At least 8.3 million personal and financial records of consumers were potentially compromised by data spills or breaches at businesses, universities and government agencies in the first quarter of 2008, according to statistics released today.
The San Diego-based Identity Theft Resource Center said it tracked public reports of 167 data breaches in the first three months of this year. The center recorded 448 data breaches total in 2007. A detailed breakdown of the incidents in 1Q of 2008 is available here (PDF) and the overall 2007 statistics can be downloaded here (PDF).
Roughly 4.2 million of the breached records were the result of digital intrusions at the Hannaford Bros. supermarket chain disclosed last month.
Overall, businesses were responsible for roughly 36 percent of the data breaches or spills, followed by schools and universities (25 percent), government and military (18 percent), medical/health care (14 percent) and banking and financial (7 percent). More details on the industry breakdown are available here (PDF).
While the center doesn't break its numbers down by data loss type, a review of the data from the first quarter of the year suggests that only about 13 percent of the breaches were the result of an outside hacker gaining unauthorized access to consumer records over the Internet.
According to a tally by Security Fix, 21 hacking incidents in the first three months of this year compromised at least 4,624,005 personal and financial records (again, the Hannaford breach accounts for the majority of those compromised records).
Most of the data spills in 1Q 2008 appear to have resulted from lost or stolen laptops, hard drives or thumb drives. Insider access and the inadvertent posting of sensitive data to a Web site or through e-mail also were cited frequently throughout the report.
A few caveats about the number of breached records are in order. First, in 66 of the 167 data breaches detailed in this report -- 40 percent of the cases -- the organizations involved have not disclosed how many records might have been compromised. Nor do the affected organizations that have disclosed that data typically say how many individual consumers were affected.
For example, Okemo Mountain Ski Resort reported late last month that a hacker break-in compromised more than 28,000 credit card transactions, but it's not obvious from that data how many unique cards were affected.
The number of cases in which organizations report or acknowledge a data breach but offer no estimates of the number of victims appears to be increasing (although, I should note here that the ID Theft Resource Center's data is based largely on media reports about the incidents).
In all of 2007, affected organizations didn't say how many records were potentially affected in 138 of the 446 recorded breaches, or in roughly 31 percent of the cases.
Linda Foley, the ID Theft Resource Center's founder, said it's unclear what's behind the increase in data loss reports this year, whether it's a greater number of states with laws mandating data breach disclosures, a larger number of breaches or a combination of the two.
Nationwide, 39 states and the District of Columbia have laws on the books requiring organizations to notify consumers of a data breach that jeopardizes their personal and/or financial data.
"The question of why we are hearing more about data breaches is going to take us a couple of more years to sort out," Foley said. "I think, perhaps in addition to the state [disclosure laws], companies are urged on a bit by the fear of the media taking the story and releasing it rather than the companies themselves getting a chance to spin the news."
Reference: blog.washingtonpost.com