare under HIPAA, which has a higher percentage of these types of breaches). Third, companies are still sweeping incidents under the carpet, especially when there was a breakdown in internal processes, so we aren't seeing the whole story here. As a result, they have fewer of these types of incidents than any other vertical.
