Breaches Blast ’07 Record
August 26, 2008
The total number of
breaches on the Identity Theft Resource Center’s 2008 breach list
surpassed the final total of 446 reported in 2007, more than 4 months
before the end of 2008. As of 9:30 a.m. August 22nd, the number of
confirmed data breaches in 2008 stood at 449. The actual number of
breaches is most likely higher, due to under-reporting and the fact that
some of the breaches reported, which affect multiple businesses, are
listed as single events. In the last few months, two subcontractors
became examples of these “multiple” events. In one case, the customers
and/or employees of at least 20 entities were affected by a breach that
the ITRC reported as a single breach event.
ITRC recognizes that 449 breaches in less than a year is a small number
when compared to the total number of business, governmental, health,
banking and educational entities that have databases. However, for the
individuals whose information has been exposed, 449 data exposure events
are still too many. It should be noted that the growth in the number of
breaches from year to year can no longer only be attributed to required
reporting laws and media investigative work.
Linda Foley, ITRC Founder, attributes part of the growth of the ITRC’s
breach list to the ability to access state Attorney General notification
lists which contain breaches that were not reported via media or other
sources. “If more states would publish breach notification lists, there
would be more information to study and to help us understand this
growing concern. At this time, only three states publish such
information. Additionally, more companies are starting to audit their
security and network systems and use readily available security
measures. This pro-active approach means that breaches are being
identified that might otherwise have gone undetected.”
“The number of attacks, in addition to publicly disclosed breaches,
continues to escalate as criminal networks mushroom around the world,
while economies weaken,” said Avivah Litan, Vice President and
Distinguished Analyst, Gartner Inc. “A more concerted effort is required
among companies to secure and protect customer data, regardless of
regulatory oversight.”
In the last few weeks, the US Secret Service announced the investigation
of a cybercrime group that may have hacked tens of thousands of credit
and debit card accounts from Louisiana and Mississippi restaurants this
year, allegedly leading to over $1 million in losses for the banks that
issued them.
Also, on August 5, 2008 the US Attorney General’s office announced the
indictments of 11 defendants who tapped the computer networks of TJX
Cos.' Marshalls, BJ's Wholesale Club Inc., Barnes & Noble Inc.
bookstores, Sports Authority, Boston Market Corp., OfficeMax Inc., Dave
& Buster's restaurants, DSW Inc. shoe stores and Forever 21.
“These two cases highlight our increasing vulnerability to the theft of
personal information. Unsecured networks are a friendly target for such
groups. Additionally, insider theft, data on the move and inadvertent
posting of personal information to websites add to the problem. Breaches
are not simply the result of malicious attacks but also of human error
and poor information handling procedures,” stated Rex Davis, ITRC’s
Director of Operations.
“It is critical that law enforcement, governmental agencies, businesses,
consumers and legislators understand the causes of breaches. With this
in mind, the ITRC has continued to create new database tools to better
analyze breach information. When we understand how data is exposed or
stolen, we can avert many breaches because of improved security
procedures and safer information handling,” explained Jay Foley, ITRC
Executive Director.
It should be noted that the ITRC does not place an inordinate weight on
the count of records exposed. While the ITRC breach list reflects
compromised records of more than 22 million, in more than 40% of breach
events, the number of records exposed is not reported or fully
disclosed. This means the number of affected records is grossly
incomplete and unusable for any statistic or research purpose. The use
of potentially affected records generally causes more concern and is
‘news-sexy’.