
8.3 Million Records Spilled in Data Breaches This Year

At least 8.3 million personal and financial records of consumers were potentially compromised by data spills or breaches at businesses, universities and government agencies in the first quarter of 2008, according to statistics released today.

The San Diego-based Identity Theft Resource Center said it tracked public reports of 167 data breaches in the first three months of this year. The center recorded 448 data breaches total in 2007. A detailed breakdown of the incidents in 1Q of 2008 is available here (PDF) and the overall 2007 statistics can be downloaded here (PDF).

Roughly 4.2 million of the breached records were the result of digital intrusions at the Hannaford Bros. supermarket chain disclosed last month.

Overall, businesses were responsible for roughly 36 percent of the data breaches or spills, followed by schools and universities (25 percent), government and military (18 percent), medical/health care (14 percent) and banking and financial (7 percent). More details on the industry breakdown are available here (PDF).

While the center doesn't break its numbers down by data loss type, a review of the data from the first quarter of the year suggests that only about 13 percent of the breaches were the result of an outside hacker gaining unauthorized access to consumer records over the Internet. According to a tally by Security Fix, 21 hacking incidents in the first three months of this year compromised at least 4,624,005 personal and financial records (again, the Hannaford breach accounts for the majority of those compromised records).

Most of the data spills in 1Q 2008 appear to have resulted from lost or stolen laptops, hard drives or thumb drives. Insider access and the inadvertent posting of sensitive data to a Web site or through e-mail also were cited frequently throughout the report.

A few caveats about the number of breached records are in order. First, in 66 of the 167 data breaches detailed in this report -- 40 percent of the cases -- the organizations involved have not disclosed how many records might have been compromised. Nor do the affected organizations which have disclosed that data typically say how many individual consumers were affected.

The number of cases in which organizations report or acknowledge a data breach but offer no estimates of the number of victims appears to be increasing (although, I should note here that the ID Theft Resource Center's data is based largely on media reports about the incidents). In all of 2007, affected organizations didn't say how many records were potentially affected in 138 of the 446 recorded breaches, or in roughly 31 percent of the cases.

Linda Foley, the ID Theft Resource Center's founder, said it's unclear what's behind the increase in data loss reports this year, whether it's a greater number of states with laws mandating data breach disclosures, a larger number of breaches or a combination of the two. Nationwide, 39 states and the District of Columbia have laws on the books requiring organizations to notify consumers of a data breach that jeopardizes their personal and/or financial data.

"The question of why we are hearing more about data breaches is going to take us a couple of more years to sort out," Foley said. "I think, perhaps in addition to the state [disclosure laws], companies are urged on a bit by the fear of the media taking the story and releasing it rather than the companies themselves getting a chance to spin the news."

By Brian Krebs  |  April 2, 2008; 3:00 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips, U.S. Government


It's not clear to me in what category you are putting the Hannaford incidents.

I thought they took place when clerks used customers' cards to pay for groceries.


Posted by: Instructor 5 | April 2, 2008 7:03 PM

@Instructor -- The Hannaford breach -- according to the company -- was the result of hackers having installed data-sniffing malware on the machines that transmit the customer's swiped credit/debit card data to the card processor.

Posted by: Bk | April 2, 2008 7:07 PM

How does one "spill" a record? Try "disclose", or use a metaphor that works. "Records spilled" does not work. You know this, and you are a better writer than that.

And how can records be "breached"? Access controls and barriers get breached, yes, but not the items they are protecting. Media have latched onto the word "breach" and have started abusing it with wild abandon; one wonders whether they ever saw the word before these compromises became commonplace. Please don't jump onto this bandwagon of illiterates.

A vault is breached; the gold inside is stolen. A safe is breached; the documents inside are disclosed, stolen, or destroyed.

On the positive side, you didn't mention the nonsense phrase "personally identifiable information" even once. Thank you.

Posted by: aeschylus | April 2, 2008 7:56 PM

All hail the most excellent Aeschylus and his self-imposed usage rules. Get a grip, Dude!

Posted by: Pete from Arlington | April 3, 2008 12:10 PM


If the media are going to write about technical security matters, clear and correct meaning is crucial. By and large, Brian Krebs's writing is exemplary in its clarity and precision, but he occasionally slips.

My grip is firm. Check your own.

Posted by: aeschylus | April 3, 2008 4:55 PM

Aren't botnets at the root of all this? I mean they sneak into networks and allow the hacker to come back in to install malware/sniffers. They can hide within the thousands of consumer and enterprise bots and run off with "Track 2" credit card data.

Great list of most reported data breaches from 2005-present.

Posted by: Hank | April 4, 2008 7:17 PM

Have you heard of RFID (radio-frequency) interception and a theft called "Wireless Skimming"? (Not to be confused with magnetic stripe skimming.)

RF tagged cards can be door access cards, debit/credit cards, employee badges, store loyalty cards, MiFare cards and the new REAL ID driver's licenses. All of these can be activated while still in your wallet! That RF tag signal can be captured and cloned to be used however the thief wants, and you could be robbed of your time, money and reputation.

Please visit to see the only American made RFID shield that stops the signal, and is not just a filter. Armadillo Dollar products can be customized with your own logo for your security personnel and premier customers!

We hope to educate those who are ahead of the curve in technology, so they can share this with their family and friends!

View our TV interview here!

Thank you!


Posted by: Catherine | April 5, 2008 3:30 AM


© 2010 The Washington Post Company