Network News

X My Profile
View More Activity

Study Analyzes 16 Months of Data Breaches

A new report on consumer data breaches recorded over the past 16 months indicates that hacking remains the most frequent source of data theft and loss, with breaches reported by educational institutions making up 43 percent of all reported data thefts or losses.

The study was conducted by the AARP (formerly the American Association of Retired Persons) using data from 244 breaches reported from Jan. 1, 2005, through May 26, 2006. The data was compiled from publicly disclosed security breaches involving information that collectively involved nearly 90 million people, as compiled by the Identity Theft Resource Center, a San Diego-based nonprofit organization.

The study found that criminal hacking was responsible for one-third of all reported breaches, while physical theft of laptops and other data storage media accounted for 29 percent. Twenty-three percent of breaches were the result of sensitive consumer information being improperly displayed, such as on a public Web site. Roughly 7 percent of breaches were caused by employees stealing or selling personal data, while just 2 percent resulted from back-up tapes being lost.

Colleges and universities were more than twice as likely to report a breach as any other entity, followed by government agencies (17 percent) and businesses (15 percent). While educational institutions reported the most largest number of breaches, the total number of potential identity fraud victims of those breaches was just over 3.6 million, far less than the number of potential victims of data breaches, thefts or losses at financial institutions (47 million) and government entities (34.1 million).

According to the study, that statistic holds true even without the two biggest incidents that contributed to those numbers -- the database breach at now-defunct credit card processor CardSystems that jeopardized roughly 40 million credit card accounts, as well as the theft of a laptop from the Department of Veterans Affairs, which contained sensitive data on more than 26 million Americans (the laptop was later recovered).

Taking away those two huge incidents, breaches from insider access and lost back-up tapes accounted for the greatest number of potential victims.

I'll be online today at 11 a.m. ET for my regular Web chat on computer security. Submit a question here.

By Brian Krebs  |  September 1, 2006; 9:31 AM ET
Categories:  Fraud  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Using Images to Fight Phishing
Next: Don't Be a Pump-and-Dump Chump


All you people freaking out about "Hijacking a Mac in 60 seconds," just chill! BK reported what he saw, but those folks haven't turned over their info to Apple. So it's unproven. But it's a possibility.

Can we give it a rest, at least until something new develops?

Now, back to THIS ARTICLE:
BK, I think there is a typo in this sentence:
"Taking away those two huge incidents, and breaches from insider access and lost back-up tapes accounted for the greatest number of potential victims."

Posted by: Thomas | September 1, 2006 11:54 AM | Report abuse

Thanks, Thomas. I have fixed that.

Posted by: Bk | September 1, 2006 1:51 PM | Report abuse

This report is amateur hour unfortunately. What is it with AARP and PRC only analyzing data from the beginning of 2005 and completely ignoring the incidents that took place before that?

Why does this report not make a distinction between 'people' and 'records' and qualify that the total may include serious overlap, may actually affect a significantly smaller amount of 'people', and that there are nos tandards in reporting these incidents specifically related to defining what a 'record' really is.

Posted by: AmateurHater | September 1, 2006 5:42 PM | Report abuse

I find many of the discussions on protecting your personal information to be misplaced. Like an airliner that crashes we focus on the spectacular news while ignoring the daily mundane fender benders. Corporations gather our personal data every day and their privacy policies are a joke. "We are committed to protecting your privacy but we will share/sell/rent your data to anyone." I would advocate that we simply prohibit any distribution of personal data by any corporation.

Posted by: Steve R. | September 1, 2006 5:44 PM | Report abuse

Laptop theft is a huge problem, especially in the business realm, even though it doesn't have to be. I've been following many laptop theft stories (this summer's been full of them!) and in many cases simple "common sense" isn't being applied.

Laptops require both physical deterrents AND security software that protects the data within. More security tips from an article on laptop theft:

Posted by: Mila | September 1, 2006 7:34 PM | Report abuse

Educational institutions make up a smaller percentage of the 327 incidents tracked on the open source dataloss database (about 30%):

290 of those were from 2005+, so it seems either attrition is over-reporting, or ITRC is under-reporting. Anybody curious enough to do a comparison of the two lists? That is, if the ITRC even has a public list of their raw data that we can analyze.

Posted by: Jordan | September 2, 2006 12:47 AM | Report abuse

I think the study is a good step forward given the lack of data on such breaches. It is what it is and the author makes it quite clear that this only includes publicly disclosed data breaches 16 months of data is quite good since there is no way to track breaches that occured prior to the California law making such notification manditory.

How can you possibly tell the difference between records and individuals? It's not like you can keep a list of the names of the victims from each breach in some central database to cross check.

Any 'experts' out there that can come up with this information should step forward and provide an analysis of the information instead of criticizing those that are working in the trenches to help understand what is happening with data breaches.

Posted by: DieKel9 | September 2, 2006 12:14 PM | Report abuse

Ok, so you've encrypted the laptop, and la-di-da you let your employee take it home. If that laptop is stolen, can you prove it was encrypted. No, not unless you have some kind of audit trail and centralized management in place. I've posted a couple of presentations on that address this problem and show some solutions. View them at

Posted by: Paul Misner | September 4, 2006 8:57 PM | Report abuse


The Attrition list contains virtually every breach listed in the sources used by AARP. I compared the ITRC lists for 2005 and 2006 to Attrition's list back before it was a publicly-available CSV file, and IIRC there were fewer than 5 breaches Attrition didn't know about. Not perfect, but darn good for "amateurs".

As for the professional angle, I don't know what a professional breach expert is, but NY and North Carolina mandate central reporting of these events to government agencies, so in that sense these are people who get paid to maintain such lists. I have reports from both, obtained via FOIA requests, and the Attrition list does a pretty good job. Cases known by these states that are not in the Attrition list are probably no more than a dozen or so, tops. The lack of completeness will be remedied as soon as I report the (few) omissions to Attrition. It is difficult to know whether these state lists are any more complete than Attrition's, however, since only breaches affecting these states' residents must be reported, and Attrition has no way of knowing whether any of the breaches they list affect NY or NC.

Posted by: Chris Walsh | September 12, 2006 10:59 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company