Information management is critically important to all of us - as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us to educate consumers and businesses on the need for understanding the value of protecting personal identifying information.
Coverage period: 2005 to December 31, 2015
Number of breaches: 5,810
Number of records: 847,807,830
The ITRC breach list is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. The list is updated daily and published each Tuesday. Breaches on this list typically have exposed information that could potentially lead to identity theft, including Social Security numbers, financial account information, medical information, and even email addresses and passwords. ITRC follows U.S. Federal guidelines about which combination of personal information identifies a unique individual, and the exposure of which constitutes a data breach.
What is a breach? The ITRC defines a data breach as an incident in which an individual's name plus a Social Security number, driver's license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. Such incidents are included by name but without the total number of records exposed.
There are currently two ITRC breach reports which are updated and posted online on a weekly basis. The ITRC Breach Report presents detailed information about data exposure events along with running totals for a specific year. Breaches are broken down into five categories: business, financial/credit/financial, educational, governmental/military and medical/healthcare. The ITRC Breach Stats Report provides a summary of this information by category. Other, more detailed reports may be generated on a quarterly basis or as dictated by trends.
It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of additional sub-categories by what happened and what information (data) was exposed. What they all have in common is that they usually contain personal identifying information (PII) in a format easily read by thieves; in other words, the data was not encrypted.
The ITRC currently tracks seven categories of data loss methods:
● Insider Theft
● Hacking
● Data on the Move
● Subcontractor/Third Party
● Employee Error/Negligence
● Accidental Web/Internet Exposure
● Physical Theft
The ITRC currently tracks four types of information compromised:
● Social Security number
● Credit/Debit Card number
● Email/Password/User Name
● Protected Health Information (PHI)
ITRC has been tracking and compiling statistics on data breaches since 2005. Our findings are reported below:
● 2005 Data Breaches
● 2006 Data Breaches
● 2007 Data Breaches
● 2008 Data Breaches
● 2009 Data Breaches
● 2010 Data Breaches
● 2011 Data Breaches
● 2012 Data Breaches
● 2013 Data Breaches
● 2014 Data Breaches
Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, a breach that occurred in a previous year is counted in the year in which the breach was publicized, not the year it occurred. Each selected incident is required to have been published by a credible media source, such as TV, radio or press. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and we usually cite more than one source.
For each reported data breach item, we include a link to or source of the article and the information presented by that article. Often we have attributions from a multitude of media sources and outlets. ITRC adheres to the facts as reported and does not alter the previously published information. We always attempt to provide live links back to the original article, but these remain good only as long as the source retains the article at that web URL.
When the number of records exposed is not reported, we note that fact. When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. We do, however, consider "password protected" to be insufficient protection under most circumstances, and we do post these events as breaches.
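The inclusion rules described above (name plus sensitive record counts in full; email/user name/password-only incidents are listed by name without a record total; encrypted records are not an exposure; password protection alone does not exclude an incident; incidents are counted in the year publicized) can be applied mechanically to produce the per-category summary the Breach Stats Report provides. The following is an added example, not ITRC code; the incident records are constructed and the short category keys are my shorthand for the page's five categories.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Set

# Data types whose exposure together with a name makes a full breach (per the page).
SENSITIVE = {"ssn", "drivers_license", "medical_record", "financial_record"}
# Data types that are listed by name but whose record totals are not counted.
CREDENTIAL_ONLY = {"email", "password", "username"}

@dataclass
class Incident:
    name: str
    category: str            # business, financial, educational, government, medical
    data_types: Set[str]
    records: Optional[int]   # None when the number of records was not reported
    protection: str          # "none", "password" or "encrypted"
    year_occurred: int
    year_published: int

def classify(inc: Incident):
    """Return (include_in_list, count_records) under the ITRC inclusion rules."""
    if inc.protection == "encrypted":
        return False, False          # encrypted records are not treated as an exposure
    # "password protected" is not sufficient protection, so it falls through here
    if inc.data_types & SENSITIVE:
        return True, True            # name + SSN/DL/medical/financial record
    if inc.data_types & CREDENTIAL_ONLY:
        return True, False           # listed by name, record total not added
    return False, False

def stats_report(incidents):
    """Summarise by (year publicized, category), like the Breach Stats Report."""
    report = defaultdict(lambda: {"breaches": 0, "records": 0, "records_unknown": 0})
    for inc in incidents:
        include, count = classify(inc)
        if not include:
            continue
        bucket = report[(inc.year_published, inc.category)]  # year publicized, not occurred
        bucket["breaches"] += 1
        if count and inc.records is not None:
            bucket["records"] += inc.records
        elif count:
            bucket["records_unknown"] += 1   # "number of records not reported"
    return dict(report)

# Constructed sample incidents (not real breaches).
SAMPLE = [
    Incident("Hospital A", "medical", {"medical_record"}, 1200, "none", 2014, 2015),
    Incident("Retailer B", "business", {"financial_record"}, None, "password", 2015, 2015),
    Incident("Forum C", "business", {"email", "password"}, 50000, "none", 2015, 2015),
    Incident("University D", "educational", {"ssn"}, 300, "encrypted", 2015, 2015),
]
```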
As an authority on data breach exposures, the ITRC is frequently asked whether there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either because of laws or because of public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND that data breaches are being more frequently publicized. ITRC is aware that many breaches go unreported, and we are certain that our ITRC Breach List underreports the problem. One thing we can say with certainty is that this is NOT a new problem.
Other websites and resources for data breaches include: