If your organization is pointing a finger at cloud services for security liabilities, y'all might want to take a look at the three fingers pointing back. Some enterprises have only themselves to blame for security woes.
At least that's one potential takeaway from figures posted by the Privacy Rights Clearinghouse (PRC), a consumer advocacy group that tracks data breaches in the US. So far in 2012, it looks like a large share of the records exposed can be laid at the doorsteps of financial services and insurance firms; educational institutions; and government agencies, particularly at the state level.
Let's get to the details: This year, the nonprofit PRC's research shows that 19,114,009 records have been breached in 447 incidents. Of those, 45 percent, or 8,677,588 records in 72 incidents, were attributed to unintended disclosure, defined by PRC as "Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail."
Another 7,027,673 records (37 percent) in seven incidents were breached as a result of what PRC calls payment card fraud, defined by the organization as "Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals."
So between them these two causes account for 82 percent of the records breached this year, even though they make up only 79 of the 447 incidents. Actual hacking; insider malfeasance; and the loss of physical, portable, or stationary devices containing important data account for the rest of the losses.
Analyzing these data breaches further, PRC shows that the majority of records lost via unintended disclosure of data were related to incidents in the sectors of government (nearly all at the state or municipal level), educational institutions, and financial/insurance service businesses. While the healthcare sector showed many incidents, the actual number of records breached was smaller than what was lost by these three top sectors.
Table 1: Data Breaches Due to Unintended Disclosures, 2012

| Organization type | Number of records breached | Number of incidents |
|---|---:|---:|
| Government and military | 7,963,875 | 13 |
| Educational institutions | 428,528 | 19 |
| Businesses (financial and insurance services) | 107,656 | 10 |
| Businesses (retail/merchant) | 95,000 | 4 |
| Healthcare/medical providers | 80,491 | 18 |
| Businesses (other) | 2,038 | 8 |
| Total | 8,677,588 | 72 |
Interestingly, in May 2012, Gartner analysts reported that use of cloud services in government could be considered "moderate," mainly involving "private cloud, email, and some SaaS." Insurance companies are also moderate users, mainly deploying clouds for "noncore applications and limited SaaS for vertical solutions."
Can cloud services be blamed for security problems within these sectors? That's certainly open to question. Indeed, given the propensity of both government and insurance organizations to flub data handling, it may be wise for users in these sectors to fix those inherent security problems before moving to cloud services, rather than after.
As for educational institutions, Gartner says these are "heavy" cloud users, deploying cloud for "email, collaborative and back-office SaaS/IaaS." But one has to question whether these schools can properly attribute their security woes to clouds. A visual tally of the source of each of the 19 education incidents indicates that at least 11 were directly attributable to human error. Here are some examples:
University of Virginia. Human error is blamed for making between 300 and 350 transcripts from Summer Language Institute applicants visible on the campus website.
Columbia University. A programmer accidentally posted a file containing the names, Social Security numbers, addresses, and bank account numbers of 3,000 current and former university employees and 500 proprietors. The file was exposed from January 2010 until March 2012, although it appears it was not accessed at any time between January 2010 and March 10, 2012.
University of Alabama. Social Security numbers and academic records were accidentally posted to the campus website, affecting 8,000 undergraduates who attended the school between 1995 and 2006.
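The three campus-website incidents above share one failure mode: a file full of identifiers reaches a public web root and nobody checks its contents before it goes live. What follows is an added example, not code from PRC, from any of the universities, or from the original article: a pre-publish gate in Python that walks a staging directory and refuses the deploy if any file contains US Social Security numbers or checksum-valid ABA routing numbers. The directory layout, file names and records are constructed for the demo, and the masked output format is an assumption of mine.

```python
"""Pre-publish gate: scan a staging tree bound for a public web root for US
SSNs and ABA routing numbers.  Added example, not PRC or university code;
the file names and records in build_sample_site() are constructed."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# US SSN: 3-2-4 digits with an optional, consistent '-' or ' ' separator.
# The lookaheads reject area 000/666/9xx, group 00 and serial 0000, which
# the Social Security Administration never issues.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d{2})\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}\b"
)
# ABA routing transit number: exactly nine digits, confirmed by checksum.
ROUTING_RE = re.compile(r"\b\d{9}\b")


def routing_checksum_ok(digits: str) -> bool:
    """ABA mod-10 check: weights 3,7,1 repeated across the nine digits."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings are safe to log."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return masked SSN and routing-number hits found in one document."""
    hits: Dict[str, List[str]] = {"ssn": [], "routing": []}
    for m in SSN_RE.finditer(text):
        hits["ssn"].append(mask(m.group()))
    for m in ROUTING_RE.finditer(text):
        if routing_checksum_ok(m.group()):
            hits["routing"].append(mask(m.group()))
    return hits


def scan_tree(root: Path) -> Dict[str, Dict[str, List[str]]]:
    """Walk a staging directory and map each offending file to its hits."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = scan_text(path.read_text(errors="replace"))
        if any(hits.values()):
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_site() -> Path:
    """Constructed staging tree modelled on the campus-website incidents."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    # Harmless page: a phone extension and a year must not trigger the gate.
    (root / "index.html").write_text(
        "<h1>Summer Language Institute 2012</h1><p>Questions? Call 555-0100.</p>\n"
    )
    (root / "exports").mkdir()
    # The kind of export that should never have reached the web root.
    (root / "exports" / "transcripts.csv").write_text(
        "name,ssn,term\nJane Roe,123-45-6789,2012\nJohn Doe,587 65 4321,2012\n"
    )
    # A valid routing number, a reference number and a 12-digit account
    # number: only the routing number passes the checksum and is flagged.
    (root / "exports" / "vendors.txt").write_text(
        "ACH: routing 021000021, ref 123450000, account 000123456789\n"
    )
    return root


if __name__ == "__main__":
    findings = scan_tree(build_sample_site())
    for rel, hits in findings.items():
        print(f"BLOCK {rel}: {hits}")
    # A non-zero exit status fails the publish step in a deploy pipeline.
    raise SystemExit(1 if findings else 0)
```

Two caveats a practitioner would want. A bare nine-digit string can be an SSN, a routing number, or neither, so this gate leans toward blocking and leaves the human to clear false positives; a deploy that needs one more manual step is cheaper than a notification letter to 8,000 alumni. And the gate only sees what is staged: the Columbia file sat unnoticed for over two years, so the same scan should also run periodically over the live web root, not just at publish time.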
None of my conclusions can be considered scientific. And at press time, Gartner report co-author Daryl C. Plummer had not responded to my phone or email requests for further clarification. Still, what emerges from my armchair research causes this observer to look twice at fingers pointing to the cloud as a security liability.
— Mary Jander, Executive Editor, Internet Evolution