- a spreadsheet with names, Social Security numbers and birth dates of 3,300 people charged with minor drug and alcohol offenses was mistakenly posted to the Indianapolis government Web site for 11 days.
- In October 2008, The Charleston Gazette reported that a laptop containing personal information of more than 500 West Virginia state employees was stolen from a contractor's parked vehicle.
- In July 2007, The North County Times reported that credit card and checking account information for about 1,200 people who had enrolled in city recreation programs was posted in a public folder on the Encinitas, Calif., city Web site for three months.
- In August 2007, the New York Daily News reported that a laptop containing the names, addresses, Social Security numbers and pension information of about 280,000 New York City retirees was stolen from a restaurant. The laptop had been in the possession of a contractor.
In the Indianapolis and Encinitas cases, as in New Hampshire, the compromised organizations didn't know about the breaches until quite some time after they occurred. According to the Verizon report, that's not uncommon in the public or private sectors.
Too Little, Too Late?
Verizon's figures show that 63 percent of breached organizations took months to discover the breach, 18 percent took weeks, 14 percent days, 3 percent hours and 2 percent years.
"We're finding it's taking months for these entities -- whether it's government or the private sector -- to realize they've been breached. Not only that -- they're not the ones realizing it," said Eric Brohm, a senior security consultant for Verizon. "The realization is often coming from the third party in three out of four of those cases."
As Brohm said, 75 percent of breaches cited in the report were discovered by a third party, and 66 percent of them involved information the breached organizations didn't even know existed.
So how are organizations letting such an embarrassingly high number of breaches slip through the cracks? The problem may be a collective case of poor information management.
"The No. 1 thing they are not doing now that they should be doing is monitoring the IT security measures they already have in place," Brohm said. "A very simple example of that is: We do a lot of cases where people have great, verbose Web logs that are logging every bit of information on every single transaction that comes and goes from their site. The evidence of the breach is right in there, but no one's bothering to look at it."
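Brohm's point, that the evidence is already sitting in the web logs nobody reads, can be made concrete. The script below is an added example, not code from the article, from Verizon or from any of the agencies named; it parses combined-format access log lines and reports every successful download of a file whose extension suggests a bulk data export (spreadsheet, CSV, database dump), together with the first and last time it was fetched, how many distinct clients fetched it and whether any request arrived via a referring page. The sample log lines, the path names and addresses, and the list of "data export" extensions are all constructed for the example; a real deployment would use its own inventory of sensitive file types.

```python
"""Find downloads of data-export files in web-server access logs.

Added example, not from the article. The first and last hit on a
spreadsheet that was mistakenly left in a public folder bound the
exposure window from below; the true window starts when the file was
published, so compare with the file's modification time as well.
"""
import re
from datetime import datetime

# Apache/Nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Extensions that usually mean exported data rather than a web page (assumed list).
DATA_EXTS = (".xls", ".xlsx", ".csv", ".mdb", ".accdb", ".sql", ".bak", ".zip")

# Constructed sample log lines; addresses are from documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2008:09:14:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2008:09:14:09 -0500] "GET /public/records/offenders.xls HTTP/1.1" 200 418304 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2008:22:41:17 -0500] "GET /public/records/ HTTP/1.1" 200 2311 "-" "curl/7.18"
198.51.100.7 - - [05/Jun/2008:22:41:20 -0500] "GET /public/records/offenders.xls HTTP/1.1" 200 418304 "-" "curl/7.18"
192.0.2.44 - - [13/Jun/2008:10:02:55 -0500] "GET /public/records/offenders.xls HTTP/1.1" 200 418304 "http://search.example/?q=records" "Mozilla/4.0"
192.0.2.44 - - [13/Jun/2008:10:03:10 -0500] "GET /rec/enroll/payments.csv HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_data_export(rec):
    """True for a successful GET of a file whose extension suggests exported data."""
    path = rec["path"].split("?", 1)[0].lower()
    return rec["method"] == "GET" and rec["status"] == 200 and path.endswith(DATA_EXTS)


def exposure_report(lines):
    """Group data-export downloads by path: hit count, distinct clients, referers, window."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_data_export(rec):
            continue  # unparseable line or an ordinary page request
        entry = report.setdefault(rec["path"], {
            "first": rec["ts"], "last": rec["ts"], "hits": 0,
            "clients": set(), "referers": set(), "bytes": rec["size"],
        })
        # min/max rather than assignment so unordered or rotated logs still work
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["hits"] += 1
        entry["clients"].add(rec["ip"])
        if rec["referer"] != "-":
            entry["referers"].add(rec["referer"])  # a referer hints the file got linked or indexed
    for entry in report.values():
        entry["window_days"] = (entry["last"] - entry["first"]).days
    return report


if __name__ == "__main__":
    for path, e in exposure_report(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: {e['hits']} downloads by {len(e['clients'])} clients, "
              f"{e['first']:%Y-%m-%d} to {e['last']:%Y-%m-%d} ({e['window_days']} days), "
              f"{len(e['referers'])} referring pages")
```

Run against a real log the report is a starting point, not a verdict: the file may be meant to be public, and a 404 for a data file (the last sample line) is still worth a look because it shows someone guessing for exports. The useful habit is the one Brohm describes, running something like this over the logs that are already being collected instead of letting them sit unread.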
He said that in many of the risk team's cases, the organizations hadn't audited their systems and consequently had no record of what data they held, where it flowed and which applications or devices stored it.
Jay Foley, executive director of the Identity Theft Resource Center (ITRC), advises organizations to be sure their audits include reviews of policies and procedures for data handling and privacy. Documentation should explain how pieces of information are dealt with, from dissemination to destruction.
"There should be policies on what information we publish -- i.e., what stuff do we put on our Web site? What criteria does it meet? Secondarily [we should examine] how we handle the information as it goes across the desks of our organization's people, as it's stored after-hours, as it reaches its final destination in our organization, and where it's stored on a permanent basis until it's recommended for disposal. Last, but not least, how do we dispose of it?" Foley said.
And it wouldn't hurt for employees to be told why the information is so important to protect, he said.