ITRC 2013 Breach List Tops 600 in 2013
UPDATED - 2/5/2015
NOTE: The difference between 619 and 614 was due to a number of reasons: inconsistency in naming conventions used by media and breached entities (i.e. dba's); differences in posting dates (between media, breach notification letters, and HHS.gov); and a few re-categorized breaches which brought to light some duplication. It is also a fact that many of the breaches posted on the 2014 ITRC Breach List, actually occurred late in 2013 or earlier. Regarding the number of records, several of the breach incidents were updated to reflect a difference in the number of records exposed, i.e. the Target breach. Also, in the Healthcare Sector, the Advocacy Medical Group breach had previously been omitted due to an error in a data base field.
The Identity Theft Resource Center® recorded 6141 breaches on the 2013 ITRC Breach List, a dramatic increase of 30% over the total number of breaches tracked in 2012. The Healthcare sector accounted for 44.1% (271) of the total breaches on this list, overtaking the business sector at 31.8% (195). This comes as no surprise to the ITRC, with more and more breaches being reported to the Department of Health and Human Services (HHS). Additionally, due to the mandatory reporting requirement for healthcare industry breaches affecting 500 or more individuals, 87% of these healthcare breaches publicly stated the number of records exposed. The fact that a sector with a large percentage of breaches, with most entities publicly reporting the number of records, stands out significantly when compared to the 39.6% of incidents in 2013 in which the number of records exposed is unknown.
“This is significant because it demonstrates that regulations in this area have a powerful impact. When you compare the number of reported data breach incidents in other industry sectors that do not report the raw number of records affected, to those in the medical field, you see a much smaller percentage. Public awareness of the full number of records impacted allows us a more accurate understanding of the scope of the problem,” said Eva Velasquez, ITRC President and CEO.
While many in the data breach space continue to look at the vast number of records compromised, the ITRC does not follow that trend for two reasons:
• Not all “records” are created equal. For the most part, passwords, user names and emails are not considered Personal Identifying Information (PII) and don’t trigger breach notification action. As such, the breach itself will be captured on the ITRC Breach list, but it will not include the number of “records” compromised.
It is, however, vitally important for consumers to be aware of these breaches so that they may be proactive in changing passwords after they have been compromised. While this type of information does not put you at risk for identity theft, per se, it is information used by identity thieves in social engineering tactics to gain further information.
• On average, 42% of the reported breaches over the past seven years have not included the number of records in either the breach notification letters to various state attorneys general or the public notice via media. Combine this with the fact that 28.7% of the breaches in 2013 were reported with no known attributes, and it remains very difficult to determine what kind of information was compromised, let alone how many records.
The ITRC continues to recognize the fact that breaches have long been un-reported, or under-reported. Any efforts to accurately quantify the actual number of breaches, and resulting number of compromised records, are stymied in the absence of mandatory and uniform reporting requirements on a national level.
Since 2005, the ITRC has gathered data breach information involving 5 industry sectors: Business, Education, Government/Military, Medical/Healthcare, and Banking/Credit/Financial.
2013 ITRC Breach Report Key Findings
• Hacking continues to secure the number one spot for the method or type of breach, representing more than one-quarter of the total recorded data breaches for 2013. This was followed by Subcontractor (third party involvement) at 14.5% and Data on the Move at 12.9%. Insider Theft was identified in 11.7% of the breaches, Employee Error/Negligence accounted for 9.4% followed by accidental exposure at 7.5%.
• Insider Theft soared 80% over 2012 figures, with 72 incidents falling into this category, compared to 40 recorded in 2012. Another drastic year-over-year change was seen in the number of breaches attributed to Employee Error/Negligence in 2013 (58), a jump of 70.6% over 2012 figures (34). Breaches falling into the category of Subcontractor/Third Party reflected a 64.8% increase over 2012, with 89 and 54 breaches respectively.
• 28.7% of the recorded breaches did not publicly disclose any kind of attributes clarifying the method or type of breach. Many breach notifications provided to the media or state attorney general's office, make it nearly impossible to identify the circumstances under which the breach occurred.
• 48% of the reported breaches on the 2013 ITRC Breach Report involved the exposure of Social Security numbers and 15.6% exposed credit or debit card information. In raw numbers, there were 295 breaches exposing SSNs, an increase of 30.5% over 2012. Year-over-year, the number of breaches involving credit or debit cards in 2013 (96) jumped 41.2 percent over 2012 (68).
• Paper breaches accounted for nearly 12% of the “known” breaches and typically go unnoticed until a consumer reports the problem to local media. Unfortunately, paper breaches do not trigger breach notifications in most states, so consumers are not alerted to the fact that their personal identifying information has been exposed.
The recent Target breach has only made it more evident that consumers need to be made aware of how to respond to a breach notification. The public needs to further understand the “risk of harm” which is associated with various types of personal information - whether it is a user name, password, a Social Security number or financial account information.
“The recent data breach reported by Target has resulted in more than just consumer resentment. Consumers are now starting to discuss and ask questions about this important issue. Data breach reporting requirements need to be standardized, mandatory, and also inclusive of paper breaches as a reporting trigger,” added Velasquez. “California expanding its Data Breach Notification requirements to include certain types of online credentialing and authentication information is a step in the right direction as we conduct more business and other activities on line."
The ITRC mission is to help broaden consumer education on this topic in order to address concerns and to help mitigate cases of identity theft should they arise as a result of any given breach.
(1) initially reported as 619