Data breaches: 2007 IT failure superstar

Summary: Data breaches represented the most important category of IT failure during 2007. The year 2007 saw spectacular failures, ranging from improperly-paid teachers at Arizona State University (ASU) and the Los Angeles Unified School District (LAUSD), to a massive implementation problem at the UK National Health Service (NHS), which one observer called the "greatest IT disaster in history."


Data breaches represented the most important category of IT failure during 2007.

The year 2007 saw spectacular failures, ranging from improperly-paid teachers at Arizona State University (ASU) and the Los Angeles Unified School District (LAUSD), to a massive implementation problem at the UK National Health Service (NHS), which one observer called the "greatest IT disaster in history." Despite the impact of these high-profile failures on victims, the number of people affected is minuscule compared to the cumulative effect of data breaches.

The Privacy Rights Clearinghouse conservatively estimates that over 216 million privacy records were breached in the period 2005-2007, in the United States alone. According to attrition.org, which maintains a database that researchers can download to conduct their own analysis, approximately 165 million records were compromised during 2007. While most breaches occurred in the US, incidents were also reported in Australia, Canada, Germany, the UK, Japan, the Netherlands, Norway, and Sweden.

The downloadable attrition.org database lists the following causes for data breaches during 2007:

  • Improper document disposal
  • Fraud
  • Hacking
  • Lost computers and disk drives
  • Lost and stolen media and tapes
  • Lost postal mail
  • Web breaches

Unlike ordinary IT failures, which generally affect a relatively bounded group, such as employees of a particular company, even a single breach can put millions of people at risk and cut across every segment of society.

The recent loss of two data discs belonging to UK Revenue and Customs (HMRC) is a case in point. The loss of these discs, which contained personal information belonging to 25 million people, affected every family in the UK with a child under the age of 16. The scope of this breach was such that the British prime minister was forced to apologize.

Stopping data breaches will likely be far more difficult than preventing IT failures, which can be controlled by applying improved implementation methodologies and processes. Many breaches, such as the HMRC case, ultimately arise because organizations do not recognize the true value of the data under their protection. As we all know, changing such deeply held attitudes in any organization is usually a long-term project.

Given these attitudes, improving the worldwide data breach situation will require a combination of top-down change and government regulation:

  • Senior leaders from both private companies and government agencies must treat data protection policies as strategic and devote resources at a level commensurate with this status. Bringing about such a cultural change in attitudes toward custodial data will take years.
  • Governments should demand stiff penalties from organizations that lose personal data, regardless of how that data is lost. In addition, regulators should enforce more timely public disclosure, and increased transparency, whenever breaches occur.

Although these steps will reduce the prevalence of data breaches, we are likely to see many more in 2008.


Talkback

2 comments
  • DATA BREACHES ARE HERE TO STAY

    Interesting, one of today's top news items put out by the AP is "Data Breaches Hit Record in 2007."

    As I said before, the personal data of employees and the public has *value* only to that person unless a company's product is data on individuals. Look at all the effort (and $) that has gone into DRM and other anti-theft solutions. I think if they committed to data breach solutions and prevention as they do to theft of product or IP, then people might not be so hard on companies.

    I'm afraid to say it, but companies won't take data breaches seriously unless they experience the type of bottom-line pain that is comparable to the loss due to product theft. Embarrassment over a data breach is fleeting.
    elizab
  • RE: Data breaches: 2007 IT failure superstar

    The data breaches 2007 has seen are just the beginning. We will have more entertainment to talk about when the new Windows 2008 rollout takes place. In any case there would be more of a data loss than a breach.
    pawan@...