Breach List Criteria
The following criteria have been used by the Identity Theft Resource Center in the formulation and development of its breach list.
Criteria for personal identifying information: Any name or number that may be used, alone or in conjunction with other information, to identify a specific individual including:
- Name, Social Security number, date of birth. Banking or financial account number, credit card or debit card number with or without PIN, official State or government issued driver’s license or identification number, passport identification number, alien registration number, employer or taxpayer identification number, or insurance policy or subscriber numbers
- unique biometric data
- electronic identification number, address or routing code or telecommunication identifying information or device
The list does NOT include occurrences when just a name, phone number and address (home or email) are exposed.
A breach may be the loss or theft of paper or electronic data.
Determination of location:
- If the breach happens in one location, and affects primarily people in that state only, that is the state listed
- If the breach happens in one location but ITRC is unable to determine if people in more than one location are affected, the state in which the event occurred is the state listed
- If the affected population is clearly national in nature (i.e. multiple retail stores in a number of states) then it will be reported as US
Dates:
- The date used as the main sorting field is the publication date of the first confirmed news article about the breach or the date shown on notification letter to a State Attorney General about the breach.
NOTE: Therefore, breaches are not always reported or published in the year they occur. This is consistent with how the ITRC has tracked breaches since 2005.
Categories:
- Published: The total number of records is reported
- Unknown: The total number of records is not known or disclosed
- Password Protected Published: Can be a password on a computer or on a file or both
- Password Protected Unknown: The total number of records is not reported but the file or computer was password protected
- Encryption: Uses specific software that encrypts data
- Other: Truncation, uses special computer equipment or systems/mainframes that are not easily compromised, or uses a combination of truncation and encryption, etc.
- Data on the Move: Laptops, portable storage devices stolen or lost when NOT in a secured office setting
- Insider Theft: An employee or former employee steals information that he or she had access to due to his or her employment with that company