ITRC Surveys & Studies, Identity Theft News

CALL 704-542-4514

Industry News Feeds

Automated Shredding is NAID certified. (The National Association for Information Destruction)

ITRC Surveys & Studies, Identity Theft News

ITRC 2008 Breach List

Posted in: ITRC Surveys & Studies , Identity Theft News
By Identity Theft Resource Center
Feb 17, 2009 - 9:48:48 AM
Digg this story!
Email this article
Printer friendly page
SECURITY BREACHES
Updated 2/17/2009
Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities.

Click here for the 2009 ITRC Breach Report

Click here for the 2009 ITRC Breach Stats Report

2008 Figures
Reports of data breaches increased dramatically in 2008.   The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446.

In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors.   The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years.   The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection.   It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.

The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking.   Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies.   It is important to note that the number of breaches reported does not reflect the number of companies affected.

The ITRC breach list is a compilation of breaches confirmed by various media sources, notification lists from state governmental agencies.   ITRC uses several websites to help search for verifiable breaches, such as databreaches.net, privacy.net, and www.datalossdb.org .   To qualify breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.

Below is the 2008 Breach Report, and related reports. Also note the 2008 Breach Stats Report, which includes the percentages for each entity category (business, financial/credit, educational, governmental/military and health care).

There are a number of new ITRC reports available, further detailing categorical breach information.

Click on the following links for 2008 Year End Reports:
ITRC Breach Report 2008 Final
ITRC Breach Stats Report 2008 Final
Known vs Unknown
Paper vs Electronic Summary
Paper vs Electronic w Category Summary
Accidental Exposure
Data on the Move
Hacking
Insider Theft
Subcontractor

Click on the following links for 2007 reports:
Accidental Exposure
Data on the Move
Hacking
Insider Theft
Subcontractor

2007 Figures
In 2007, ITRC documented 446 paper and electronic breaches, potentially affecting more than 127 million records. This is a significant increase from 2006 which listed in excess of 315 publicized breaches affecting nearly 20 million individuals. In 2005 there were 158 incidents affecting more than 64.8 million people.

Based on ITRC’s categorization, the 2007 breaches break down as follows: 24.5% government/military agencies, 24.7% from educational institutions, 29.3% from general businesses, 14.5% from health care facilities / companies, and 7% from banking / credit / financial services entities.

Click here for 2007 ITRC Breach Report . Click here for the 2007 ITRC Breach Stats Report broken down by categories.

Click here for the final 2006 ITRC Breach List . Click here for the 2005 ITRC Breach List .

Question: Are there other website with articles about breaches?
Yes, databreaches.net, privacy.net, and www.datalossdb.org .

Question:   What criteria is used when assessing a publicized breach? ( Click here )

Question: Are there more security breaches now than ever before?
This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. Our sense is that two things are happening - the criminal population is stealing more data from companies AND that we are hearing more about the breaches. ITRC has been tracking breaches since 2001. One thing we absolutely can say is that this is NOT a new problem.

Question: Are all breaches alike?
No - security breaches can be broken down into a number of categories. What they have in common is that they usually contained personal identifying information in a format easily read by thieves, in other words, not encrypted.
Lost or stolen laptops, computers or other computer storage devices
Backup tapes lost in transit because they were not sent either electronically nor with a qualified human escort
Hackers breaking into systems
Employees stealing information or allowing access to information
Information bought by a fake business
Poor business practices - for example sending postcards with Social Security numbers on them
Internal security failures
Viruses, Trojan Horses and computer security loopholes
Information tossed into dumpsters - improper disposition of information

Question: What can I do if I am a victim of a breach?
That depends - if your Social Security number has been compromised you need to place a fraud alert on your credit reports immediately and order your free victim of id theft credit reports. However keep in mind that not all thieves use the information immediately so check your report again in about 3 months. You can use your free annual credit report to do this- 877-322-8228. We suggest you stagger your orders so you can see at least one report every four months.

If a financial account or credit card is affected, close that account (and only the affected account/card). Ask the company to mark it- closed due to security breach and by consumer request.

If you are not sure your account was affected, monitor your bank and credit card billing statements carefully, looking for small charges you didn't make. It is not uncommon for a thief to try to make a $5-20 purchase to see if the card is still open. They don't all make large charges that you would notice immediately. Remember to contact any company that automatically deducts a payment from a credit card you might have to close.

The worst thing you can do is to overreact.

For more information on breaches and what to do, please read ITRC’s Fact Sheet 129