2008 Reported Data Breaches Set New Record
"As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events."
The ITRC reports that the total number of breaches it tracked for the entire year of 2007 was 446. Although 2008's numbers will overshadow the number of reported breaches of previous years, this does not necessarily mean that there will in fact be more security breaches in 2008 than in other years. The ITRC's data often comes from secondary sources, such as media reports. ConsumerAffairs.com reports, "Linda Foley, ITRC Founder, attributes part of the growth of the ITRC's breach list to the ability to access state Attorney General notification lists that contain breaches that were not reported via media or other sources." As such, at least part of the growth comes from the increased number of reported breaches and not just the number of breaches themselves. However, Foley states that only three U.S. states currently publish breach notifications. As for the question of whether there are now really more breaches than ever before, there isn't enough data to provide a definitive answer.
According to the latest published findings from the ITRC, the 2008 security breaches (with data up to 08/22/2008) can be broken down as follows:
- 36.8%: General Businesses
- 21.3%: Educational Institutions
- 17%: Government/Military Agencies
- 14.9%: Medical/Health Care Facilities/Companies
- 10%: Banking/Credit/Financial Services Entities
As of the ITRC's 08/22/2008 report, the documented 449 breaches represented a total of 22,091,338 individual exposed records. Six of these reported breaches exposed over 1 million records each:
- 4,504,690 Exposed records: BNY Mellon Shareowner Services (Banking/Credit/Financial), 02/27/2008: Backup tapes missing or stolen
- 4,200,000 Exposed records: Hannaford Bros Supermarket Chain (Business), 12/07/2007: Computer system breached, sensitive personal information stolen
- 2,200,000 Exposed records: University of Utah Hospitals (Medical/Healthcare), 06/02/2008: Backup tapes stolen
- 2,100,000 Exposed records: University of Miami (Educational), 03/17/2008: Backup tapes stolen
- 2,000,000 Exposed records: Countrywide (Banking/Credit/Financial), 04/04/2008: Employees stealing sensitive personal information
- 1,000,000 Exposed records: Compass Bank (Banking/Credit/Financial), 05/01/2007: Employee stealing sensitive personal information
(The two 2007 breaches are included with the 2008 data, because the information about these breaches only became public in 2008.)
The ITRC reports that security data breaches can happen in a number of ways:
- Lost or stolen laptops, computers or other computer storage devices
- Backup tapes lost in transit because they were not sent either electronically or with a human escort
- Hackers breaking into systems
- Employees stealing information or allowing access to information
- Information bought by a fake business
- Poor business practices, for example sending postcards with Social Security numbers on them
- Internal security failures
- Viruses, Trojan Horses and computer security loopholes
- Info tossed into dumpsters - improper disposition of information
The ITRC Website offers a number of resources for victims of identity theft, preventative measures, scam alerts, and an entire section on educating teens about identity theft.