Financial Firms Losing Data

Which would be more likely to suffer data theft, a university or financial institution?

If you've been reading the news lately, you probably said "university." But in New York, it's a different story. Nearly half of the 64 data breach incidents reported in the state between March and May of this year were by financial institutions and insurance companies -- not educational institutions, according to a researcher who's gathering the data. Only three of the 64 incidents were reported by schools, he says.

Interestingly, most of the financial institutions' breaches weren't driven by hackers, says Chris Walsh, an information security architect who is independently researching breach trends using data from New York. "About two thirds of them reported a lost computer, and that's not counting lost tapes."

Over the past few months, Walsh has requested and received hundreds of pages of data breach reports from New York under the Freedom of Information Act (FOIA). New York requires organizations that suffer such data losses to report them to the state's attorney general, consumer protection board, and cybersecurity authorities.

Walsh concedes that any analysis of this preliminary data is premature. But he also says he was surprised that lost or stolen laptops were the main source of data breaches, rather than good old-fashioned hacking. "It seems like an awful lot more stolen laptops here."

A former student of the social sciences, as well as a self-proclaimed former Unix geek, Walsh says he's naturally drawn to this kind of research data. He plans to continue tracking, scanning, and analyzing additional data breach reports to New York and other reputable publicly available sources and then publish the information in a database. "I could have 400 to 500 of these" reports after a year, he says, and the idea is to provide the data to the academic research community.

— Kelly Jackson Higgins, Senior Editor, Dark Reading