Security Breaches 2008
Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446.
In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.
According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.
The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. It is important to note that the number of breaches reported does not reflect the number of companies affected.
The ITRC breach list is a compilation of breaches confirmed by various media sources, notification lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches, such as www.databreaches.net (aka Pogowasright), privacy.net, and www.datalossdb.org. To qualify breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.
Below is the 2008 Breach Report, and related reports. Also note the 2008 Breach Stats Report, which includes the percentages for each entity category (business, financial/credit, educational, governmental/military and health care).
There are a number of new ITRC reports available, further detailing categorical breach information.