I did an analysis of the UK's Information Commissioner's (ICO) "Taking Action" incidents for 2011. There were approximately 80 incidents where the ICO took action, after personal data breaches. Of these:
- 26 were related to unencrypted media (e.g. lost or stolen laptop or USB memory stick);
- 24 were caused by a misadventure of some sort with paper records;
- 14 resulted from data being electronically sent (e.g. email or fax) to the wrong recipient;
- 12 came from an application or website issue;
- 4 were categorised under "other".
The UK's Information Commissioner (ICO) lists the actions he has taken against individuals or organisations found to have been in breach of the UK Data Protection Act. I did an analysis of the incidents for the year 2011. The main purpose is to analyze the causes of these incidents to gather metrics.
I divided the incidents into 5 categories:
- Unencrypted Media - this includes such items as loss or theft of unencrypted media such as USB sticks or laptops.
- Loss of Paper Records - including incidents where physical documents are misplaced, lost, found in a waste bin, or similar.
- Electronic Records Missent - where personal data is sent electronically to the wrong recipient using either email or FAX
- Website/Application Issue - where the action results from some sort of application or website issue.
- Other - which did not fit into any other category
The following table shows the results:
|Loss of Paper Records
|Electronic Records Missent
The ICO does not usually say whether an actual loss occured as a result of any incident. There are a number of incidents where you get two for the price of one. For example a laptop is stolen along with paper records.
The results show that the majority of incidents have relatively simple or mundane causes. Advanced hacking techniques were generally not employed. The lessons to be taken from this analysis are that basic security measures will prevent the majority of these incidents:
- Security awareness training to reinforce the message that people should be careful when pressing the send button.
- Do not use USB sticks
- Encrypt laptops (and USB sticks if they must be used)
There is a spreadsheet on Google Docs of the analysis (See Useful Links)
I did a similar type analysis of ICO enforcements in 2010 (See Useful Links)
- ICO: Taking Action - Undertakings, Enforcements and Monetary Penalties
- UK Information Commissioner (ICO) Enforcements and Website Hacks (Entry on this blog)
- ICOTakingAction - Google Docs Spreadsheet analysis of results