On January 2, 2009, the Identity Theft Resource Center (ITRC) released its report (.pdf) on data breaches in the United States in 2008 (you can read the Washington Post’s primer on the ITRC’s findings here). The raw numbers are headline grabbing — 656 data breaches in 2008, a 47% increase from 2007. The sharp increase from 2007 to 2008 could reflect a real increase in data breach incidents, and most of the reporting on the ITRC’s report takes this view, but it could also be due to increased media interest, new mandatory reporting laws, and greater public interest in the issue. As in 2007, the ITRC relied on public reporting of breaches to compile its list, so the ITRC’s figures should be expected to increase as public reporting of data breach incidents increases.
The ITRC also reports that over 35.5 million personal and/or financial records are known to have been exposed in 2008. This number covers only the 402 of the 656 reported breaches where a public report indicated how many records were actually exposed (a group that includes the 16 breaches where no records were actually exposed because the data was encrypted or otherwise protected); it does not include any of the 254 breaches where an unknown number of records were exposed. So the actual number of exposed records is likely much higher, possibly in the range of 58 million (assuming that the breaches where the numbers are known are representative of the rest, and that the underlying math was done correctly).
Beyond the raw numbers, the trends in data breaches revealed by the ITRC report are also interesting. When we hear about personal information being stolen, security breaches, and identity theft, our first impulse is often to blame hackers and Internet criminals: strangers to an organization who seek to take advantage of flaws in firewalls, networks, and computer systems to obtain valuable information. This assumption may be the result of the number of high-profile breaches that have been traced to hackers, including:
- Heartland Payment Systems (100 million+ accounts, January 2009)
- TJX (45.6 million accounts, March 2007)
- CardSystems Solutions (40 million+ accounts, Late 2004)
- Data Processors International (8 million accounts, February 2003)
Of course, while hackers remain a threat, the ITRC Report suggests that businesses may face greater threats elsewhere.
The ITRC report states that in 2008 only 91 breaches were the result of hacking, 13.9% of all known breach incidents. The remaining 86.1% of incidents were due to accidental exposure, “data on the move,” insider theft, and subcontractor error, a figure that also includes the nearly 25% of all breaches that the ITRC has not categorized.
13.9% is not an insignificant share, and the fact that hacking accounted for a larger proportion of the 35.5 million records exposed, 19%, shows how important working to prevent this sort of breach can be. However, to focus exclusively on hacking when worrying about data breaches is to ignore the remaining 86.1% of security breaches. This series of posts will look at the trends in reported data breaches and discuss key incidents in each category and useful prevention strategies.
- The Identity Theft Resource Center website
- ITRC’s 2008 Report on Data Breaches is available here (.pdf) or from the ITRC’s website here (.pdf).
- Heartland Payment Systems and a nice microsite it developed for the 2008 breach
- TJX Companies