Contact: Linda Foley, firstname.lastname@example.org, 858-693-7935 x 101
8:45 am - 4:30 pm Pacific Time
Breaches Blast ’07 Record
As of August 22, ITRC’s list surpasses 446 documented breaches
San Diego, CA (August 22, 2008): Today, the total number of breaches on the Identity Theft Resource Center’s 2008 breach list surpassed the final total of 446 reported in 2007, more than 4 months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event.
ITRC recognizes that 449 breaches in less than a year is a small number when compared to the total number of business, governmental, health, banking and educational entities that have databases. However, for the individuals whose information has been exposed, 449 data exposure events are still too many. It should be noted that the growth in the number of breaches from year to year can no longer only be attributed to required reporting laws and media investigative work.
Linda Foley, ITRC Founder, attributes part of the growth of the ITRC’s breach list to the ability to access state Attorney General notification lists which contain breaches that were not reported via media or other sources. “If more states would publish breach notification lists, there would be more information to study and to help us understand this growing concern. At this time, only three states publish such information. Additionally, more companies are starting to audit their security and network systems and use readily available security measures. This pro-active approach means that breaches are being identified that might otherwise have gone undetected.”
“The number of attacks, in addition to publicly disclosed breaches, continues to escalate as criminal networks mushroom around the world, while economies weaken,” said Avivah Litan, Vice President and Distinguished Analyst, Gartner Inc. “A more concerted effort is required among companies to secure and protect customer data, regardless of regulatory oversight.”
In the last few weeks, the US Secret Service announced the investigation of a cybercrime group that may have hacked tens of thousands of credit and debit card accounts from Louisiana and Mississippi restaurants this year, allegedly leading to over $1 million in losses for the banks that issued them.
Also, on August 5, 2008 the US Attorney General’s office announced the indictments of 11 defendants who tapped the computer networks of TJX Cos.' Marshalls, BJ's Wholesale Club Inc., Barnes & Noble Inc. bookstores, Sports Authority, Boston Market Corp., OfficeMax Inc., Dave & Buster's restaurants, DSW Inc. shoe stores and Forever 21.
“These two cases highlight our increasing vulnerability to the theft of personal information. Unsecured networks are a friendly target for such groups. Additionally insider theft, data on the move and inadvertent posting of personal information to websites add to the problem. Breaches are not simply the result of malicious attacks but also of human error and poor information handling procedures,” stated Rex Davis, ITRC’s Director of Operations.
“It is critical that law enforcement, governmental agencies, businesses, consumers and legislators understand the causes of breaches. With this in mind, the ITRC has continued to create new database tools to better analyze breach information. When we understand how data is exposed or stolen, we can avert many breaches because of improved security procedures and safer information handling,” explained Jay Foley, ITRC Executive Director.
It should be noted that the ITRC does not place an inordinate weight on the count of records exposed. While the ITRC breach list reflects compromised records of more than 22 million, in more than 40% of breach events, the number of records exposed is not reported or fully disclosed. This means the number of affected records is grossly incomplete and unusable for any statistic or research purpose. The use of potentially affected records generally causes more concern and is ‘news-sexy’.
The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches, such as pogowasright.org, phiprivacy.net, The Breach Blog and attrition.org. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.
The purpose of the ITRC breach list is not to point a finger at any one company; rather it is to study the problem of breaches. What are the weak links in security that might lead to a breach? What policy changes need to be considered? What protocols need to be established and then taught to all employees, including the highest ranking executive? Can risk levels be predicted or reduced?
About the ITRC
The Identity Theft Resource Center® (ITRC) is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the on-going mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem. Additionally, ITRC has a complete breach response program to help businesses prepare for a breach, or respond to a data exposure event. Visit www.idtheftcenter.org
Funding for this project was provided by a grant from the California Consumer Protection Foundation.