A study released by J. Campana & Associates indicates that data breaches reported in the US may be under-reported by a factor of 100.
The report examines how information has been compromised in the private, public and volunteer sectors from 2005-2008. The report, which shows the risk factors of data breaches per sector, indicates that the vast majority of data breaches reported are from medium and large enterprises. However, these enterprises may be dwarfed by the smaller entities not reporting data breaches.
These smaller entities, with significantly fewer resources and less governance, are highly vulnerable to data loss and may not have the ability to detect or report breaches that do occur. Additionally, mishandling of physical documentation (versus electronic data) often goes unreported. The author suggests that the 1,100 reported data breaches may be as high as 110,000 in reality.
"For example, the smallest units of local government comprise more than 90% of government yet this subsector only reported one breach in four years."
The data also indicates that though the private sector makes up 94% of all enterprises in the US, it only accounts for 37% of the reported data breaches. The public sector accounts for 55% of all breaches. The major breach type in most sectors involved laptops. 60% of all breaches involve the loss, theft and improper disposal of computers and other devices.
Large data breaches, the "mega breaches", accounted for less than 2.5% of the 1,100 breaches. However, these breaches accounted for 85% (230 million) of all profiles compromised. The author of the report points out that sensational data breaches are alarming, but we need to be just as concerned with the average data breach, what it looks like, how to detect it, and how to prevent it.