Stephen A. Weis

Home · Bibliography · Experience · Software · Crypto Course · Java Course · HB+ · OSF Data Analysis

Analysis of OSF's Breach Data

These graphs were produced from the Open Security Foundation's Dataloss Database in July 2008. OSF's entire CSV database of data breach incidents is available for download on their site. Verizon's 2008 Data Breach Investigation Report may also be of interest. Some quick observations:

Over 80% of leaked credit card records were from external hacking incidents.
An astonishing 20% of all of the card leaks that OSF has reported were from a single incident: CD Universe. Universities cumulatively account for about 15% of the credit cards leaked in the last 8 years.
Malicious insiders accounted for 16% of leaked records. However, each incident of malicious insider attack leaked nearly 3 times the number of records as outside attacks. Not surprisingly, malicious insiders are rarer, but get more bang for their buck.
Over 82% of Social Security numbers lost were through lost or stolen media or computers, and 13% of the time through hacking or fraud.
In contrast names, addresses or phone numbers were only leaked 42% of the time through lost or stolen media and 64% of the time through hacking or fraud. One explanation might be that names, addresses, or phone numbers are more often stored with credit card numbers, which are the targets of external attacks.
Accidental disclosures only accounted for 2.3% of all overall records leaked.
Within accidental disclosures, 36% were due to improper disposal of media or computers. Surprisingly, 30% were due to leaks via snail mail.

Breakdown of Attack Type by Source Incidents by Source Total Records Leaked by Source Average Records Leaked per Incident by Source Records Leaked by Attack Records Accidentally Disclosed by Attack Records Leaked by Outside Atttack Type Credit Card Numbers Disclosed by Attack CCNs Disclosed by External Attack by Source SSNs Disclosed by Attack Name/Address/Phone Disclosed by Attack

email: sw @ saweis dot net