The number of data breaches hit a record high in 2007, but it appears this year will be significantly more dangerous when it comes to potential identity theft. More than four months before the end of 2008, the total number of breaches on the Identity Theft Resource Center's (ITRC) breach list has surpassed the final total of 446 reported in 2007.
As of 10 am on August 22, the number of confirmed data breaches stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events, the group said.
In the last few months, two subcontractors became examples of these "multiple" events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event.
ITRC says it recognizes that 446 breaches in less than a year is a small number when compared with the total number of business, governmental, health, banking and educational entities that have databases. However, for the individuals whose information has been exposed, 446 data exposure events are still too many.
It should be noted that the growth in the number of breaches from year to year can no longer be attributed only to required reporting laws and media investigative work.
Linda Foley, ITRC Founder, attributes part of the growth of the ITRC's breach list to the ability to access state Attorney General notification lists that contain breaches that were not reported via media or other sources.
"If more states would publish breach notification lists, there would be more information to study and to help us understand this growing concern," Foley said. "At this time, only three states publish such information. Additionally, more companies are starting to audit their security and network systems and use readily available security measures. This pro-active approach means that breaches are being identified that might otherwise have gone undetected."
"The number of attacks, in addition to publicly disclosed breaches, continues to escalate as criminal networks mushroom around the world, while economies weaken," according to Avivah Litan, vice president and distinguished analyst at Gartner Inc. "A more concerted effort is required among companies to secure and protect customer data, regardless of regulatory oversight."
In the last few weeks, the US Secret Service announced the investigation of a cybercrime group that may have hacked tens of thousands of credit and debit card accounts from Louisiana and Mississippi restaurants this year, allegedly leading to over $1 million in losses for the banks that issued them.
Also, on August 5, 2008, the U.S. Attorney General's office announced the indictments of 11 defendants who tapped the computer networks of TJX Cos.' Marshalls, BJ's Wholesale Club Inc., Barnes & Noble Inc. bookstores, Sports Authority, Boston Market Corp., OfficeMax Inc., Dave & Buster's restaurants, DSW Inc. shoe stores and Forever 21.
"These two cases highlight our increasing vulnerability to the theft of personal information. Unsecured networks are a friendly target for such groups. Additionally insider theft, data on the move and inadvertent posting of personal information to websites add to the problem. Breaches are not simply the affect of malicious attacks but also of human error and poor information handling procedures," said Rex Davis, ITRC's Director of Operations.
"It is critical that law enforcement, governmental agencies, businesses, consumers and legislators understand the causes of breaches. With this in mind, the ITRC has continued to create new database tools to better analyze breach information. When we understand how data is exposed or stolen, we can avert many breaches because of improved security procedures and safe information handling," explained Jay Foley, ITRC Executive Director.
It should be noted that the ITRC does not place an inordinate weight on the count of records exposed. While the ITRC breach list reflects more than 22 million compromised records, in almost 40 percent of breach events the number of records exposed is not reported or fully disclosed. This means the number of affected records is grossly incomplete and unusable for any statistical or research purpose. The use of potentially affected records generally causes more concern and is 'news-sexy'.
The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches, such as Pogowasright.org, Phiprivacy.net, and Attrition.com. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.