Report: Data Breaches Expose About 30M Records in '08

 

U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud.

 

The Identity Theft Resource Center, of San Diego, found that this year's data breach tally has easily eclipsed 2007's 446 incidents. At an average of 57 caches of consumer data reported lost or stolen each month, U.S. organizations are on track to divulge at least 680 breaches by the end of 2008.

 

About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. A description of each incident is available in the Identity Theft Resource Center 's 2008 Breach List (PDF).

 

Some 30 million records on consumers have been exposed so far this year. But experts say that figure almost certainly masks a much larger problem, as there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected.

 

Resource center founder Linda Foley said it's not clear whether there are more breaches, if organizations are getting better at detecting them or if more organizations are simply complying with state data breach notification laws.

 

At least 40 states now require entities to alert consumers in their states when a data breach has placed residents' personal and financial data at risk of exposure. Yet, in nearly 42 percent of the breaches reported this year, affected entities have not divulged the total number of Americans potentially at risk from the incidents, Foley said.

 

Consider the breaches that the Identity Theft Resource Center tallied last year: In 2007, 446 incidents exposed more than 127 million consumer records. Yet in 40 percent of those cases, the entities that experienced the breach did not say how many records were affected nationwide. A single omission can skew the numbers dramatically. Nearly three-quarters of those 127 million records were attributable to a single data breach: that of TJX Inc., which operates T.J. Maxx stores, among others.

 

What's more, the resource center counts breaches by contractors as a single incident, even when the breach affects a large number of the contractor's clients. For example, Bank of New York Mellon in February said it had lost backup tapes containing names, addresses, birth dates and Social Security numbers on roughly 4.5 million Americans. Following an investigation by Connecticut authorities, the bank acknowledged that as many as 12.5 million records may have been lost. Since the institution administers investment plans for a number of companies, even people who had no direct relationship with the bank received notices from the institution that their personal data was compromised.

 

"We get calls all the time from people who receive a breach notice from a company they've never done business with directly," Foley said. "Companies that collect information on behalf of other organizations need to take extreme security measures because they have a lot more information at stake."

 

More than 36 percent of the breaches so far this year have been at U.S. businesses, while educational institutions were the second most frequent source of incidents (21 percent). Breaches attributed to the military or state and federal government declined for the third year running, down from a quarter of all breaches last year to just 16 percent in 2008.

 

Organizations reported that hacking (13.4 percent) and insider theft (16.5 percent) were the cause of nearly one-third of all breaches this year. Lost or stolen laptops and other digital media storage accounted for 20 percent of breaches, with another 14 percent blamed on accidental exposure, such as the posting of Social Security numbers and other data to a public Web site.