The office of the Attorney General of New York has released a report on the 2016 data breaches. The overall number of breaches reported was up 60% compared to 2015, but there were also several noteworthy details in the data:
Personal information loss
We tend to think of corporate breaches as involving business data, but in the end, it’s usually personal. The New York breaches exposed the records of 1.6 million New Yorkers. In fact, personal information constituted over 98% of all data stolen, with Social Security numbers (46%) and financial/payment information (35%) topping the list.
3rd-party vendor risk
When we as consumers deal with a large bank or healthcare provider, we tend to assume that our information is protected to a higher standard than at a smaller company. While this is probably true in general, we tend to forget that these large service providers rely on numerous partners and suppliers, and our data may often land in their hands, outside the firewalls and beyond the reach of the intrusion detection systems of the companies we actually deal with.
New York’s breach report illustrates the security risks inherent in the supplier/partner channel. A single breach of Newkirk Products, Inc., accounted for almost half of all personal records lost in New York in 2016. Newkirk supplies insurance ID cards to the Capital District Physicians’ Health Plan, Inc., CDPHP Universal Benefits, Inc., and Capital District Physicians’ Healthcare Network, Inc., as well as other healthcare plan providers across the US.
What insider threat?
There has been a lot of hype in the security industry lately around the idea of “insider threat” – the notion that someone inside the company may intentionally compromise the security of information. New York’s breach data shows that the insider threat is definitely real, but is considerably less prominent across the overall threat landscape. Insider wrongdoing was the cause of only around 8% of the NY breaches, while external breaches accounted for 40%.
It’s worth noting, though, that when insider wrongdoing is combined with employee negligence and device loss (which I would consider to be process vulnerabilities rather than threats), employee-caused breaches, at 37%, almost tie with external breaches.