Identity Theft Resource Center Breach Report Hits Near Record High in 2015
January 25, 2016 – The number of U.S. data breaches tracked in 2015 totaled 781, according to a recent report released by the Identity Theft Resource Center (ITRC) and sponsored by IDT911™. This represents the second highest year on record since the ITRC began tracking breaches in 2005. (See multi-year spreadsheet)
For the first time since 2011 the business sector again topped the ITRC 2015 Breach List with nearly 40 percent of the breaches publicly reported in 2015, an increase of 8.1 percent from 2014 figures. In second place was the Health/Medical sector with 35.5 percent of the total overall breaches, a drop of 8.6 percent from a record high of 44.1 percent in 2014. The Banking/Credit/Financial sector ranked third with 9.1 percent of the breaches with nearly double the number of breaches reported in 2014, 71 and 38 respectively. This marks the first time that this industry has ranked in the top three. In fourth place was Government/Military with 8.1 percent followed by the Education sector with 7.4 percent.
“With ongoing support from IDT911,the ITRC continually tracks and monitors the ever growing number of U.S. breaches in an effort to understand the complex issues behind them," said Eva Velasquez, President and CEO, ITRC.
“While the overwhelmingly prevalent motive for data breaches remains financial gain for the thieves, we saw a shift in new motives for obtaining sensitive and private personal data this year. This compromised data can now be used to compel behavior changes in breached individuals and groups. This data is also being used for social justice purposes, and even to embarrass our nation. As the motives for obtaining this data shift, so must our mindset about what we need to keep private, protect, and potentially cease capturing or creating,” Velasquez continued.
The ITRC maintains an extensive database capturing and categorizing U.S. data breaches into five industry sectors with a number of other attributes such as how information was compromised and type of data.
“These numbers are by no means the whole story, as breaches have become the third certainty in life. Since 2005, ITRC has tracked 5,810 reported breaches. Many continue to fly under the radar because many businesses aim to avoid the financial dislocation, liability, and loss of goodwill that comes with disclosure and notification,” said Adam Levin, Chairman and Founder of IDT911. “It is safe to assume that the actual number of breaches is much higher than what is reported.”
In 2015, Hacking incidents reached a nine-year high of 37.9 percent, a jump of 8.4 percent over 2014 figures. This was followed by the Employee Error/Negligence category at 14.9 percent, more than double the 7.2 percent first reported in 2012.
Accidental Email/Internet Exposure was the third most common source of compromised data at 13.7 percent followed by Insider Theft (10.6 percent), Physical Theft (10.5 percent) and Subcontractor/3rd party (9.0 percent). Data on the Move came in last with 7.3 percent, down from a record high of 27.6 percent in 2007.
The ITRC continues to track paper breaches even though these types of breaches seldom trigger state breach notification laws. This type of occurrence has dropped considerably since the high of 25.9 percent recorded in 2009, with 12.4 percent of the breaches reported in 2015 as paper.
Of note, the reporting of records (Known vs Unknown) spiked again in 2015 with more than half of the reported breaches failing to include this information.
The number of breaches involving Social Security numbers totaled 338 in 2015, a modest increase of 1.8 percent over the 325 reported in 2014. Those breaches, however, involved more than 164.4 million records. This is in stark contrast to the 160 breaches in 2015 involving debit/credit cards which exposed less than 800,000 records. These numbers, captured from information made publicly available throughout the year, compares drastically to the 138 breaches tracked in 2014 which involved more than 64.4 million debit/credit cards.
“We recognized 2014 as the year of the credit card breach; 2015 must be similarly recognized but as the year of the Social Security Number breach. The concerning trend here is that remediation of a compromised SSN remains a more arduous task for victims when compared to remediation of an individual credit card number,” said Velasquez. “The opportunities for thieves who possess Social Security Numbers are significantly greater and pose more consumer risk, not to mention more difficulty for the individual consumer when it comes to deployment of risk minimization techniques,” Velasquez added.
“I am convinced that 2016 will see more massive public and private sector takedowns, hacks, and exposure of sensitive personal information like we have witnessed in years past,” said Levin. “I wouldn’t be surprised if a major political party, PAC or presidential campaign suffers a major compromise. Malvertising and ransomware attacks will reach a fever pitch. Medical data and business information like intellectual property will be prime targets, with cyber thieves looking for opportunistic financial gain based on black market value, corporate extortion and cyber terrorism.”
For 11 years, the ITRC has been committed to dedicating resources to providing the most accurate review and analysis of U.S. data breach incidents. This has long involved adding new categories and updating methodologies to best capture patterns and any new trends.
About the ITRC Breach List
The ITRC Breach List is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. Breaches on this list typically have exposed information that could potentially lead to identity theft, including Social Security numbers, financial account information, driver’s license numbers and medical information. This data breach information, and available statistics, have become a valuable resource for media, businesses and consumers looking to become more informed on the need for best practices, privacy and security measures in all areas – both personal and professional.
About the ITRC
Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization which provides victim assistance and consumer education through its toll-free call center, website and highly visible social media efforts. It is the mission of the ITRC to: provide best-in-class victim assistance at no charge to consumers throughout the United States; educate consumers, corporations, government agencies, and other organizations on best practices for fraud and identity theft detection, reduction and mitigation; and, serve as a relevant national resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams, and other issues. Visit http://www.idtheftcenter.org. Victims may contact the ITRC at 888-400-5530.
IDT911™ is the leading provider of services that help businesses and their customers defend against data breaches and identity theft. IDT911’s unique approach—delivering proactive protection, preventive education, and swift resolution—offers unrivaled support for more than 660 client partners and 17.5 million households. With its wholly owned subsidiary, IDT911 Consulting™, IDT911 delivers information security and data privacy expertise to help businesses avert and respond to data loss. Based in Scottsdale, Ariz., the company has several locations in the U.S. and Canada, as well as in Ireland to serve partners in Europe.
ITRC Breach Reports - 2015 Year End Totals
ITRC would like to thank IDT911 for its financial support of the ITRC Report, ITRC Breach Stats Report and all supplemental breach reports.