Sunday, 8 March 2015

Data Theft - Some Facts

One of the really interesting things about data theft is that it largely goes unreported. What company in their right mind would want to publicise that their customer data has been stolen? How would you feel if your GP called (as they will have to soon do under Australian law) to let you know that all your medical and contact information had been stolen? Not very good.

In fact when we notified effected patients their information had been compromised by ex-employees our reception staff received hundreds of abusive phone calls (and txt's) in the weeks following the theft. Under the guidelines of the OAIC we notified patients within 2 hours of the theft. All the notification did was drive patients away from the medical centre.

These employee data thieves provided their login to a hacker to access and steal sensitive patient information, however, as far as patients were concerned, we had let them down. Reporting the data theft and those responsible to Police, OAIC, APHRA and the HCCC was an absolute waste of time. They did nothing except respond that it was a "commercial matter" and would need to be sorted out in the civil courts. A recent civil case took over three years to get to a hearing in the Supreme Court and over 14 months to get judgement. Civil courts is not a solution nor is it a deterrent that will stop insiders stealing your customer lists or IP.

Getting stats about data theft is quite hard, and there’s hardly any for Australia. But there is some information and it’s pretty shocking.

It is estimated that data theft costs $250 billion in the USA.
  • 14% of breaches were perpetrated by insiders with 7% involving multiple parties
  • 20% of data theft hit information and professional services firms
  • 50% of companies surveyed by the Carnegie Mellon Software Engineering Institute experienced at least one data breech by an insider in the previous year.
  • 59% of employees who quit or leave admitted to taking confidential or sensitive information
  • 62% of employees think it’s acceptable to transfer corporate data to their PCs, tablets, smartphone or cloud sharing application without seeking approval.
  • 90% of IT employees indicated that they would take sensitive data if they were fired.
Now I don’t mean to disparage IT employees specifically or employees generally but the facts are clear. Data theft is rife and it’s happening across all businesses at much higher rates than anyone is really aware because it’s so hard to find the information. Verizon releases a data breach investigations report annually, as do a range of other institutions and organisations.

So, don’t kid yourself that it’s not happening much, or not happening much in your business sector, or to your type of business. The simple fact is, that it is and you need to understand it in order to minimise your risk.

There are some pointers on my website to some of the basic things you can do to minimise your risk so have a look.

If its happened to you, send us your story.