UPDATE - 2/20/2014
In short, most of the changes are due to inconsistency in naming conventions used by other reporting entities and the media, differences in posting dates, and a few re-categorized breaches. The Advocate Medical Group breach had previously been omitted due to inconsistent data in the primary data fields. In other cases, the number of records has recently been updated to reflect a change in the number of records exposed, e.g., the Target breach.
ALL NEW SUB-REPORTS ARE CURRENTLY BEING GENERATED AND WILL BE POSTED AS SOON AS POSSIBLE
(1/22/2014) – The Identity Theft Resource Center® recorded 619 breaches on the 2013 ITRC Breach List, a dramatic increase of 30% over the total number of breaches tracked in 2012. The healthcare sector accounted for 43% (267) of the total breaches on this list, overtaking the business sector at 33.9% (210) for the first time since 2005, when the ITRC first began tracking data breaches. This comes as no surprise to the ITRC, with more and more breaches being reported to the Department of Health and Human Services (HHS). Additionally, due to the mandatory reporting requirement for healthcare industry breaches affecting 500 or more individuals, 84% of these healthcare breaches publicly stated the number of records exposed. A sector with a large share of the breaches, most of which publicly report the number of records, stands out significantly when compared to the 40.9% of incidents in 2013 in which the number of records exposed is unknown (see Known vs. Unknown Totals).
“This is significant because it demonstrates that regulations in this area have a powerful impact. When you compare the number of reported data breach incidents in other industry sectors that do not report the raw number of records affected, to those in the medical field, you see a much smaller percentage. Public awareness of the full number of records impacted allows us a more accurate understanding of the scope of the problem,” said Eva Velasquez, ITRC President and CEO.
While many in the data breach space continue to look at the vast number of records compromised, the ITRC does not follow that trend for two reasons:
• Not all “records” are created equal. For the most part, passwords, user names and emails are not considered Personal Identifying Information (PII) and don’t trigger breach notification action. As such, the breach itself will be captured on the ITRC Breach list, but it will not include the number of “records” compromised.
It is, however, vitally important for consumers to be aware of these breaches so that they may be proactive in changing passwords after they have been compromised. While this type of information does not put you at risk for identity theft, per se, it is information used by identity thieves in social engineering tactics to gain further information.
• On average, 42% of the reported breaches over the past seven years have not included the number of records in either the breach notification letters to various state attorneys general or the public notice via media. Combine this with the fact that 32% of the breaches are reported with no known attributes, and it remains very difficult to determine what kind of information was compromised, let alone how many records.
The ITRC continues to recognize the fact that breaches have long been unreported or under-reported. Any efforts to accurately quantify the actual number of breaches, and the resulting number of compromised records, are stymied in the absence of mandatory and uniform reporting requirements on a national level.
Since 2005, the ITRC has gathered data breach information involving five industry sectors: Business, Education, Government/Military, Medical/Healthcare, and Banking/Credit/Financial.
In 2007, extra categories were added to include five primary attributes (for method or type of breach): Insider/Employee Theft, Hacking, Data on the Move, Accidental Exposure, and Subcontractor/Third Party. In 2012, Employee Error/Negligence was added as an additional field.
2013 ITRC Breach Report Key Findings
• Hacking continues to hold the number one spot for the method or type of breach, representing more than one-quarter (25.8%) of the total recorded data breaches for 2013. This was followed by Subcontractor/Third Party at 14.4% and Data on the Move at 12.9%. Insider Theft was identified in 11.6% of the breaches, Employee Error/Negligence accounted for 9.2%, followed by Accidental Exposure at 7.6%.
• Insider Theft soared 80% over 2012 figures, with 72 incidents falling into this category, compared to 40 recorded in 2012. Another drastic year-over-year change was seen in the number of breaches attributed to Employee Error/Negligence in 2013 (57), a jump of 72.7% over 2012 figures (33). Breaches falling into the category of Subcontractor/Third Party reflected a 67.9% increase over 2012, with 89 and 53 breaches respectively.
• 29.2% of the recorded breaches did not publicly disclose any kind of attributes clarifying the method or type of breach (see Unknown Attributes Summary). Many breach notifications provided to the media or to state attorneys general make it nearly impossible to identify the circumstances under which the breach occurred.
• 59.1% of publicly reported (U.S.) breaches indicated the number of records exposed, totaling 57,868,922 records (see Known vs. Unknown Totals). Note: Records can be defined as Social Security numbers, credit card numbers, financial account numbers, or other pieces of information such as driver’s license numbers or medical insurance numbers.
• 47% of the reported breaches on the 2013 ITRC Breach Report involved the exposure of Social Security numbers, and 15.5% exposed credit or debit card information. These figures represent year-over-year changes of a 28.1% increase in the number of breaches potentially exposing SSNs and a 41.2% increase in the number involving credit or debit card information.
• Paper breaches accounted for nearly 12% of the “known” breaches and typically go unnoticed until a consumer reports the problem to local media. Unfortunately, paper breaches do not trigger breach notifications in most states, so consumers are not alerted to the fact that their personal identifying information has been exposed.
The recent Target breach has only made it more evident that consumers need to be made aware of how to respond to a breach notification. The public needs to further understand the “risk of harm” which is associated with various types of personal information - whether it is a user name, password, a Social Security number or financial account information.
“The recent data breach reported by Target has resulted in more than just consumer resentment. Consumers are now starting to discuss and ask questions about this important issue. Data breach reporting requirements need to be standardized, mandatory, and also inclusive of paper breaches as a reporting trigger,” added Velasquez. “California expanding its Data Breach Notification requirements to include certain types of online credentialing and authentication information is a step in the right direction as we conduct more business and other activities online.”
The ITRC mission is to help broaden consumer education on this topic in order to address concerns and to help mitigate cases of identity theft should they arise as a result of any given breach.