'datagate' And Other Apocalypses

The Age

Tuesday May 29, 2007

Nick Miller

Research into data loss, unfortunately, is usually undertaken by firms with an interest in predicting catastrophe.

For instance, IT security firm McAfee commissioned research by Datamonitor on "Datagate: the next inevitable corporate disaster?". It was sent to Next, accompanied by a press release revealing McAfee had "announced McAfee Data Loss Prevention, the industry's most comprehensive solution for preventing both accidental and malicious loss of confidential data".

The report was based on a survey of "IT decision-makers at over 1400 large organisations around the world". More than half the companies surveyed had experienced a loss of data. Their estimates of financial damage came to $US1.82 million ($A2.2 million) on average a year. Only 6 per cent could categorically state they had not experienced any data loss.

Almost a quarter of all data loss was from malicious causes, for instance employees stealing company secrets. Another third was intentional but not malicious, for instance copying a confidential legal agreement to a USB drive, to work on it at home.

Stories of significant data loss are almost always from the US:

? 40 million MasterCard and Visa cards compromised in late 2004 by a hacker;

? 26.5 million names, social security numbers and birthdates lost by the US Department of Veterans Affairs in 2005 when a worker's notebook was stolen;

? 1.2 million Bank of America charge cards compromised in 2005 when back-up tapes were lost;

? 240,000 subscribers to the Boston Globe had their credit card details exposed in 2005 when DVDs and computer equipment were stolen by a former worker.

There is little corresponding data in Australia. Our country has no laws corresponding to - for example - California's 2003 law requiring companies to tell customers of a security breach involving their personal information such as social security, driver's licence or credit card numbers. Other US states and countries including Norway, Hungary, Sweden and Germany, have similar laws.

McAfee's report found that enterprises in Britain and Australia reported the least data leakage - but Australia had by far the largest proportion of respondents who answered "don't know" to the question "approximately how often have data leaks occurred in the last two years?".

According to the Australian Bureau of Statistics, more than 1.6 million computers went into landfill last year, with the same number put into storage, joining the 5.3 million already gathering dust in garages and warehouses. However, a 2006 survey found only 18 per cent of IT professionals use data deletion products to wipe hard drives earmarked for disposal.

This only suggests data loss. Much better data comes out of the US. A new, independent study due to appear in the Journal of Computer-Mediated Communication later this year found that more than 1.9 billion records were exposed between 1980 and 2006, or an average of nine records for every US citizen.

After new reporting laws came in there were more reported incidents in 2005 and 2006 than all the previous years combined.

The paper suggests that hackers are the "folk devils" that usually get blamed. However, they account for less than half of the data loss events: 60 per cent involved organisational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost back-up tapes or other administrative errors.

"While businesses have long been the primary organisations hemorrhaging personal records, colleges and universities are increasingly implicated," the report found.