This is the result of 516 data breach incidents reported until September

Oct 7, 2008 14:21 GMT

The Identity Theft Resource Center (ITRC), a nonprofit organization that tracks data breaches in the U.S., reported 516 incidents that resulted in a total of over 30 million personal records being compromised so far in 2008, of which 97.5% were electronically stored.

The ITRC gathers the reports from various media sources, several notification lists and state agencies. It is also working to confirm the breaches with several other specialized groups and websites. All the incidents included in the report resulted in the loss of personally identifying information such as Social Security numbers, driver's license numbers and banking details; in short, information that could facilitate identity theft.

The report defines five categories based on the sectors where the incidents occurred: banking/credit/financial, business, educational, government/military and medical/healthcare. Incidents originating in the financial sector account for almost 57% of the lost records, while the largest number of incidents, 188 (36.4%), was recorded in the business sector. This suggests that financial institutions in particular, which usually handle a lot of personal information, should adopt stronger security policies.

The report also sorts the incidents by breach type. According to the statistics, 47% of the records were lost while being moved, in 95 incidents, while 36% were lost by subcontracted companies. In addition, almost 22% of the records were compromised as a result of hacking activities and 18% were stolen by employees. One surprise is the low percentage (3%) of records that were accidentally exposed.

Another classification concerns the protection level of the compromised data. It shows again the lack of data encryption practices inside organizations: the information was encrypted in only 1.1% of the incidents. In almost 10% of the cases, the data was password protected, while in 88% of the incidents the lost personal details were unprotected, and these account for the vast majority (92%) of the total number of compromised records.

The report analyzed only data gathered in the first eight months of 2008, and the total number of incidents had already exceeded the number registered for the whole of 2007 (446). This could also be because many states have since introduced laws that require both public and private organizations to report such cases.

Even though the number of compromised records in 2007 was much larger, 127 million, it is notable that in more than 40% of the breach events included in the 2008 report, such information was partially or completely unavailable. Because of this, the ITRC advises that “the number of affected records is grossly incomplete and unusable for any statistic or research purpose.”