4301 Hacienda Drive, Pleasanton, CA 94588 USA ● +1 925 225 9100 t ● +1 925.225.9101 f ● www.javelinstrategy.com
2010 Data Breach Prevention and Response:
Causes, Consumer Consequences, and Tools for Layered Defense (DLP and SIEM) June 2010
© Copyright 2010 Javelin Strategy & Research. All rights reserved. This report is licensed for use by Javelin Subscribers only. It is protected by copyright and other intellectual property laws. You may display or print the content available for your use only. You may not sell, publish, distribute, re‐transmit or otherwise provide access to the content of this report. 2
Table of Contents

Overview (p. 5)
  Primary Questions (p. 5)
  Key Findings (p. 5)
Methodology (p. 7)
Introduction: How Data Breaches Impact Financial Institutions and their Customers (p. 8)
  Data Breach Notification Laws (p. 12)
  How Criminals Use Breached Data Impacts Overall Fraud Rates (p. 15)
Prevention: Have an Incident Response Plan Handy (p. 18)
  Limit Access to Sensitive Data (p. 18)
  Where the Data Lives (p. 19)
  DLP Solutions Vendors (p. 21)
    Cisco IronPort (p. 21)
    CheckPoint (p. 21)
    RSA (p. 21)
    Trustwave (p. 22)
    WebSense (p. 22)
    McAfee Data Loss Prevention (p. 22)
    Sophos (p. 22)
    Symantec Data Loss Prevention (p. 22)
    Trend Micro DLP (p. 22)
  Create a Data Breach Response Plan (p. 23)
Detection: Monitor for a Data Breach (p. 24)
  SIEM Vendors (p. 26)
    ArcSight (p. 26)
    Cisco (p. 26)
    eIQnetworks (p. 26)
    IBM (p. 26)
    McAfee (p. 26)
    RSA (p. 26)
    Splunk (p. 26)
    Symantec (p. 26)
    Trustwave (p. 27)
  Enact Your Incident Response Plan (p. 27)
  Determine the Point of Compromise and Secure It (p. 28)
  Breach Assessment Vendors (p. 28)
Resolution: Notification and Resolution (p. 29)
  Notification and Resolution Vendors (p. 29)
    Affinion Data Breach (p. 29)
    Experian (p. 29)
    Equifax (p. 30)
    ID Experts (p. 30)
    Intersections (p. 30)
    Identity Theft 911 (p. 30)
    Kroll (p. 30)
    LifeLock (p. 30)
    TrustedID (p. 30)
Resolution: How Different Companies Handle Data Breaches (p. 31)
  The Blame Game: Who Customers Blame for a Data Breach (p. 31)
  Disconnect Between Actual Fraud Caused by Data Breach and Consumer Understanding (p. 32)
  Case Studies (p. 33)
Recommendations (p. 34)
Appendix (p. 35)
Related Research (p. 36)
Companies Mentioned (p. 37)
Table of Figures

Figure 1: Data Breach Incidents vs. Records Breached (p. 8)
Figure 2: Percentage of Consumers who had Cards Replaced Due to Security Concerns (p. 9)
Figure 3: Consumers with More than One Debit Card or Credit Card Replaced due to Security Issues (p. 10)
Figure 4: Number of U.S. Consumers Reporting Card Replacement Due to Security Concerns (p. 11)
Figure 5: Consumers’ Likely Reaction toward Bank after Receiving a Data Breach Notification Letter (p. 12)
Figure 6: How Consumers’ Use of Credit or Debit Cards Is Affected by Security Reissue (p. 13)
Figure 7: Victims’ Top Breached Personally Identifiable Information (PII) (p. 14)
Figure 8: New Account Fraud Compared with Existing Non-card and Card Account Frauds (p. 15)
Figure 9: Fraud Rate Past 12 Months for Consumers Who Received Breach Notification Letters vs. Did Not Receive Breach Notification Letters vs. All Consumers (p. 16)
Figure 10: Mean Consumer Costs and Fraud Amounts for Victims “Notified” vs. “Not Notified” (p. 17)
Figure 11: How Data is Lost (p. 20)
Figure 12: Incidents (Cases) vs. Records Reported for Data Breaches (p. 24)
Figure 13: Comparison of Detection: Internal vs. External Sources (p. 25)
Figure 14: Layering Protection with SIEM and DLP (p. 27)
Figure 15: Consumers’ Assignation of Fault in a Data Breach (p. 31)
Figure 16: Actual Fraud Rates Among Data Breach Victims Last 12 Months vs. Fraud Attributed to the Data Breach by Those Notified of Data Breach Last 12 Months (p. 32)
Figure 17: Breach Victims (Notified Last 12 Months) Fraud Rate vs. All Consumers Fraud Rate (p. 35)
Audience: Financial institutions, credit and debit card issuers, card networks, security vendors, DLP vendors, SIEM vendors, healthcare organizations, merchants.
Author: Robert Vamosi, Fraud and Security Analyst
Contributors: Mary Monahan, Managing Partner and Research Director; Tom Wills, Senior Analyst, Risk, Fraud and Compliance; John Kenderski, Research Associate; James Van Dyke, President and Founder
Editor: Levi Sumagaysay
Publication Date: June 2010
Overview
Data breaches have become commonplace: 26% of U.S. consumers have received data breach notifications. Global criminal networks continue to evolve quickly and to develop more sophisticated capabilities, so data loss and breach containment will be an ongoing challenge for businesses. Layered defenses such as data loss prevention (DLP) and security incident and event management (SIEM), covered in this report, can help. This report lists best practices for organizations before, during, and after a data breach. Should an incident occur, the organization needs to take specific actions quickly to minimize losses and curtail the impact on customer relationships. Long term, organizations need to provide not just notification but a complete resolution process.
Primary Questions
• How do customers react to data breaches?
• What increased risks of identity fraud do data breach victims have?
• How does a notification letter affect a consumer’s relationship with a financial institution?
• How are data breaches being perpetrated?
• How does a security reissue affect consumer use of a credit and/or a debit card?
• What steps should an organization take in advance of a data breach?
• Are there services for monitoring sensitive data?
• What steps should any breached company take first?
• Are there companies that provide data breach services?
Key Findings
More than 1 in every 4 consumers had their debit or credit cards replaced in 2009 due to security issues. Of those, one in five had more than one credit or debit card replaced within the last 12 months. Of those consumers who had had their cards replaced, 37%-40% say it adversely affects their card usage.
Javelin has previously reported that consumers who receive a data breach notification letter are more than four times as likely as the average consumer to become a victim of identity fraud. As of April 12, 2010, 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands had data breach notification laws. This myriad of state laws means that multi-state companies that suffer a breach must operate under multiple, differing reporting rules and requirements. Effective January 1, 2008, California expanded the protections under its breach notification law to cover medical/health information (AB 1298). In February 2009, the American Recovery and Reinvestment Act created the first federal notification law for data breaches within the healthcare industry.

Organizations are more likely to learn that they have been breached from a third party than through internal sources. Still, companies need to assess their own sensitive data and monitor it with tools such as data loss prevention (DLP) and security incident and event management (SIEM), both of which are part of the organization's layered perimeter. In addition to data in motion (on the network), there is also data at rest and data at the endpoint (USB drives, CDs, external drives). Part of the security solution needs to be greater education: just as we educate employees about what is an appropriate joke to tell in the office, we should also educate employees about what is acceptable use of the desktop computer and its data. Should a breach occur, an incident response plan (data breach response plan) needs to be enacted. A committee consisting of executives, legal staff, PR, IT, and risk and compliance should meet immediately to gather information and begin executing a strategy. That strategy should seek to determine and resolve the cause of the data breach, to preserve the data by establishing a clear chain of custody, and finally to go public with as much data as possible.
Methodology

This report is based on data collected online from a random-sample panel of 3,294 online consumers in November 2009, with an overall margin of sampling error of ±1.71 percentage points at the 95% confidence level.

Data from a September 2009 telephone survey of 5,000 U.S. adults, including 703 identity fraud victims, was also used in this report. For questions answered by all 5,000 respondents, the maximum margin of sampling error is ±1.4% at the 95% confidence level. For questions answered by all 703 identity fraud victims, the maximum margin of sampling error is ±3.7% at the 95% confidence level. For questions answered by a proportion of all identity fraud victims, the maximum margin of sampling error varies and is greater than ±3.7% at the 95% confidence level.

The surveys targeted respondents based on representative proportions of gender, age, ethnicity and income compared to the overall U.S. online population. Rounding (in the underlying numbers) in the figures included in this report accounts for the slight differences in totals. Secondary data from publicly available online sources have also been included in this report.
INTRODUCTION: HOW DATA BREACHES IMPACT FINANCIAL INSTITUTIONS AND THEIR CUSTOMERS

Data Breaches Continue to Increase

One thing is clear: Despite new laws, new standards, and new technology, data breaches remain a problem year after year. When looking at data breach numbers it is important to distinguish between the number of incidents (data breaches) and the number of customer records (potential victims affected by the data breach[1]). The two statistics can be very different. For example, one data breach incident (a lost laptop) disclosed in 2009 at Continental Airlines resulted in the loss of 230 records.[2] Another data breach incident (a web hack) disclosed that same month at Heartland Payment Systems resulted in 130 million records exposed.[3] These two January incidents went on to account for 58% of all records lost in 2009; clearly a single event can skew the total number of customer records exposed. Thus the total number of incidents in a given year may rise and fall independently of the total number of records breached. It is important to look at both the number of incidents and the number of records breached to see the entire picture.

Figure 1: Data Breach Incidents vs. Records Breached

Category / Year                2009          2008         2007
Number of reported breaches    498           656          446
Records breached               222,477,043   35,691,255   127,725,343

©2010 Javelin Strategy & Research
http://idtheftcenter.org/artman2/uploads/1/ITRC_Breach_Report_20100106.pdf Accessed May 25, 2010. Note: Adjusted Heartland from 30 million to 130 million as per alleged in Justice Dept. documentation.

[1] It is possible for one victim to have multiple accounts breached, so there is not a one-to-one correlation between the number of records and the number of victims, although it is a good estimator.
[2] http://datalossdb.org/incidents/1485‐laptop‐stolen‐from‐office‐containing‐finger‐prints‐names‐social‐security‐numbers‐addresses‐dates‐of‐birth‐and‐other‐information
[3] http://datalossdb.org/incidents/1518‐malicious‐software‐hack‐compromises‐unknown‐number‐of‐credit‐cards‐at‐fifth‐largest‐credit‐card‐processor
More than 1 in Every 4 Consumers Had Debit or Credit Cards Replaced in 2009 Due to Security Issues

Another metric is the frequency with which consumers report having their card replaced. Cards tend to be reissued out of cycle when there is a breach of data with a risk of fraud associated with the card. Under a normally timed reissue the new card will only have a new expiration date and security code; under a high-risk reissue the card will have a new account number. Among all consumers, at least 28% have had a credit or debit card reissued in the past year due to security concerns. Within that group, 1 in 20 report having both their debit and their credit card replaced. The good news is that 65% of all consumers did not have either their credit cards or debit cards replaced within the past 12 months due to security. Of those who did have a card replaced, 18% had debit cards replaced (33.2 million consumers) and 15% had credit cards replaced (27.6 million consumers), including the 5% who had both replaced. Seven percent of consumers were unsure whether their cards had been replaced due to security reasons (or the question did not apply).

Figure 2: Percentage of Consumers who had Cards Replaced Due to Security Concerns

Credit card(s)                                        10%
Debit card(s)                                         13%
Both my credit and debit card(s)                       5%
Neither my credit or debit card has been replaced     65%
Don't know                                             7%

Q44: In the last 12 months, have your credit or debit cards been replaced with a new card due to security concerns? (select one only)
November 2009, n=3,294. Base: All consumers.
© 2010 Javelin Strategy & Research
Of the 18% who had their debit cards replaced within the past 12 months, 21% had their debit card replaced more than once. Of the 15% who had their credit cards replaced, 18% had their credit card replaced more than once. This suggests that more data breaches are impacting consumers, who typically have 3.2 credit cards on average.

A simple market sizing would indicate that at minimum 72.2 million replacement cards (debit and credit) with accompanying letters were sent out to consumers in 2009, under the most conservative assumption that consumers with more than one reissue averaged just two cards. In one Heartland Payment Systems lawsuit, one plaintiff said the costs of reissuing a credit card included costs for “purchasing new plastic Payment Cards, postage and other mailing expenses, time spent by employees addressing the Data Breach, absorption of fraudulent charges made on the compromised Payment Cards, and harm to Plaintiffs’ reputations and goodwill.”[4] In a TJX-related lawsuit, the Massachusetts Bankers Association claimed that card replacement costs could reach $25 per card.[5] There is a wide range for reissuance fees. Using an arguably conservative estimator of $3.50 per card replacement, security reissue costs for the cards replaced in 2009 would total, at minimum, $252 million.

Among Consumers with Replacement Cards, Approx. 1 in 5 Had Their Card Reissued More than Once

Figure 3: Consumers with More than One Debit Card or Credit Card Replaced due to Security Issues

                  Only once   More than once
Credit card(s)    82%         18%
Debit card(s)     79%         21%

Q45: You indicated that your credit or debit cards have been replaced in the past 12 months. Have any of these cards been replaced more than once?
November 2009, n=492, 579. Base: Consumers who have replaced their credit or debit cards in the past 12 months.
© 2010 Javelin Strategy & Research

At Minimum, $252 Million Spent Replacing Debit and Credit Cards in 2009

Figure 4: Number of U.S. Consumers Reporting Card Replacement Due to Security Concerns

                  Debit cards replaced   Credit cards replaced
Only once         30,742,045             27,394,152
More than once     8,221,257              5,851,178
Total             38,963,302             33,245,330

©2010 Javelin Strategy & Research

[4] http://chimicles.com/assets/Key%20Bank%20Complaint.pdf Accessed May 21, 2010.
[5] http://www.computerworld.com/s/article/9017758/Massachusetts_banks_file_class_action_suit_against_TJX Accessed May 21, 2010.
Data Breach Notification Laws

Two laws will impact data breaches in 2010. Nationally, the Red Flags Rule, effective December 31, 2010, requires firms that hold customer accounts to implement programs that identify and detect red flags that signal possible identity theft. And effective May 1, 2010, Massachusetts General Law, consistent with the Red Flags Rule, orders that all companies that own, license, store or maintain personal information regarding a Massachusetts resident must implement an identity theft program that identifies red flags indicating possible identity theft and emphasizes a “risk-based” approach.

Thirty-eight percent of all consumers say they view their financial institution less favorably after receiving a notification letter. This is not good news for banks and credit unions, which are often put into the position of being the messenger about data breaches even though the institution may have had nothing to do with the breach itself and is instead reacting to protect its accountholders. Often the issuer is the only point of contact with the customer after a retail data breach. Due to legal liability issues, the financial institution’s notification letter typically can only state that a breach occurred; it does not publicly identify the actual breached entity.

Blame the Messenger: 38% of Consumers View Banks Less Favorably After Receiving Breach Notification

Figure 5: Consumers’ Likely Reaction Toward Bank after Receiving a Data Breach Notification Letter

1 - Much less favorably    21%
2                          17%
3                          36%
4                          13%
5 - Much more favorably    13%

Q48: Assume you receive a letter from your bank. The letter states that they learned a data breach occurred and your account information may have been lost or stolen. Does receiving the letter cause you to view your bank more or less favorably? (select one only)
November 2009, n=2,978. Base: All consumers with banking products.
© 2010 Javelin Strategy & Research
For issuers that often must take steps to protect their customers after a data breach at another institution, unfortunately, the bad news continues: after a block and reissue, 1 in 10 consumers no longer use their credit cards, and an additional 30% use them less. Among debit cardholders with a security reissue, 7% stop using the card, while 30% use it less. For a little over half of consumers, reissues have no effect. For a certain group of consumers, the reissue has a positive effect: 6% of credit cardholders and 9% of debit cardholders use their cards somewhat more or much more.
Issuers must take these statistics into account when deciding
whether to monitor or block and reissue after a data breach.
Security Reissues: 37%-40% of Consumers Claim It Adversely Affects Usage
Figure 6: How Consumers’ Use of Credit or Debit Cards Is Affected by Security Reissue (percent of consumers)
                                       Credit   Debit
It's had no impact on my card usage    55%      54%
I use the card much more                2%       3%
I use the card somewhat more            4%       6%
I use the card somewhat less           16%      17%
I use the card much less               14%      13%
I no longer use the card               10%       7%
Q46: How has the fact that the bank replaced your credit card due to security concerns, affected your use of the credit card? (Select one only)
November 2009, n=494, 579. Base: All consumers who replaced their credit card in the last 12 months, all consumers who replaced their debit card in the last 12 months.
Aside from existing credit and debit cards, breaches can also affect other PII. When breach victims in 2009 were asked what was taken, Social Security number (SSN) thefts remained the top critical data reported breached after names and addresses. SSNs permit new-account creation, one of the most difficult types of fraud to detect. Among the types of data typically stolen, theft of checking account numbers nearly doubled over 2008 (27% vs. 16%). While theft of health insurance information (7%) and medical records fraud (3%) were low, medical records fraud resulted in the largest mean frauds ($18,480 vs. $4,841 for all consumers).
The American Recovery and Reinvestment Act (ARRA), signed into law on Feb. 17, 2009, establishes the first nationwide data breach notification law for the health care industry, specifically whenever protected health information (PHI) is released, via paper or electronic means. Breaches of PHI that are under the control of the patient are to be reported to the Federal Trade Commission. Breaches of health information, specifically electronic medical records (EMR), are to be reported to the Department of Health and Human Services. Both the FTC and HHS are required to prepare an annual report on the state of healthcare data breaches.6
Breached Social Security Numbers Allow Criminals to Create Fraudulent New Accounts
Figure 7: Victims’ Top Breached Personally Identifiable Information (PII) (percent of consumers)
Full name: 63%
Physical address: 37%
Social Security number: 32%
Checking account number: 27%
Driver's license number: 22%
PIN on your credit card: 19%
ATM PIN on your debit card: 18%
Online banking username and password: 10%
Health insurance information: 7%
A passport: 3%
Medical records: 3%
Military ID card: 1%
Q12: Which documents or pieces of information were stolen?
November 2009, n=393. Base: All ID fraud victims who know how their information was obtained.
6 New Federal Personal Health Information Breach Notification Law: HITECH Act— A Tsunami of Opportunity, Javelin Strategy & Research, April 2009.
How Criminals Use Breached Data Impacts Overall Fraud Rates
In 2009, new accounts fraud was the main driver of the overall
increase in total dollar fraud. New accounts fraud increased 38%
since 2007, with a 17% rise over the past year alone, accounting
for a total growth of $3 billion in losses per annum.7 In the same
two‐year period, overall identity fraud increased 20%, or $9
billion, from $45 billion in 2007 to $54 billion in 2009. Thus new
accounts fraud alone accounted for two‐thirds of the increase in
total identity fraud over the past two years (the only two years
that overall identity fraud has risen during the past seven years).
The number of different accounts opened by criminals rose in
2009. There were increases in percentages of fraud victims
reporting traditional accounts created by fraudsters such as new
credit card applications (39% vs. 33% in 2008) and new loans
opened (18% vs. 15%). However, there were also increases in
percentages of fraud victims reporting new fraudulent electronic
accounts, with five times as many e‐mail payment accounts such
as PayPal (15% vs. 3%) and more than twice as many Internet
accounts opened on eBay and Amazon (22% vs. 10%). New
mobile phone accounts, a new category in this report, accounted
for 29% of the fraudulent new accounts opened in 2009.
New Account Fraud—Most Difficult to Detect—Accounts for 2/3s of Growth in Total Fraud
Figure 8: New Account Fraud Compared with Existing Non-card and Card Account Frauds (total fraud amounts, in billions, by survey year)
                                   2005   2006   2007   2008   2009
New accounts fraud                  $27    $19    $15    $18    $21
Existing non-card account fraud     $13    $12    $13     $9    $11
Existing card fraud                 $22    $22    $19    $22    $22
Q9: Did the perpetrator use your personal information to obtain new credit or debit cards, new bank accounts or loans in your name, or otherwise commit theft, fraud, or some other crime? Q8: Did the perpetrator use any of your existing accounts other than a credit or debit card account without your permission to run up charges or to take money from your accounts? Q5: Did the perpetrator misuse your existing credit, or debit card or account numbers to place charges on your account without your permission? Q3: Have you, yourself, ever been a victim of identity theft?
November 2009, 2008, 2007, 2006, 2005, 2004, n=5,000, 4,784, 5,075, 5,006, 5,000, 5,004. Base: All consumers.
7 2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All-Time Low, Javelin Strategy & Research, February 2010.
There is also a direct relationship between receiving a data-breach notification letter and going on to experience an identity fraud event, although not all recipients of data-breach notification letters went on to experience fraud. Of the 26% of consumers that said they had been notified of a data breach, 11.5% reported they had been victimized by identity fraud within the past 12 months. Consumers who had been notified of a data breach experienced fraud at nearly five times the rate of those who had not been notified.
Consumers who have received breach notifications suffered an
increased rate of identity fraud, averaging 11.5% vs. only 2.4%
for those who have not been notified. The pattern of increased
fraud victimization among consumers notified of a breach within
the past 12 months remains consistent from 2006 to 2008,
indicating that this is not a one‐time anomaly in 2009. (Refer to
Figure 17, Appendix.) Many consumers have yet to fully
understand the concepts of identity theft and identity fraud, let
alone identity protection services such as credit monitoring,
fraud alerts, and credit freezes – which are primarily designed to
protect against new accounts fraud. Some consumers may be
confused or overwhelmed as vendors of identity protection
services continue to expand their product features in an effort to
be as comprehensive as possible.
Notified Data Breach Victims Are Nearly 5 Times More Likely to Experience Identity Fraud
Figure 9: Fraud Rate Past 12 Months for Consumers Who Received Breach Notification Letters vs. Did Not Receive Breach Notification Letters vs. All Consumers (percent of consumers)
Received a data breach notification letter: 11.5%
Did not receive a data breach notification letter: 2.4%
All consumers: 4.8%
Q3. Have you, yourself, ever been a victim of identity fraud? In the last 12 months only. Q2. Have you ever been notified by a business or other institution that your personal or financial information has been lost, stolen or compromised in a data breach?
March 2010, n=239, 4,010, 1,275, 5,000. Base: All fraud victims in the last 12 months who have received a data breach notification letter, all fraud victims in the past 12 months who have not received a data breach notification letter, all fraud victims in the past 12 months.
In 2009, 1 in 4 American adults reported being notified by a
business or other institution that their information had been
compromised in a data breach (26%). This group of consumers
detected their breaches sooner than the average fraud victim (57
vs. 63 days) and they also stopped the misuse faster (74 vs. 99
days). Nonetheless, their average frauds were higher ($4,543 vs.
$3,775) and they paid more in consumer costs ($415 vs. $308).
Normally, the sooner a breach is detected and stopped, the
lower the costs.
This report will look at prevention, detection and resolution with
regard to data breaches.
Mean Fraud Costs for Victims Notified of a Data Breach are 20% Higher
Figure 10: Mean Consumer Costs and Fraud Amounts for Victims “Notified” vs. “Not Notified”
Notified   Consumer Cost   Fraud Amount
Yes        $415            $4,543
No         $308            $3,775
PREVENTION: HAVE AN INCIDENT RESPONSE PLAN HANDY
Like it or not, data breaches can happen even to the best companies, even to those that have been found to be in compliance with PCI or other security standards. Therefore it is important to have a data breach/incident response plan before a data breach occurs. At its most basic, a data breach response plan outlines the procedures a company needs to take immediately after a data breach or other network compromise is reported. But before such a plan can be crafted, an assessment needs to be performed. A company needs to understand what it has in terms of sensitive data.
Action Items
• Classify data as either non-sensitive or highly sensitive. Examples include:
  • Intellectual property
  • Customer PII
• Segment sensitive data and protect it.
• Restrict access to highly sensitive information by provisioning employees.
• Wipe or shred physical media and paper securely:
  • Overwrite hard drive data with 1s and 0s
  • Degauss (demagnetize) external media
  • Shred paper
• Prepare a document, with names, of those who will comprise the data breach/incident response team.
Limit Access to Sensitive Data
What is sensitive data? A simple answer: anything that is subject to regulatory action under the Gramm-Leach-Bliley Act (GLB), Sarbanes-Oxley (SOX), the FTC’s Red Flags Rules, the Payment Card Industry Data Security Standard (PCI DSS), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Health Insurance Portability and Accountability Act (HIPAA), or the European Union Data Protection Directive should be considered highly sensitive information.
More generically, the State of Illinois says personally identifiable information would include, but not be limited to: (a) a first and last name or first initial and last name; (b) a home or other physical address, which includes at least street name and name of city or town; (c) an e-mail address; (d) a telephone number; (e) a Social Security number; (f) credit and/or debit card information, including credit and/or debit card number with expiration date; (g) date of birth; (h) a driver’s license number; or (i) any other information from or about an individual customer that is combined with (a) through (h) above.8 Illinois further defines sensitive PII as combining a full name with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) driver’s license or state identification number; (2) Social Security number; or (3) account numbers (such as bank, credit or debit card numbers) when combined with any required security code, access code or password that would permit access to an individual’s financial account.
8 http://www.wired.com/threatlevel/2010/04/nsa-executive-charged Accessed May 21, 2010.
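The Illinois sensitive-PII rule above, expressed as a classifier that an organization could run over its data inventory. This is an added example, not code from the report; the record field names (full_name, ssn, credit_card, security_code and so on) and the sample records are assumptions.

```python
"""Classifier for the Illinois sensitive-PII rule described above.

Added example, not part of the Javelin report. Under the rule, a record is
sensitive PII when a full name is combined with at least one of: a driver's
license or state ID number, a Social Security number, or an account number
together with a code/password that permits access to the account, and either
the name or the data element is not encrypted. Field names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Field:
    """One stored value plus whether it is encrypted at rest."""
    value: str
    encrypted: bool = False


# Elements that, combined with a full name, make a record sensitive PII.
ID_ELEMENTS = ("drivers_license", "state_id", "ssn")
# Account numbers qualify only together with a code that permits access.
ACCOUNT_ELEMENTS = ("bank_account", "credit_card", "debit_card")
ACCESS_ELEMENTS = ("security_code", "access_code", "password")


def is_exposed(*fields: Field) -> bool:
    """The rule applies when at least one of the combined fields is unencrypted."""
    return not all(f.encrypted for f in fields)


def sensitive_elements(record: dict) -> list:
    """Return the record keys that make it sensitive PII (empty list if none)."""
    name = record.get("full_name")
    if name is None:
        return []  # the rule is keyed on the full name; no name, no match
    hits = []
    for key in ID_ELEMENTS:
        element = record.get(key)
        if element is not None and is_exposed(name, element):
            hits.append(key)
    access = [record[k] for k in ACCESS_ELEMENTS if k in record]
    for key in ACCOUNT_ELEMENTS:
        element = record.get(key)
        # An account number alone does not qualify; it needs an access code.
        if element is not None and access and is_exposed(name, element, *access):
            hits.append(key)
    return hits


def is_sensitive_pii(record: dict) -> bool:
    return bool(sensitive_elements(record))


def classify(records: list) -> dict:
    """Bucket records as the action items suggest: sensitive PII or other.

    'other' still may hold PII under the broader (a)-(i) list, e.g. a bare SSN
    with no name; it just does not meet the stricter sensitive-PII rule.
    """
    buckets = {"sensitive_pii": [], "other": []}
    for rid, rec in records:
        buckets["sensitive_pii" if is_sensitive_pii(rec) else "other"].append(rid)
    return buckets


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    ("r1", {"full_name": Field("Jane Doe"), "ssn": Field("000-00-0000")}),
    ("r2", {"full_name": Field("Jane Doe", encrypted=True),
            "ssn": Field("000-00-0000", encrypted=True)}),
    ("r3", {"full_name": Field("John Roe"), "credit_card": Field("0000000000000000")}),
    ("r4", {"full_name": Field("John Roe"),
            "credit_card": Field("0000000000000000", encrypted=True),
            "security_code": Field("000")}),
    ("r5", {"ssn": Field("000-00-0000"), "email": Field("j@example.com")}),
]

if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS))
```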
In addition, intellectual property should also be considered
sensitive. For example, the Uniform Trade Secrets Act includes
formulas, patterns, compilations, program devices, methods,
techniques, or processes. They also can be diagrams and flow
charts, supplier data, pricing data and strategies, source code,
marketing plans and customer information.
Sensitive data may lie outside its intended area of use. A
thorough assessment should scope out where such data resides,
no matter its relationship to the server hosting it. Every effort
should then be taken to secure and minimize access to the
designated sensitive data.
Once sensitive data has been mapped out, organizations should further limit access to that data on a need-to-know basis. Access to sensitive files and records should be set by HR and IT working together to determine what access is necessary for an employee to function within the organization. Carte-blanche access to sensitive information is both dangerous and unnecessary.
Where the Data Lives
There are three states of data within the organization that need to be assessed: data in motion, data at rest, and data at the endpoint. A compromise can occur in each of these.
• Data in motion: This category covers data moving into
or out of the network via the Internet. Avenues of
transit may include e‐mail, webmail, HTTP, instant
messaging (IM), peer‐to‐peer sites (P2P), and file
transfer protocol (FTP)
Protecting e‐mail is not as clear cut as filtering Outlook Exchange,
however. Employees may use webmail (which passes through
port 80, the Internet port) or e‐mail that is private. Hushmail is
an encrypted Java application that is used to share secure e‐mail
between two parties anonymously; the catch is that both have to
be using the service. Without access to the keys, the e‐mail is
unreadable to a third party. Here the U.S. government worked
with Hushmail to decipher the e‐mails critical to the case.
Instant messaging (IM), peer-to-peer (P2P), and file transfer protocol (FTP) involve consumer desktop applications and are sometimes blocked from installation by IT staffs. Some businesses need the instant communications with remote workers that IM provides; however, P2P and FTP are often unnecessary and dangerous because incorrect configurations can open a desktop and internal network to remote third parties.
Data on the network and data on its way toward storage, if
unencrypted or “in the clear,” may be subject to a sniffer, a piece
of code that can detect and make a copy of 16‐digit credit card
data. In the case of Heartland Payment Systems, that is what
happened; copies of the card data sent in the clear across the
Heartland network were copied and stored in .tmp files for third‐
party retrieval. The actual malware was well‐hidden, and almost
missed by two independent teams of forensic investigators.
• Data at rest: This category typically covers data sitting
in file systems, databases and other storage methods.
Data, particularly sensitive data, should be encrypted when at
rest and, following PCI’s requirement, the keys used for the
encryption should be rotated at least once a year. Data at rest
used to be the target of hacker attacks a decade ago; recently
there has been a decided shift toward data‐in‐motion attacks.
Hushmail, in addition to providing e‐mail service, also provides
encrypted and anonymous file storage and domain service with
various servers located around the world.
• Data at the endpoint: This category covers data sitting on laptops and within smartphones, USB devices, external drives, MP3 players, and CDs.
A more straightforward form of data loss, perhaps, is data lost through external devices such as the Apple iPod and iPhone, which, when plugged into a desktop, are capable of storing several gigabytes of data from the office network. Such devices are common in offices today, yet pose significant danger if employees are allowed to copy sensitive files to an external drive.9
More dangerous than a missing laptop might be the ubiquitous
USB drive (an employee is more likely to remember leaving
behind an expensive laptop than a tiny USB). In a recent survey,
the UK security company Credant found that 4,500 USB drives
were left behind in clothing sent to the dry cleaners. This is down
significantly from the 9,000 reported the previous year.
However, in the UK, the 4,500 lost USBs is still enough for
concern. Under a new Data Protection Act, a lost USB is
considered a data breach and the company whose data is on it is
subject to a fine of up to £500k.10
Thus, encrypting the data stored on hard drives of laptops, USBs,
and other external media makes sense, as does limiting access to
sensitive information through digital rights management (DRM).
DRM can specify whether a file is read‐only, not for printing, and
not for copying. Additionally, files can be marked as not for e‐
mail. Provisioning based on employee job descriptions and work
flow can further keep the temp out of the HR files.
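The sniffer discussed under data in motion copied 16-digit card data sent in the clear; a DLP network monitor looks for the same pattern so that such data is caught before it leaves. The following is an added example, not code from the report or from any vendor it lists; the channel names and sample messages are constructed.

```python
"""Content inspection for data in motion: find payment card numbers in the clear.

Added example, not code from the report or from any DLP vendor it lists. It
mirrors what a DLP monitor on the network does for the Heartland-style case
above: match 16-digit groups (with or without separators), keep only those that
pass the Luhn check to cut false positives, and mask them before the message
leaves. Channel names and the sample messages are constructed.
"""
import re

# 16 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid 16-digit numbers found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask all but the last four digits of every valid PAN in text."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * 12 + digits[-4:] if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_mask, text)


def inspect_message(channel: str, text: str) -> dict:
    """Policy decision for one message: block if any card number is in the clear."""
    pans = find_pans(text)
    return {
        "channel": channel,
        "verdict": "block" if pans else "allow",
        "pans": pans,
        "redacted": redact(text),
    }


# Constructed sample traffic; the 16-digit order and tracking numbers fail Luhn,
# so they are left alone, while the two test card numbers are caught.
SAMPLE_TRAFFIC = [
    ("smtp", "Order 1234567890123456 shipped, tracking 9999 9999 9999 9999"),
    ("webmail", "card 4111-1111-1111-1111 exp 12/12 cvv 123"),
    ("im", "second card 5500 0000 0000 0004, charge it today"),
    ("ftp", "quarterly report attached"),
]


def scan_traffic(traffic=SAMPLE_TRAFFIC) -> list:
    """Run the policy over every captured message."""
    return [inspect_message(channel, text) for channel, text in traffic]


if __name__ == "__main__":
    for result in scan_traffic():
        print(result["channel"], result["verdict"], result["redacted"])
```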
9 http://datalossdb.org/statistics Accessed April 6, 2010.
10 http://www.credant.com/news-a-events/press-releases/376-dry-cleaners.html Accessed May 21, 2010.
Physical Media Incidents Outnumber Virtual Media in Terms of Data Loss
Figure 11: How Data is Lost (share of incidents)
Stolen/Lost Laptop: 21%
Hack: 16%
Web: 13%
Fraud SE: 8%
Stolen/Lost Computer: 7%
Document for Disposal: 5%
Snail Mail: 4%
Unknown: 4%
E-mail: 4%
Stolen/Lost Media: 4%
Stolen/Lost Document: 5%
Stolen/Lost Tape: 3%
Stolen/Lost Drive: 3%
Virus: 1%
Source: DataLossDB
Sometimes common electronic media can disguise data theft.
Researchers have found a way to burn sensitive data onto an
otherwise ordinary CD.11 Steganography, the practice of hiding
something within plain sight, dates back several centuries to the
Roman era, and modern incarnations include storing text
documents within JPEG image files (thus, a picture can literally be
worth a thousand words). This new variation obscures the data
on a CD so that only CD players with tunable crystals can pull out
the sensitive information. When played on a standard drive, the
CD would not reveal the data; only by adjusting the crystal within
the CD player would the data be accessible. While it is unlikely
the typical employee would have access to a tunable crystal, such
technology might be possible in a high‐risk and very targeted
attack.
In addition to encrypting active files, secure destruction of older files is also necessary. Simply deleting data from hard drives and USB drives is not enough. The Windows operating system in particular makes it easy to reconstruct “deleted” files later, what’s called “data remanence.” IT staffs must therefore overwrite the deleted data with 1s and 0s. Better yet is degaussing, a process by which the magnetic field is removed, provided the media in question can be reformatted later. Finally, physically destroying the media is another option.
Not all data loss is electronic. The Identity Theft Research Center (ITRC) reports that 25% of all data breaches in 2009 involved paper documents.12 Often paper documents are not disposed of properly. CVS, the pharmacy, was fined $2.25 million in 2009 after the Department of Health and Human Services alleged that the company violated the Health Insurance Portability and Accountability Act (HIPAA).13 HHS investigators found prescriptions and other personally identifiable information in the dumpsters behind several CVS locations. In addition to the fine, CVS will also be audited every two years for the next 20 years to ensure that it is properly disposing of personal data.
DLP Solutions Vendors
To mitigate the dangers of leakage with data at rest, data in motion, and data at the endpoint, data loss prevention (DLP) systems make the most sense. DLP systems classify, encrypt, and monitor sensitive data. Some DLP systems also classify and monitor endpoint data. Some DLP systems on the market today include:
Cisco IronPort
Cisco offers its DLP solutions based on an organization’s size, for example the IronPort S160 is for systems up to 1,000 users, S360 from 1,000 to 10,000 users, S660 more than 10,000. One interesting differentiator is that the Cisco IronPort solution can work with existing DLP solutions by providing a security appliance that sits between traditional perimeter defenses, offering an additional layer of filtering and protection. http://www.ironport.com/technology/ironport_dlp_overview.html
Check Point
The Check Point DLP solution includes Innovative MultiSpect, a data classification system that combines user, content and process information to make accurate decisions around data sensitivity. Another solution, UserCheck, allows organizations to remediate incidents in real-time. For more information see http://www.checkpoint.com/products/dlp/index.html
RSA
According to RSA, its DLP Datacenter product identifies sensitive
data and then helps organizations enforce policies across file
shares, databases, storage systems such as Microsoft SharePoint
and other data repositories. Its DLP Network product identifies
sensitive data and then enforces policies across corporate e‐mail
systems, instant messaging, and web‐based protocols. Finally,
RSA’s DLP Endpoint product identifies sensitive data and then
11 http://www.credant.com/news-a-events/press-releases/376-dry-cleaners.html Accessed May 21, 2010.
12 http://www.idtheftcenter.org/artman2/publish/m_press/Data_Breaches_Undeterred_by_Laws_or_Common_Sense.shtml Accessed May 21, 2010.
13 http://www.networkworld.com/community/node/38684 Accessed May 21, 2010.
enforces policies for such data whether it is stored or in use on
laptops and desktops. For more information see http://www.rsa.com/node.aspx?id=3426
Trustwave
The three categories of data loss are covered by Trustwave’s DLP
products. Trustwave Discover handles data at rest. Trustwave
Monitor covers data in motion. And Trustwave Edge covers
endpoint. For more information see https://www.trustwave.com/dlp-overview.php
Websense
Designed for enterprise DLP deployments, Websense Data
Security Suite includes four integrated modules: Websense Data
Monitor (to see network traffic), Websense Data Protect (for
data at rest), Websense Data Endpoint (for external media), and
Websense Data Discover (for data classification). For more
information see http://www.websense.com/content/DataSecurity.aspx
DLP suites are also available from major antivirus vendors. These
include:
McAfee Data Loss Prevention
The McAfee DLP products work through the McAfee ePolicy
Orchestrator, a system information and event manager (SIEM;
see page 26). McAfee Network DLP Discover classifies data by
crawling the network, including laptops, to find sensitive data.
McAfee Network DLP Prevent enforces policies in e‐mail,
webmail, instant messaging (IM), wikis, blogs, portals, and Web
2.0 technologies. The McAfee Network DLP Monitor appliance
handles real‐time scanning and analysis of network traffic. The
McAfee Network DLP Manager appliance integrates the DLP suite
with the ePolicy Orchestrator. For more information, see http://mcafee.com/us/enterprise/products/data_protection/data_loss_prevention/dlp_modules/host_data_loss_prevention.html
Sophos
SafeGuard Enterprise is Sophos’ DLP product. It is heavy on AV,
and combines full disk encryption with system flags on content
deemed sensitive. It also works with third‐party security
defenses. For example, it can manage BitLocker encryption in
Windows Vista and Windows 7. For more information:
http://www.sophos.com/products/enterprise/encryption/safeguard-enterprise/
Symantec Data Loss Prevention
Symantec acquired and re‐branded the Vontu line of DLP
products. Symantec currently includes several distinct product
offerings: Symantec Data Loss Prevention Endpoint Discover,
Symantec Data Loss Prevention Endpoint Prevent, Symantec Data
Loss Prevention Network Discover, Symantec Data Loss
Prevention Network Monitor, Symantec Data Loss Prevention
Network Prevent. For more information see: http://www.symantec.com/business/theme.jsp?themeid=vontu
Trend Micro DLP
Award‐winning DLP protection comes from Trend Micro, which
provides specific solutions for endpoint, network and
management server monitoring. The hardware appliance
includes DataDNA™ fingerprinting to identify and secure
unstructured data. For more information see: http://us.trendmicro.com/us/products/enterprise/data-loss-prevention/
Create a Data Breach Response Plan
Having assessed and identified the sensitive data in the organization, the next step is to create a response plan.
A simple data breach plan should include the following:
1. Determine whether a breach did in fact occur.
  • A majority of data breaches are reported by external sources (e.g., card networks, law enforcement, etc.)
  • If the breach is large, then proceed to step 2.
2. Contact the incident response team, whose members should include:
  • Executives
  • Legal
  • Public and media relations
  • Compliance and risk management
3. Develop a communications strategy.
  • Choose one spokesperson.
  • Prepare scripts for call centers, FAQs, department heads, etc.
4. Determine the point of compromise and secure it.
  • Document date and time of discovery, date and time of breach
  • Method and extent of the breach
  • Can reduce compliance issues later
  • Can reduce civil liabilities going forward
5. Determine what notification laws come into play.
  • Have a notification strategy in place.
  • Notification laws are not restricted to the U.S.; other countries have them as well.
6. Update this response plan.
  • Annually, if no breach events
  • During the breach, as new information becomes available
Having an incident response plan is not enough. The plan should
be tested periodically and refined as needed. Then, if the
organization does experience a data breach, it can be enacted
effortlessly.
DETECTION: MONITOR FOR A DATA BREACH
Action Items
• Monitor logs and current activity in real‐time.
• Meet at least annually to review internal procedures in the event of a data breach and discuss adding new team members to reflect changes in the data landscape at the organization.
For data loss attributed to hacking and malware, monitoring the network with security information and event management (SIEM) systems, security information managers (SIMs) or other network monitoring systems can help. One important distinction is that while your company may experience many security “events,” not all of them are security “incidents.” An event can be defined as an anomalous activity detected on a system. Individual security tools, such as a firewall or an IDS, may not be adequate to tell the two apart. SIEMs monitor a variety of security tools, collating their events to create a real‐time picture of what is happening on the network.
As Figure 12 below shows, physical loss of data often results in fewer records lost than online loss of data. Misuse, deceit (social engineering) and physical theft are categorized as physical thefts, which result in fewer records stolen. Hacking and malware are online threats that result in far greater numbers of records lost, and thus are more profitable to thieves.
Hacking and Malware Account for Most of the Records Lost
Figure 12: Incidents (Cases) vs. Records Reported for Data Breaches
Threat category    % of Cases    % of Records
Hacking            64%           94%
Malware            38%           90%
Misuse             22%           2%
Deceit             12%           6%
Physical           9%            2%
Error              67%           0%
Environmental      0%            0%
Source: Verizon Business RISK Team © 2010 Javelin Strategy & Research
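The event‐versus‐incident distinction above (and the SIEM description in the vendor section that follows), as an added example that is not code from the report or from any vendor it lists: a small correlator normalizes constructed firewall, IDS and DLP log lines, keeps only the anomalous ones as events, and declares an incident only when two or more independent tools implicate the same internal host within a window. The three log formats, the 10.0.0.0/8 internal range, the 10 MB transfer threshold and the 15‐minute window are all assumptions.

```python
"""Event-to-incident correlator across several security tools.

Added example, not code from the Javelin report or from any vendor it lists.
Assumptions: the three log formats below, 10.0.0.0/8 as the internal range,
a 10 MB "large transfer" threshold and a 15-minute correlation window.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024            # assumed anomaly threshold
WINDOW = timedelta(minutes=15)                     # assumed correlation window
MIN_SOURCES = 2                                    # tools that must agree

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines from a firewall, a network IDS and a DLP agent, each
# in its own format. Only the two IDS alerts, the 55 MB transfer and the DLP
# match are anomalous; the small permitted transfers are routine traffic.
SAMPLE_LOGS = [
    "2010-04-06T02:14:03 fw ACCEPT src=10.1.5.23 dst=203.0.113.9 dport=443 bytes=812",
    "2010-04-06T02:14:10 ids ALERT sig=ET.TROJAN.Generic src=10.1.5.23 dst=203.0.113.9",
    "2010-04-06T02:15:41 fw ACCEPT src=10.1.5.23 dst=203.0.113.9 dport=443 bytes=58123904",
    "2010-04-06T02:16:02 dlp MATCH policy=PAN host=10.1.5.23 count=4120",
    "2010-04-06T09:30:00 ids ALERT sig=ET.SCAN.Nmap src=198.51.100.7 dst=10.1.8.4",
    "2010-04-06T11:05:00 fw ACCEPT src=10.1.7.2 dst=192.0.2.10 dport=80 bytes=1024",
]


@dataclass(frozen=True)
class Event:
    """One anomaly as seen by one tool, tied to the internal host it concerns."""
    ts: datetime
    source: str
    host: str
    detail: str


def _internal(*addrs: str | None) -> str | None:
    """Return the first address that falls inside the internal range."""
    for a in addrs:
        if a and ipaddress.ip_address(a) in INTERNAL_NET:
            return a
    return None


def parse_line(line: str) -> Event | None:
    """Normalize a raw line into an Event, or None for routine activity.

    A permitted small transfer is not an anomaly; a very large one is, which
    is easy to miss when the firewall log is the only thing being read.
    """
    ts_str, source, action, rest = line.split(" ", 3)
    ts = datetime.fromisoformat(ts_str)
    f = dict(KV.findall(rest))
    if source == "fw":
        if action != "ACCEPT" or int(f.get("bytes", 0)) < LARGE_TRANSFER_BYTES:
            return None
        host = _internal(f.get("src"))
        detail = f"large outbound transfer of {f['bytes']} bytes to {f.get('dst')}"
    elif source == "ids":
        host = _internal(f.get("src"), f.get("dst"))
        detail = f"IDS alert {f.get('sig')}"
    elif source == "dlp":
        host = f.get("host")
        detail = f"DLP policy {f.get('policy')} matched {f.get('count')} records"
    else:
        return None
    return Event(ts, source, host, detail) if host else None


def correlate(lines: list[str]) -> tuple[list[Event], list[dict]]:
    """Collate events per host; declare an incident only when at least
    MIN_SOURCES different tools implicate the same host within WINDOW."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    incidents = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - first.ts <= WINDOW]
            sources = {e.source for e in window}
            if len(sources) >= MIN_SOURCES:
                incidents.append({
                    "host": host,
                    "sources": sorted(sources),
                    "start": first.ts,
                    "end": window[-1].ts,
                    "evidence": [e.detail for e in window],
                })
                break  # one incident per host is enough to open a case
    return events, incidents


if __name__ == "__main__":
    evs, incs = correlate(SAMPLE_LOGS)
    print(f"{len(evs)} events, {len(incs)} incident(s)")
    for inc in incs:
        print(inc["host"], inc["sources"], *inc["evidence"], sep="\n  ")
```

On the sample data the lone IDS scan alert against 10.1.8.4 stays an event, while 10.1.5.23 becomes an incident because the IDS, the firewall and the DLP agent all point at it within two minutes.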
There is a perception that the major data breaches are discovered by vigilant IT staffers. This romantic view was perhaps made popular by Clifford Stoll tracking down a $0.75 discrepancy in his University of California‐Berkeley account, as chronicled in the bestselling book The Cuckoo’s Egg. While it does happen, it does not happen nearly as often as one might think. Verizon Business states that 75% of the data breach cases it has investigated went undiscovered and uncontained by the IT staff for weeks or months.14
Data collected by the Verizon Business RISK Team shows that third parties, not IT staff, often discover a data breach.15 Verizon Business acknowledges that some of its clients had sufficient evidence available to discover the breach themselves, but says this was only seen in retrospect: companies are not diligent enough in analyzing the data in real time. Rather, data breaches typically go unnoticed until a significant number of frauds are detected by third parties, such as card brands or law enforcement.
Third Parties Discover 7 out of 10 Data Breaches
Figure 13: Comparison of Detection – Internal vs. External Sources
Internal Active: 7%
Internal Passive: 24%
Third Party: 69%
Source: Verizon Business RISK Team © 2010 Javelin Strategy & Research
14 http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf Accessed April 6, 2010.
15 Ibid.
SIEM Vendors
There are ways to protect data in real‐time. In addition to DLP services, which classify and block data release, real‐time monitoring of all sensitive data on the internal networks can be accomplished through security information management (SIM) systems or security information and event management (SIEM) systems. These reconcile the data coming from firewalls, intrusion detection systems (IDS) and other security tools and create a real‐time analysis of what’s going on in your network. Vendors in this space include:
ArcSight
ArcSight offers Enterprise Security Manager (ESM), software that is designed for large organizations and requires some training. For smaller organizations, ArcSight Express is an appliance‐based version of ESM that comes with preconfigured reports and monitoring. For more information see: http://www.arcsight.com/products/
Cisco
For SIEM, Cisco offers its Cisco Security Monitoring, Analysis and Response System (MARS), an appliance which combines SIM with SEM and network behavior analysis. Designed for out‐of‐the‐box use, it is part of the Cisco Security Manager. For more information see: http://www.cisco.com/en/US/products/ps6241/index.html
eIQNetworks
eIQNetworks sells its SecureVue software and appliances, which combine SIM, SEM, network behavior analysis and security compliance configuration policy. For more information see: http://www.eiqnetworks.com/solutions/SIEM_and_Log_Management.shtml
IBM
IBM has three different offerings in this space: Tivoli Compliance
Insight Manager (TCIM), IBM Tivoli Security Operations Manager
(TSOM), and IBM Tivoli Security Information and Event Manager
(TSIEM). The latter combines TCIM and TSOM for a
comprehensive view of the network. For more information see:
http://www‐01.ibm.com/software/tivoli/
McAfee
McAfee’s ePolicy Orchestrator, a system information and event manager, integrates with its DLP solutions and other third‐party perimeter defenses that an organization may have in place. For more information see: http://www.mcafee.com/us/enterprise/products/security_management_console/epolicy_orchestrator.html
RSA
For monitoring the network, RSA offers two services: RSA Security Information Management and RSA Security Event Management. These two, when combined with log management, provide RSA’s SIEM product. For more information see: http://www.rsa.com/node.aspx?id=3207
Splunk
San Francisco‐based Splunk is an evolved SIEM that enables organizations to search, report, monitor and analyze streaming and historical data from any source on their network. For more information see: http://www.splunk.com/
Symantec
Symantec Security Information Manager (SSIM) combines SIM,
SEM, and log‐management capabilities, with Symantec
DeepSight, a global threat‐monitoring network. An appliance
collects data on site.
Trustwave
Trustwave’s line, consisting of Trustwave SIEM, Trustwave Managed SIEM, and Trustwave SIEM Operations Edition, monitors events on the network in real time.
Enact Your Incident Response Plan
Immediately after a breach has been identified and confirmed, the incident response team representatives need to be assembled. This team should have already been created and include a member from each of the following: the executive team, the legal staff, public relations, and, of course, the IT and compliance and risk‐management teams. The executive representative acts as a liaison with management. The legal staff is responsible for determining what laws may be triggered by the breach and advises the company how best to respond. The public relations representative serves to protect the brand by crafting communications with the media. The IT and compliance and risk‐management representatives are responsible for determining what happened.
How Data Loss Protection and Monitoring Fit into the Organization
Figure 14: Layering Protection with SIEM and DLP
©2010 Javelin Strategy & Research
Determine the Point of Compromise and Secure It
Documentation is important for law enforcement and compliance. Once a breach has been identified, establish a chain of custody for log files. Often this is as simple as having two individuals sign for possession of the files, media, or other potential evidence.
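The two‐signature handoff just described (also the chain‐of‐custody item in the Recommendations), as an added example that is not code from the report or from any vendor it names: a small ledger records the evidence hash plus a receiver and a witness at each transfer, hash‐links the entries so none can be quietly edited, and refuses a handoff if the file no longer matches. The file name, custodian names and the sample log content are constructed.

```python
"""Chain-of-custody ledger for breach evidence such as log files.

Added example, not from the Javelin report or any vendor it names. It makes
the two-signature handoff checkable: every transfer records the evidence hash
plus a receiver and a witness, entries are hash-linked so none can be quietly
edited, and a handoff is refused if the file changed since the last one.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the evidence in chunks so large log files or images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry: dict) -> str:
    """Canonical JSON so an entry always hashes the same way."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only record of who held one piece of evidence, and when."""

    def __init__(self, evidence: Path):
        self.evidence = Path(evidence)
        self.entries = []

    def hand_over(self, receiver: str, witness: str, note: str = "") -> dict:
        """Record a transfer signed by two different people."""
        if receiver == witness:
            raise ValueError("receiver and witness must be two different people")
        digest = sha256_file(self.evidence)
        if self.entries and self.entries[-1]["sha256"] != digest:
            raise ValueError("evidence changed since the last handoff; refuse it")
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "evidence": self.evidence.name,
            "sha256": digest,
            "receiver": receiver,
            "witness": witness,
            "note": note,
            "prev": entry_hash(self.entries[-1]) if self.entries else "",
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if no entry was edited or dropped and the file still matches."""
        prev = ""
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev:
                return False
            prev = entry_hash(e)
        if not self.entries:
            return True
        return sha256_file(self.evidence) == self.entries[-1]["sha256"]


def run_demo() -> dict:
    """Walk a constructed log file through two handoffs, an edited ledger
    entry and a modified file, and report what the ledger detected."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        evidence = Path(d) / "payment-server.log"          # constructed evidence
        evidence.write_bytes(b"constructed sample log line\n")
        ledger = CustodyLedger(evidence)
        first = ledger.hand_over("analyst A", "analyst B", "collected from server")
        second = ledger.hand_over("detective C", "analyst A", "released to law enforcement")
        results["linked"] = second["prev"] == entry_hash(first)
        results["chain_ok"] = ledger.verify()

        ledger.entries[0]["receiver"] = "someone else"     # simulate an edited record
        results["edit_detected"] = not ledger.verify()
        ledger.entries[0]["receiver"] = "analyst A"        # restore the record

        evidence.write_bytes(b"altered after collection\n")  # simulate tampering
        try:
            ledger.hand_over("analyst B", "detective C")
            results["tamper_refused"] = False
        except ValueError:
            results["tamper_refused"] = True
        results["file_mismatch_detected"] = not ledger.verify()
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'yes' if ok else 'no'}")
```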
Final determination of the cause of the breach might not be immediate, but it is very important to find out what happened. In the case of Heartland Payment Systems, after the company was informed by Visa that card accounts processed by Heartland were on the Internet black market, two independent forensic examinations failed to discover evidence of a breach. It was only at the eleventh hour that one firm found a cache of .tmp files containing credit card numbers. This led to the discovery of a rootkit, a file buried deep in the kernel of the payment server’s operating system.
Heartland Payment Systems has since shared the rootkit it found with other processors. For financial institutions, there are opportunities to share information through the card networks and programs such as the Identity Theft Assistance Center (ITAC), Early Warning Services, the BITS Fraud Steering Committee and Fraud Program, the Financial Services Technology Consortium, etc.
Breach Assessment Vendors
Not all organizations are capable of conducting their own internal breach investigation. There are two organizations that can investigate and work with law enforcement. PCI maintains an updated list of PCI‐qualified assessors here: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
RESOLUTION: NOTIFICATION AND RESOLUTION
Action Items
• Notify affected customers per state laws.
• Notification letters can be handled by a third party.
• Customer database cleanup and completion can be handled by a third party.
• Consider sharing detailed breach information with your industry ISAC or FBI InfraGard.
In 46 states and three U.S. territories there are specific laws regarding when breached companies must contact potential victims. As part of the incident response plan, the company should have a notification service to help with notifying all potential consumers affected by the data breach.
Notification companies offer services beyond mere boilerplate text for the letters sent out to customers or the press. Several companies told Javelin they provide the ability to clean up customer databases, updating addresses or completing incomplete ones. These companies also remove duplicate entries, a process that sometimes lowers the number of actual customers affected by a given breach (for example, several records breached at a company may belong to one customer). Companies that do not provide customer list services said they could enlist third parties.
After notification comes resolution. All of the companies below offer resolution assistance, including the creation of a website and a customer call center, although only Kroll offered the dedicated service of one investigator assigned to a customer’s case, whether the case takes three months or three years to resolve. A few companies told Javelin they take limited power of attorney as a means of helping victims recover.
Notification and Resolution Vendors
Affinion Data Breach
Affinion helps breached organizations with the execution of the notification process. Unique to Affinion is its new contract service, allowing organizations to contract with Affinion for unspecified service. When a breach occurs, they can choose what specific service they want Affinion to provide, including normalizing the customer database to eliminate duplicates and update addresses with full zip codes and other United States Postal Service standards, credit monitoring, online data sweeps for personal information, and dedicated fraud resolution caseworkers for the duration of the incident. Furthermore, enrollment options can include multiple service channels including US mail, website, IVR, and call center support. Affinion also provides resolution services, including automatic registration of breach victims in credit monitoring. For more information see: http://www.breachshield.com/
Experian
Experian contracts with companies to produce the notification letters as well as to provide guidance on the notification process and overall communication with victims. They also provide consumer fraud protection options (e.g., credit monitoring) and a National Fraud Database, which provides single‐point direct access to nationwide consumer and commercial fraud records. For more information see: http://www.experian.com/business‐services/data‐breach‐protection.html
Equifax
For the organization, Equifax provides its Data Breach Response Team, a service that offers pre‐breach planning and customer care in the event of a data breach, including notification (mail only) and call center support. In addition, the company provides a variety of consumer fraud protection services such as credit monitoring, credit freezes and fraud restoration. For more information see: http://www.equifax.com/business/en_us
ID Experts
ID Experts offers organizations a full‐service notification and support service with multiple channels for breach victims (letters, Web site, call center). This includes: composition, delivery and tracking of notification letters and outreach; breach assessment; consumer protection (credit monitoring and remediation if fraud occurs); a call center and Web site; a “total recovery” approach to data breach response (breach assessment, response, consumer protection, and recovery); and experience working with financial institutions (which comprise one‐third of its client base). For more information see: http://www.idexpertscorp.com/newsstories/?articleid=254
Intersections
The data breach response plan from Intersections includes flexible service configuration options for consumer fraud protection and enrollment methods (online and offline fulfillment; credit‐focused and/or full‐spectrum identity protection services). Intersections also offers integration with the Identity Theft Assistance Center (ITAC), breach response program development, and a full spectrum of services for breach notification, effective customer protection, and identity theft recovery. For more information see: http://www.intersections.com/Breach.html
Identity Theft 911
Identity Theft 911 primarily works with the insurance industry, providing data breach resolution services for some of the largest insurance companies in the United States. Through partnerships with Identity Guard, TransUnion and TrueLink Notification, Identity Theft 911 handles the response for credit and financial services, law enforcement and consumer advocacy organizations. For more information see: http://www.identitytheft911.com/whatwedo/databreach.htm
Kroll
Kroll offers a full‐service victim notification and support service in addition to its comprehensive investigation and restoration services for fraud victims. Kroll has a strong reputation in the breach recovery space, and is considered an industry leader in fraud investigation and identity restoration. For more information see: http://www.krollfraudsolutions.com/breach‐products‐and‐services/defenses.aspx
LifeLock
In addition to providing consumer prevention, LifeLock offers a resolution package that includes notification and response via letters, call center, and website support. The company also provides, if desired, public relations support (including PR guidelines and sample press releases) as well as tracking and reporting of outreach operations and victim response. For more information see: http://www.lifelock.com
TrustedID
TrustedID provides a multitier response focused on resolution. This includes a communication package that recommends language and correspondence for notifying victims and other stakeholders. The company makes sure that state‐by‐state breach notification requirements are met. Additionally, TrustedID offers consumer protection services to monitor for signs of identity fraud. For more information see: https://www.trustedid.com/products.php?databreach
RESOLUTION: WHO SUFFERS MOST?
There are two primary victims in a data breach: the organization that is breached and the customers who have their personal data exposed. There are also plenty of candidates for collateral damage: organizations that, in doing their jobs, get caught in the crossfire and are sometimes blamed.
The Blame Game: Who Do Customers Blame for a Data Breach?
Financial institutions often become the face of a data breach to their cardholders and can be viewed in a less favorable light as a result. An FI is often the party that first contacts the consumer or mails out a new card after a data breach event, sometimes based on a fraud event. However, nearly three times as many consumers blame the merchant or retailer as the party most likely to be responsible for any data breach.
Consumers Blame Merchants More than Issuers or Financial Institutions
Figure 15: Consumers’ Assignation of Fault in a Data Breach
Merchant or retailer I have purchased from: 61%
Financial institution or card issuer: 21%
An employer: 7%
Other, please specify: 7%
A government agency: 4%
Q52: In the event a data breach occurs, which of the following do you believe is most likely at fault? (Select one only)
November 2009, n=3,294. Base: All consumers.
© 2010 Javelin Strategy & Research
Customers Don’t Connect Breach Notifications with Fraud
Among consumers who received a data breach notification in the past 12 months, 19% suffered fraud, yet only 2% attributed their fraud to a data breach. It seems as if consumers are not connecting the dots between data breach notifications and fraud events. They are aware, in the abstract, that their personal records have been compromised, but when they become a victim of fraud they do not make the connection to the earlier breach notification.
The implications of this finding, if true, are shocking. While the idea of notification is to provide an opportunity for consumers to take action to protect themselves, apparently they do not. This suggests that notification is not working. Consumers apparently do not understand that the data breach puts them at increased risk for other types of fraud. It also suggests that consumers who are explicitly notified have an increased need for identity protection services such as fraud alerts, security freezes, credit monitoring, and identity monitoring. Identity protection services vendors need to assist in fully educating consumers about the potential consequences of receiving a data breach notification letter.
A Disconnect Exists Between Actual Fraud Caused By Data Breach and Consumer Understanding
Figure 16: Actual Fraud Rates Among Data Breach Victims Last 12 months vs. Fraud Attributed to the Data Breach by Those Notified of Data Breach Last 12 Months
Year    Data breach victims (notified in the last 12 months) who experienced any fraud in the last 12 months    Fraud victims who received a data breach notification (within past 12 months) who self‐identified that their information was obtained through a data breach
2008    19.5%    1.9%
2007    20.4%    0.6%
2006    15.8%    0.4%
October 2008, 2007, 2006; n = 105, 109, 97. Base: Data breach victims in the last 12 months.
© 2009 Javelin Strategy & Research
Case Studies
How companies choose to handle the public face of a data breach, and how they respond, varies widely. Three case studies are BNY Mellon, TJX and Heartland Payment Systems.
TJX: This retail chain is perhaps the poster boy for all data‐breached companies. The company remains in business, and one could argue it has successfully navigated a potentially disastrous period. TJX will be monitored for the next 20 years and, like Heartland, it has paid and will continue to pay millions of dollars in settlements and fines for years to come. TJX settled with Visa for $41 million and MasterCard for $24 million.
Heartland Payment Systems: The payment processing company Heartland Payment Systems was presented with evidence by the card brands that credit cards seen sold on the Internet in fall 2008 were suspected to have been processed through Heartland. After several months of independent analysis, Heartland confirmed the breach and went public on Jan. 20, 2009. Immediately following, Heartland’s stock plummeted from $15 before the disclosure to $3.43 a few weeks later, when the processor was delisted from the list of PCI‐compliant companies (Heartland was relisted in May 2009). Additionally, the company has since paid $129 million in consumer losses, $60 million to Visa, $41 million to MasterCard, and currently pays about $2 million a month in legal bills.
BNY Mellon: In 2007, the bank found that a backup tape being transported by a third‐party vendor (Archive Systems) was missing. The tapes included shareholder and plan participant account information for 4.5 million people, including such sensitive data as name, mailing address, Social Security number, and transaction activity.16 The bank was criticized for delaying in notifying the public and the other banks (People’s United Bank) that were affected by the loss.17 In response, BNY Mellon disclosed the data breach, and provided affected customers with a web page that not only disclosed the details of the data breach, but also provided a link to ID protection services available to those who received a letter.18
16 http://www.bnymellon.com/tapequery/shareownerservices.html Accessed May 21, 2010.
17 http://www.reuters.com/article/idUSN2320877320080523 Accessed May 21, 2010.
18 http://www.bnymellon.com/tapequery/shareownerservices.html Accessed May 21, 2010.
RECOMMENDATIONS
One key to surviving a data breach is knowledge. Knowing in advance what sensitive information your organization has and where it resides is a major step toward protecting and monitoring that data. Another is having an incident response plan ready, and this includes not only the names and contact information for all the critical parties, but also a strategy for notifying affected customers and providing them with identity fraud protection and resolution.
• Assess all data and secure the most sensitive data. Before a data breach, create a baseline assessment of how much sensitive data your organization has and where it lives.
• Provision employees to limit access to sensitive data. In concert with HR and IT, limit the access employees have to what they need to get their jobs done.
• Provide employees with data breach sensitivity training. One company, Identity Theft 911, suggested that just as HR requires employees to take a sexual harassment sensitivity training, employees should have a data breach sensitivity training as well. Such an interactive video or lecture could identify common online behaviors that would not be acceptable in the office. Review annually.
• Determine how a data breach occurred. Perform enough forensic analysis to determine the true cause, not just the symptom of data leakage. If one piece of malware is hiding on your system, others could be there as well.
• Immediately assemble the data breach response team. Notify department heads and prepare messaging around the event. Develop a comprehensive response strategy. Prepare scripts for customer service reps and FAQs for online use, and vet all of these through legal. Determine notification requirements and the response, and mail notifications.
• Establish a chain of custody for all evidence. Have more than one person sign off on all log files, hardware, and data collected during the breach investigation; this will make it easier to hand over to law enforcement.
• Designate a single spokesperson for the media. Train staff to direct public inquiries to the designated website or 800 number. Public disclosure can help bring awareness to the overall problem of data breaches, and more resources to mitigate and stop future attacks.
• Assess the response. Throughout the breach response, assess it and make changes based on feedback if necessary.
• Share details of the breach experience with other organizations in your space. Bad guys share data; good guys typically do not. Associations such as FS‐ISAC, NACHA, and others have begun facilitating sharing among members. Newer organizations such as the Secure POS Vendor Alliance have formed to share details of attacks in partnership with the Secret Service and other law enforcement agencies.
APPENDIX
Four Times Higher Fraud Victimization Rate Among Data Breach Victims
Figure 17: Breach Victims (Notified Last 12 Months) Fraud Rate vs. All Consumers Fraud Rate
Year    Data breach victims (notified in the last 12 months) who experienced any fraud in the last 12 months    All consumers (fraud rate)
2008    19.5%    4.32%
2007    20.4%    3.62%
2006    15.8%    3.74%
October 2008, 2007, 2006; n = 539, 535, 552 / n = 4,874, 5,075, 5,000
Base: Data breach victims, all U.S. adults. © 2009 Javelin Strategy & Research
RELATED RESEARCH
New Federal Personal Health Information Breach Notification Law: HITECH Act — A Tsunami of Opportunity
April 2009
New federal legislation designed to improve the nation's quality and coordination of medical care has created a perfect storm at the intersection of the health care and financial industries. Physicians and hospitals will be rushing to go online to take advantage of temporary monetary incentives. Handled well, prospects for enhanced medical care are considerable. But if the online transfers aren't handled properly, the opportunities generated will benefit data thieves, rather than health care. And with a new national data breach notification requirement in place for personal health information, the impact of the Health Information Technology for Economic and Clinical Health Act (HITECH) could be staggering. This report explains the new federal requirements extending HIPAA security and privacy and addresses the impact of this bill on the financial and health care industries.
2010 Identity Fraud Survey Report: Identity Fraud Continues to Rise – New Accounts Fraud Drives Increase; Consumer Costs at an All‐Time Low
February 2010
ID fraud continued to rise in 2009, with Javelin finding there are more victims than in any period since the survey began in 2003. Driving that increase was new accounts fraud, which showed longer periods of misuse and detection and therefore more dollar losses associated with it than any other type of fraud. Meanwhile the consumer costs, the dollar amounts the victim pays on average out‐of‐pocket, reached an all‐time low. The Javelin 2010 Identity Fraud Survey Report provides a detailed, comprehensive analysis of identity fraud in the United States to help consumers and businesses better understand the effectiveness of methods used for its prevention, detection and resolution. A nationally representative sample of 5,000 U.S. adults, including 703 fraud victims, was surveyed via a 50‐question phone interview to gain insight into this crime and the effects on its victims. This report, supported by the Better Business Bureau, is issued as a longitudinal update to the Javelin 2005, 2006, 2007, 2008, and 2009 I.D. Fraud Survey reports and the FTC’s 2003 report.
Data Breach Notifications: Victims Face Four Times the Risk of Fraud
October 2009
If a consumer gets a data breach notification letter, he is four times more likely to suffer identity fraud within the next year. Data breach notifications were intended to help consumers take protective action when their private data is exposed. But there seems to be a disconnect between data breach notifications and consumer understanding of possible outcomes of data breaches. New data shows that consumers who have received data breach notifications within the past year are at a much greater risk for fraud than the typical consumer. Yet, these same consumers rarely attribute the fraud to their data breach exposure. This report also contains an update of data breaches for 2009, implications of changes to the legislative landscape, and the technical means by which data breaches occur. Finally, a timeline of several of the recent, most egregious data breaches in U.S. history (including who, how, where and when) is included.
Companies Mentioned
Affinion
ArcSight
BNY Mellon
Check Point
Cisco
CVS/Pharmacy
Early Warning Services
eIQNetworks
Equifax
Experian
Heartland Payment Systems
IBM
ID Experts
Identity Theft 911
Intersections
Kroll
LifeLock
McAfee
RSA
Sophos
Splunk
Symantec
TJX
Trend Micro
TrustedID
Trustwave
USPS
Verizon
Websense
Windows