Data Breach Reports “Increased Dramatically” in 2008

New Identity Theft Resource Center report shows 47% increase
January 8, 2009

The number of data breaches reported in 2008 “increased dramatically,” up 47% from 446 reported breaches in 2007, to 656 in 2008, according to a report by The Identity Theft Resource Center (ITRC).

At least 35.7 million private personal records were exposed in the reported breaches, the San Diego-based non-profit stated January 6. Yet, that doesn’t fully represent the problem’s extent. According to the ITRC, the number of records exposed was disclosed in only 41.9% of the reported breaches.

The ITRC examines the reported breaches. Changes in breach disclosure laws have helped, yet there is no way of knowing how many breaches remain undisclosed each year.

Password, please
Electronic breaches (82.3%) far outnumbered paper breaches (17.7%), the ITRC reported. It noted encryption or “strong protection methods” were employed in only 2.4% of all reported breaches, and password protection was seen in only 8.5% of reported breaches.

The ITRC sub-divides its breach monitoring into five categories: business, educational, government/military, health/medical and financial/credit. The 240 business breaches accounted for 36.6% of those reported in 2008, while schools came second, providing 20 percent of reported incidents.

Human error was the cause in 35.2% of the cases in which an explanation was provided, while insider theft more than doubled between 2007 and 2008, and is now identified as a breach cause 15.7% of the time.

The enemy within
“This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders,” Linda Foley, ITRC’s co-founder, told The Washington Post. “As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent.”

Amir Orad, chief marketing officer for fraud prevention company Actimize, agreed, telling the Post insider theft may be “the result of employees feeling the pinch from the recession.”

The ITRC’s recommendations based on its findings included:
•    Minimizing access among personnel to personal identifying information
•    Requiring encryption on all mobile data storage devices and of all data or back-up records sent from one location to another
•    Updating anti-virus, spyware and malware software at least once a week
•    Thoroughly training employees in safe information handling

Our analysis
Since consideration of breach statistics relies on accurate reporting of incidents, there continue to be concerns about the validity of incident analysis. “Making any sense of breach data continues to be like comparing apples, oranges, and Fruit Loops,” a Chronicles of Dissent blogger noted in considering the latest ITRC report. However, this merely highlights the need for greater transparency and more stringent – and uniform – requirements for data breach notification.

And much is clearly gained from efforts such as this to keep track of the data breaches reported each year. Not only does it provide consumers with a valuable reference, it serves as a wake-up call for organizations that handle sensitive personal information to take the threat of breaches seriously and make data security a major priority.

Here are a few of the larger reported breaches in 2008:

Two Arrested For Stealing, Selling Countrywide Customer Data

Perpetual Story: Stolen Data Leaves 2.2M At Risk

Stolen University of Miami’s Tapes Hold Patients’ Data

Massive Data Breach at Hannaford Results in Widespread Credit Fraud


©2003-2012 Identity Theft 911, LLC. All rights reserved.
