Home > Data Loss, PHI, PII, Privacy Laws > Repeat Data Loss Offenders…

Repeat Data Loss Offenders…

I was doing some data mining this week on the excellent DataLossDB.com site and it occurred to me to dig a little deeper into where the risky places to give your PII/PHI to are. I was hoping to find that some segments are cleaning up their act, but it seems not. The fact we’re seeing multiple entries by people could have two possible meanings:

a) The cost of protecting us is more than the penalties imposed for data loss
b) The threats and risks are increasing faster than technology and user education can cater for them.

I’ll let you decide based on your experience which of the two is going on, but either way, this highlights that constant vigilance is key, and as I say every time I present, Data Protection is not a static experience – It needs to be a mindset shared top to bottom in an organisation. Only by having an evolving process can you hope to stay above water. Remember, at best guess 80% of the fortune 5000 have minimal, or no data protection solutions in place, even though there are around 250 regulations requiring such.

So who are the top repeat offenders? Below is the list of organizations who have reported 6 or more data loss incidents so far. Of course, this may be skewed by people doing business, or reporting under several different names, but it gives you an idea of the size of the problem.

  1. LPL Financial (11)
  2. Experian (10)
  3. Bank of America (9)
  4. University of Iowa (8)
  5. Pfizer (8)
  6. UK Ministry of Justice (8)
  7. Hunter College of the City University of New York (8)
  8. LexisNexis (8)
  9. Merrill Lynch (6)
  10. Nationwide Mutual Insurance (6)
  11. New York Life Insurance Co (6)
  12. The Foreign and Commonwealth Office (6)
  13. University of Florida (6)
  14. Wells Fargo (6)

Here’s a breakdown and my comments for the four main markets – Education, Health, Government and Business.

Medical – 12% of all reported breaches.

Some recent people notifying us of breaches include Penrose Hospital,Kern Medical Center, Akron Children’s Hospital, Trulife, Prompt Med, Alberta Health Services Edmonton, Sutter Health, Salford Royal NHS Foundation Trust.

Lots of people reporting more than once, the big offenders are :

  • Blue Cross Blue Shield NC (3) Blue Cross Generally (7)
  • Kaiser Permanente(5)
  • Aetna Inc.(4)

Government – 19% of all reported breaches.

Some recent names: Socorro County Housing Authority, Cincinnati Metropolitan Housing Authority, Cuyahoga County, Ohio ,Worthing Borough Council, Iowa Secretary of State, Colorado Department of Corrections, New Hampshire Department of Corrections,United States Army National Guard, The Highland Council, United Kingdom Ministry of Defence

Lots of names appear more than once surprisingly, for example:

  • New York State government (12)
  • The Foreign and Commonwealth Office (5)
  • California Department of Consumer Affairs (a supposed supporter of data privacy) (2)

Education – 21% of all reported breaches.

Some recent names include Memorial University of Newfoundland, University of North Carolina, Eastern Kentucky University, University of Florida, Bluegrass Community and Technical College, University of Massachusetts at Amherst (UMASS), Boston University Army Reserve Officers Training Corps

Interestingly some names keep appearing:

  • University of Iowa (9)
  • Hunter College of the City University of New York (6)
  • University of California San Francisco (5)

Many of the listed Edu’s have more than one breach reported – indicating they are perhaps not learning anything (or don’t care).

Business – 48% of all reported breaches.

Some recent names include AlixPartners LLP, Rocky Mountain Bank, Jones General Store, Mitsubishi Corporation, Fasco Machine Company, Guardsmark, Radisson Hotels & Resorts, Sun Valley Mortgage, Calhoun Area Career Center

While the lions share of reported records, there are also a lot of people repeat-offending, for example:

  • AT&T(4)
  • ADP (5)
  • Bank Of America (9)
  • CitiBank/Group (6)
  • Countrywide Home Loans (5)
  • Equifax Inc.(8)
  • Experian (10)
  • LPL Financial (12)
  • Wells Fargo (6)
Categories: Data Loss, PHI, PII, Privacy Laws Tags: , ,
  1. October 2, 2009 at 10:02

    I am actually surprised to see some of the names you listed here a good number of them are using a well known and effective Total Protection for Data software suite. It really drives home the need for a strong data protection policy to better utilize the tools put in place to protect sensitive data.

  2. Simon Hunt
    October 2, 2009 at 10:34

    One thing my quick analysis did not take into account is the time of the last report. I hope to get around to that in the next month or so – Obviously there’s a big difference between someone reporting multiple incidents with the latest being recent, and someone who had lots of incidents in the past, but has not had to report for a year or so.

  1. October 22, 2009 at 13:18

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: