Network News

X My Profile
View More Activity

Report: Data Breaches Expose About 30M Records in '08

U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud.

The Identity Theft Resource Center, of San Diego, found that this year's data breach tally has easily eclipsed 2007's 446 incidents. At an average of 57 caches of consumer data reported lost or stolen each month, U.S. organizations are on track to divulge at least 680 breaches by the end of 2008.

About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. A description of each incident is available in the Identity Theft Resource Center 's 2008 Breach List (PDF).

Some 30 million records on consumers have been exposed so far this year. But experts say that figure almost certainly masks a much larger problem, as there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected.

Resource center founder Linda Foley said it's not clear whether there are more breaches, if organizations are getting better at detecting them or if more organizations are simply complying with state data breach notification laws.

At least 40 states now require entities to alert consumers in their states when a data breach has placed residents' personal and financial data at risk of exposure. Yet, in nearly 42 percent of the breaches reported this year, affected entities have not divulged the total number of Americans potentially at risk from the incidents, Foley said.

Consider the breaches that the Identity Theft Resource Center tallied last year: In 2007, 446 incidents exposed more than 127 million consumer records. Yet in 40 percent of those cases, the entities that experienced the breach did not say how many records were affected nationwide. A single omission can skew the numbers dramatically. Nearly three-quarters of those 127 million records were attributable to a single data breach: that of TJX Inc., which operates T.J. Maxx stores, among others.

What's more, the resource center counts breaches by contractors as a single incident, even when the breach affects a large number of the contractor's clients. For example, Bank of New York Mellon in February said it had lost backup tapes containing names, addresses, birth dates and Social Security numbers on roughly 4.5 million Americans. Following an investigation by Connecticut authorities, the bank acknowledged that as many as 12.5 million records may have been lost. Since the institution administers investment plans for a number of companies, even people who had no direct relationship with the bank received notices from the institution that their personal data was compromised.

"We get calls all the time from people who receive a breach notice from a company they've never done business with directly," Foley said. "Companies that collect information on behalf of other organizations need to take extreme security measures because they have a lot more information at stake."

More than 36 percent of the breaches so far this year have been at U.S. businesses, while educational institutions were the second most frequent source of incidents (21 percent). Breaches attributed to the military or state and federal government declined for the third year running, down from a quarter of all breaches last year to just 16 percent in 2008.

Organizations reported that hacking (13.4 percent) and insider theft (16.5 percent) were the cause of nearly one-third of all breaches this year. Lost or stolen laptops and other digital media storage accounted for 20 percent of breaches, with another 14 percent blamed on accidental exposure, such as the posting of Social Security numbers and other data to a public Web site.

By Brian Krebs  |  October 6, 2008; 12:01 AM ET
Categories:  Fraud , From the Bunker , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: New State Laws Target Data Encryption, RFID Tracking
Next: Spammers Favor Obama Over McCain 7 to 1

Comments

As Brian notes, the actual number is much higher as companies are not reporting the number of victims.
Yet, Stuart K. Pratt, President and CEO of the Consumer Data Industry Association, recently cited the ITRC study in a letter to the editor of the Orlando Sentinel as an indication that identity theft is declining.
This attempt by some, like Mr. Pratt, to mislead Americans about the continuing ID theft threat and the insecurity of information contained in government and corporate databases should not go unchallenged.

Posted by: Rob Douglas - InsideIDTheft.info | October 6, 2008 12:39 PM | Report abuse

We've seen these incidents enough that I wonder how seriously security is taken. Do we know how many of these involved non-encrypted record loss? It really seems careless if these organizations aren't encrypting hard disk and record level data. They should also implement solutions that limit access to entire datasets to more of a "need to know" system (avoid "insider" data theft). Policies on laptop data (in addition to encryption) should limit (or prohibit) records unless it is legitimately needed.

Posted by: Jim_Maryland | October 6, 2008 2:08 PM | Report abuse

"... with another 14 percent blamed on accidental exposure ..."

"... Lost or stolen laptops and other digital media storage accounted for 20 percent of breaches ..."

Hacking and insider theft cause ~ 1/3, but they can be fixed. Any progress to report on the stupidity 1/3 ?

Posted by: GTexas | October 6, 2008 4:28 PM | Report abuse

A closer check of the data will show error...human error...is right up there as a primary reason for breaches...tech up all you want, but humans screw up...and credit monitoring misses more than half of the ID theft crimes...why do you think it is called identity theft (not credit theft)

Posted by: PsmithNY | October 6, 2008 5:52 PM | Report abuse

We are only told of a fraction of the data breaches. The vast majority are unreported as they are small from a relative perspective such as a mortgage lender that loses or sells a handful of files. How do I know this? I work for a company that deals with victims.

Anyone that does not have a "Total Identity Monitoring" program in place is burying their head in the sand. Many people, in our experience, are already victims prior to the breach from which they were notified. In our experience more than 2/3 of victims were non-credit related, such as illegal aliens using their names for employment. Therefore, anyone wanting to protect themselves needs to choose a solution that monitors more than credit bureaus and does more than a consumer can do for themselves for free with a few minutes effort such as fraud alerts.

Posted by: Bryan Ansley www.secureidentitysystems.com | October 6, 2008 6:10 PM | Report abuse

These data breaches and thefts are due to a lagging business culture. I found some fresh and original thinking from the author of “IT Wars” - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book – BEFORE you suffer a breach.

Posted by: John Franks | October 7, 2008 8:43 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company