Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.
The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published each Tuesday. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. ITRC follows U.S. Federal guidelines about what combination of personal information comprise a unique individual, and the exposure of which will constitute a data breach.
What is a breach? A breach is defined as an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.
There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.
It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:
- Data on the Move
- Accidental Exposure
- Insider Theft
Click here for the 2013 ITRC Breach Reports
Click here for the 2012 ITRC Breach Reports
Click here for the 2011 ITRC Breach Report (PDF):
Click here for the 2011 ITRC Breach Stats Report (PDF):
Click here for 2011 synopsis and reports
Click here for 2010 synopsis and reports
Click here for 2009 synopsis and reports
Click here for 2008 synopsis and reports
Click here for 2007 synopsis and reports
Click here for 2006 synopsis and reports
Click here for 2005 synopsis and reports
Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in any given year or a previous year are included in the year in which the breach was publicized. Each selected incident is required to have been published by a credible media source, such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and we usually cite more than one source.
We include in each reported data breach item a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and outlets. ITRC adheres to the facts as reported, and does not alter the previously published information. We always attempt to provide live links back to the original article, but these remain good only as long as the source retains the article at that web URL.
When the number of records exposed is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. We do, however, consider “password protected” as not sufficient protection under most circumstances, and do post these events as breaches.
As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND data breaches are being more frequently publicized. ITRC is aware that many breaches go unreported, and we are certain that our ITRC Breach List underreports the problem. One thing we can say with certainty is that this is NOT a new problem.
Other websites and resources for data breaches include:
| TOP |