2008 Data Breach Total Soars
ITRC Reports 47% Increase over 2007
2008 - # of Breaches
In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest. As the chart indicates, the business community still needs to enhance and enforce data security measures.
2008 - # of Breaches
According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.
The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. It is important to note that the number of breaches reported does not reflect the number of companies affected.
Data on the Move
Sadly, these trends continue to plague companies and government alike, despite education on safer information handling, new laws and regulations. Mal-attacks, hacking and insider theft, account for 29.6% of those breaches that reported the causal factor. Insider theft, now at 15.7%, has more than doubled between 2007 and 2008. On the other hand, data on the move and accidental exposure, both human error categories, showed noteworthy improvement, but still account for 35.2% of those breaches that indicate cause.
Electronic breaches (82.3%) continue to outnumber paper breaches (17.7%). While there were 35.7 million records potentially breaches according to the notification letters and information provided by breached entities, 41.9% went unreported or undisclosed making the total number of affected records an unreliable number to use for any accurate reporting.
Based on the breach reports from the past 3 years, the ITRC strongly advises all agencies and companies to:
- Minimize personal with access to personal identifying information.
- Require all mobile data storage devices that contain identifying information encrypt sensitive data.
- Limit the number of people who may take information out of the workplace, and set into policy safe procedures for storage and transport.
- When sending data or back-up records from one location to another, encrypt all data before it leaves the sender and create secure methods for storage of the information, whether electronic or paper.
- Properly destroy all paper documents prior to disposal. If they are in a storage unit that is relinquished, ensure that all documents are removed.
- Verify that your server and/or any PC with sensitive information is secure at all times. In addition to physical security, you must update anti-virus, spyware and malware software at least once a week and allow your software to update as necessary in between regular maintenance dates.
- Train employees on safe information handling until it becomes second nature.
About the ITRC
The Identity Theft Resource Center® (ITRC) is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the on-going mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem. Additionally, ITRC has a complete breach response program to help businesses prepare for a breach, or respond to a data exposure event. Visit www.idtheftcenter.org .
Funding for this project was provided by a grant from the California Consumer Protection Foundation. The ITRC thanks Databreaches.net for its invaluable assistance in finding sources for the information used in the breach report and the Maryland, New Hampshire Attorney Generals and the Consumer Privacy Office in posting notification letters.