Verizon just released its authoritative annual report on data breaches (registration required) and information security. It’s a jaunty, colorful document, packed full of interesting charts and information, if you’re into that sort of thing. (As well as plenty of gags that offer a glimpse into the life of a data-cruncher, such as endnote 11: “Note to self: stop leaving laptop in conference room when walking down to the cafeteria.”)
In its seventh annual report, Verizon used its own data and gathered more from 50 organizations worldwide, many of them big security firms or law enforcement agencies with plenty of insight into data security.
In 2013 there were at least 1,367 confirmed data breaches, according to Verizon, and over 63,000 “security incidents,” a broader category that covers any event that “compromises the integrity, confidentiality, or availability of an information asset,” from catastrophic leaks down to events where no data was confirmed to have been exposed. Of those, governments around the world accounted for nearly 13% of confirmed breaches and a whopping 75% of “incidents.”
Where are all these breaches coming from? In a word, “oops.” Verizon groups incidents into nine patterns that together account for over 90% of everything in its dataset, and one of them stands out in the public sector: “miscellaneous error.”
The public sector is among the worst offenders at mistakenly leaking data, but it is not the worst. That dubious honor goes to the administrative-services industry. But while administrative-services errors mostly affect businesses and those that deal with them, the public sector’s leaks are more worrying because of the wide-ranging and personal nature of the data it holds: a single mistake can affect enormous numbers of ordinary citizens.
So why does the government appear to get it wrong so often? The Verizon report explains that the numbers may be misleading, at least in the US:
According to our sample, government organizations frequently deliver non-public information to the wrong recipient…Why is that number so large? The United States federal government is the largest employer in that country, and maintains a massive volume of data on both its employees and constituents, so one can expect a high number of misdelivery incidents. Public data laws and mandatory reporting of security incidents also cover government agencies. Since we have more visibility into government mistakes, it creates the impression that government mistakes happen more frequently than everyone else’s, which may not be the case. This is not unlike the way we see higher numbers of overall breaches in US states that have had disclosure laws on the books the longest.
In other words, the government may not get it wrong more often; its willingness to admit mistakes just makes it look that way. Indeed, a recent survey-based report by ThreatTrack, an information security company, found that nearly 60% of respondents did not disclose data breaches. “Among industries, manufacturing and utility companies were the industries most likely not to disclose a breach, with 79% of respondents admitting to not telling customers, partners or other stakeholders about a compromise,” the report said. For what it’s worth, Verizon’s figures are consistent with that: manufacturing and utilities together accounted for only 0.6% of the unconfirmed breaches it recorded.