SECURITY BREACHES
Updated 12/2/2008
Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities.
There are a number of new ITRC reports available, further detailing categorical breach information.
2008 Figures
The total number of breaches on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008.
As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449.
The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events.
In the last few months, two subcontractors became examples of these “multiple” events.
In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event.
ITRC recognizes that 449 breaches in less than a year is a small number when compared to the total number of business, governmental, health, banking and educational entities that have databases. However, for the individuals whose information has been exposed, 449 data exposure events are still too many.
It should be noted that the growth in the number of breaches from year to year can no longer be attributed only to required reporting laws and media investigative work.
It should be noted that the ITRC does not place an inordinate weight on the count of records exposed.
While the ITRC breach list reflects more than 22 million compromised records, in more than 40% of breach events the number of records exposed is not reported or fully disclosed. This means the number of affected records is grossly incomplete and unusable for any statistical or research purpose.
The use of potentially affected records generally causes more concern and is ‘news-sexy’.
The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies.
ITRC uses several websites to help search for verifiable breaches, such as pogowasright.org, phiprivacy.net, The Breach Blog and attrition.org.
To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.
Click here for the 2008 ITRC Breach report.
Click here for the 2008 ITRC Breach Stats Report broken down by categories, which includes the percentages for each category (business, financial/credit, educational, governmental/military and health care).
Please check regularly as this list is updated weekly.
Click on the following links for 2008 reports (Year to Date):
Known vs Unknown
Paper vs Electronic Summary
Paper vs Electronic w Category Summary
Accidental Exposure
Data on the Move
Hacking
Insider Theft
Subcontractor
Click on the following links for 2007 reports:
Accidental Exposure
Data on the Move
Hacking
Insider Theft
Subcontractor
2007 Figures
In 2007, ITRC documented 446 paper and electronic breaches, potentially affecting more than 127 million records. This is a significant increase from 2006, which listed in excess of 315 publicized breaches affecting nearly 20 million individuals. In 2005 there were 158 incidents affecting more than 64.8 million people.
Based on ITRC’s categorization, the 2007 breaches break down as follows: 24.5% government/military agencies, 24.7% from educational institutions, 29.3% from general businesses, 14.5% from health care facilities / companies, and 7% from banking / credit / financial services entities.
Click here for the 2007 ITRC Breach Report. Click here for the 2007 ITRC Breach Stats Report broken down by categories.
Click here for the final 2006 ITRC Breach List. Click here for the 2005 ITRC Breach List.
Question: Are there other websites with articles about breaches?
Yes - two that we recommend are http://attrition.org/dataloss/ and http://www.pogowasright.org/index.php?topic=Breaches
Both of these sites have stored articles that are well documented. They also include paper breaches and breaches from other countries which ITRC does not include on its list.
Question: What criteria are used when assessing a publicized breach? (Click here)
Question: Are there more security breaches now than ever before?
This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. Our sense is that two things are happening - the criminal population is stealing more data from companies AND that we are hearing more about the breaches. ITRC has been tracking breaches since 2001. One thing we absolutely can say is that this is NOT a new problem.
Question: Are all breaches alike?
No - security breaches can be broken down into a number of categories. What they have in common is that they contained personal identifying information in a format easily read by thieves, in other words, not encrypted.
Question: What can I do if I am a victim of a breach?
That depends - if your Social Security number has been compromised, you need to place a fraud alert on your credit reports immediately and order your free victim of ID theft credit reports. However, keep in mind that not all thieves use the information immediately, so check your report again in about 3 months. You can use your free annual credit report to do this: 877-322-8228. We suggest you stagger your orders so you can see at least one report every four months.
If a financial account or credit card is affected, close that account (and only the affected account/card). Ask the company to mark it "closed due to security breach and by consumer request."
If you are not sure your account was affected, monitor your bank and credit card billing statements carefully, looking for small charges you didn't make. It is not uncommon for a thief to try to make a $5-20 purchase to see if the card is still open. They don't all make large charges that you would notice immediately. Remember to contact any company that automatically deducts a payment from a credit card you might have to close.
The worst thing you can do is to overreact.
For more information on breaches and what to do, please read ITRC’s Fact Sheet 129

