Posted at 8:00 AM ET, 06/30/2008

Data Breach Reports Up 69 Percent in 2008

By Brian Krebs

Businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69 percent increase over the same period in 2007 driven by a spike in data thefts attributed to employees and contractors, according to an analysis by identity theft experts.

The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.

Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total), government entities and the military (17 percent) declined for the third year in a row, the ITRC found.

Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent of the total). Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the ITRC found. The inadvertent posting of personal and financial data online prompted roughly 15 percent of the data breach disclosures.

While the share of breaches due to data on the move fell nearly eight percent from last year, that slack was picked up by insider theft. Data breaches due to information stolen by someone inside the company increased from just six percent of the total in 2007 to nearly 16 percent so far this year. Another 13.5 percent of breaches came from subcontractors who lost or stole their clients' customer data.

The 342 breaches the ITRC studied from this year involved almost 17 million consumer records. But ITRC founder Linda Foley said the true number of records jeopardized by those breaches is likely far higher, because in nearly 40 percent of the breaches the affected entity has not yet disclosed how many consumer records were lost or stolen.

Some 44 states and the District of Columbia now have laws requiring entities that suffer a data loss or breach to alert affected consumers (according to the ITRC, the states without data breach notification laws are Alaska, Alabama, Iowa, Kentucky, Mississippi and South Dakota). But Foley said only three states -- Maryland, New Hampshire and Wisconsin -- require reporting to state officials and routinely publish that information online.

Breach notices filed with those three states have in many cases amounted to the first public disclosure of data breaches, but they also expose the gaps in those disclosure laws, Foley said.

On June 9, for example, the United Transportation Union Insurance Association notified the Maryland Attorney General that the loss of an undisclosed number of laptops jeopardized the names and Social Security numbers of 394 Maryland residents. However, the association has not yet said how many consumer records from all states were included on the missing laptops.

On May 8, Saks Inc. notified Maryland that the theft of four laptops had resulted in the loss of the name, address and Saks Fifth Avenue credit card numbers belonging to 2,391 Maryland residents. Saks similarly told the New Hampshire Attorney General's office that the breach affected 163 of that state's residents. Saks has not yet said how many customers nationwide may have been impacted by the lost laptops.

While a data breach may be reported as a single incident, it often masks the true number of institutions affected by the incident. This is most often the case with contractor breaches, such as one first publicly reported to the Maryland Attorney General's office on June 13. That notification was sent by attorneys for technology news media outlet CNET Networks, who said they were told that computer equipment stolen from Colt Express Outsourcing Services Inc., a California company that administers benefit plans to businesses across the country, resulted in the loss of records bearing the names, dates of birth and Social Security numbers of 6,500 CNET current and former employees and dependents.

Colt officials have declined to say how many total consumer records may have been affected, but several other businesses have reported receiving notifications from Colt over the past few weeks.

"It's a little like if you see a major pileup on the freeway, there's that one car that caused the whole accident, and then there are bunch of other innocent third parties that are affected due to the domino effect," Foley said.



Most breaches of confidential information are intentional, not accidental. Someone somewhere is unhappy with their situation and wants to bring attention to it. We have too many people who need to move on with their life instead of dwelling in pity and unhappiness. You can change, but you must also adapt.

Posted by: yosh n | June 30, 2008 10:41 AM

Ever think that maybe the number is going up because industry is just now investing the money they should have years ago, to track and prevent these things?

It's like saying that the number of tornados is increasing....

No... It's that we are now able to track them easier with technology because we got off our lazy butts and invested in the technology.

Same story, different subject.

Posted by: Think | June 30, 2008 11:12 AM

@Think -- Hence the headline: Data Breach Reports.....

Posted by: Bk | June 30, 2008 11:24 AM

I believe the numbers are much higher. These numbers are just what people know or are willing to report on, but not what actually happens.

Data theft by malware is much higher than this report.

Posted by: t | June 30, 2008 11:26 AM

The numbers are likely much lower than reported as all breaches are not required to be reported. Our company regularly handles breach recovery for organizations that had data on 5-15 people lost. These breaches rarely make headlines and are not required to be reported and they happen every week by the dozens that we see.
While this may paint a bleak picture there are some rays of light on the horizon within the new Federal Red Flags Amendment to the FACT act. The new requirements call for the following to be implemented by all financial institutions prior to November 1st, 2008:

1) Conduct comprehensive risk assessment
2) Create a Policy and Procedures Manual to combat ID Fraud
3) Train all employees on the new policies
4) Employ an Anti-Phishing solution that not only identifies fake sites through continuous monitoring but also has the ability to take down fraudulent sites
5) Authenticate customers' identities when applying for loans and other accounts. This goes beyond the standard two forms of ID which we all know now can be easily faked or stolen
6) Address change verification
7) Provide an ID Theft solution for all consumer accounts

This means financial institutions will be partnering with cutting edge technology companies such as Secure Identity Systems to shore up security and reduce the criminal gain opportunity which in turn can finally begin to reduce the crime itself.

Posted by: Bryan | June 30, 2008 12:22 PM

There is absolutely no possible justification for Employee or Customer data being on a LAPTOP unless it is encrypted. Even then, it's a highly questionable practice. It should be a criminal offense to have such personnel data in a non-secured location (i.e. laptop) unless it is encrypted.

Posted by: Muddy | June 30, 2008 1:21 PM

Following the link(s): What a can of worms! These 'incidents' cause a world of paperwork for both the consumer(s) and affected companies, costing a lot of money and man-hours, just to TRY to protect the affected persons/companies.
Upon apprehension of the guilty parties, they should be fined, wherever possible, into bankruptcy (without the bankruptcy protections), and published in all major news organizations.

Posted by: PeteBB | June 30, 2008 1:34 PM

Timely article. Especially in light of the Montgomery Ward (owned by Direct Marketing Services Inc) breach, where the company still hasn't notified all of its customers of a breach that occurred back in Dec.!!

Posted by: SPatch | June 30, 2008 2:58 PM

The posting @ Bryan, 12:22pm is SPAM. I'm posting this only after 4 failed attempts to email the notification system.

Posted by: kfritz | June 30, 2008 3:40 PM

Brian: Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, we drown in breach notices, many of which are insignificant. --Ben

Posted by: Benjamin Wright | July 1, 2008 7:15 PM

Not too long ago someone contacted me asking me to forward $1000 in hopes of getting information on my banking institution and told me if I did not comply that he would dig up dirt that would not go away easily. They said I could lose my home, car or any investments I had. I was kind of scared at first when he sent me a copy of my W2 forms. I was in shock; how could someone get my W2 forms? Any suggestions?

Posted by: Jack | July 10, 2008 4:26 PM

© 2013 The Washington Post Company