(San Diego, CA  April 19, 2011):  The Identity Theft Resource Center® has found that hacking accounted for the largest number of breaches in 2011 year-to-date.  Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems.   This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).

 

Note that these numbers do not include the recent hackings of enormous quantities of email addresses from companies.  Email addresses alone do not pose a direct threat as long as consumers realize that they are more susceptible to phishing scams.  Phishing scams try to trick readers into providing personal information that can be used for identity theft.

Paralleling the ITRC breach report finding is the recently released Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010.  This may partially explain why the ITRC observation of increased hacking has occurred so quickly.

Additionally, a new survey by McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees.   ITRC views these as two different types of breaches.  Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company.   However, the insider who intentionally steals or allows others access to personal information is considered a malicious attacker.

“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager.  “ITRC does not have access to the Secret Service’s forensic information has so we can only report on situations when information is released.  As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft.  When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”

The business community seems to be taking the brunt of hacking attacks, according to published reports of breaches.   In fact, 53.6% of all breaches on the ITRC report were business related.   The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military,”, and “Medical/Healthcare” all dropped in their respective percentage of reported breaches.

Unfortunately, it is still difficult to ascertain the true cause of many breaches due to entities publicly stating “the information was stolen” or “due to theft.”  Additionally, nearly half of breached entities did not publicly report the number of potentially exposed records.  Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.  This was probably due to mandatory reporting by HHS.  Since other entities do not have that type of requirement, it is likely that entities in other categories also had breach events with large record exposure numbers that went publicly unreported.

No conclusions can be drawn yet about how this year will compare to prior years.  The one thing that is consistent, year after year, is that data breaches will occur.  These events are outside the realm of consumer control.  Due to our individually broad electronic “footprints”, our Social Security numbers and financial account numbers are in a vast pool of information that can be breached.  The responsibility for protecting this personal identifying information is fully on those who request and store it.  All entities that collect personal information need to understand and embrace the concept that only they can safeguard our information and that this safeguarding must be an urgent priority.

Not only are hackers winning, but so are the thieves who steal unattended laptops and dig into dumpsters behind companies for paper data.  Breaches just don’t happen, they are allowed to happen.  ITRC will continue to track, analyze and report on the situation of breaches of personal information.

About the ITRC

The Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft.  Visit www.idtheftcenter.org.  Victims may contact the ITRC at 888-400-5530.

Click to download the attached file(s):

(San Diego, CA: April 19, 2011)  According to the “Weather Channel”, tornado season in the U.S. lasts from April through July, with May and June being the peak months.   The Identity Theft Resource Center (ITRC) wishes to alert the public to several potential identity theft-related situations that might arise from such a natural disaster. This information is based on previously observed criminal behavior in disaster situations.

If your information is missing after a tornado, don’t panic.  The information could be so badly destroyed that no one could use the information.  However, that being said, here are some valuable tips to help prevent the loss or exposure of your personal information.

  • Individuals:  Keep your tax and insurance papers, financial records, medical identification cards and items with Social Security numbers in a portable locked box that can easily be taken with you if you must evacuate or move into an underground shelter.  Prepare your computer for transport, or remove the hard drive and put it in your locked box.
  • Individuals:  If you find you will be housed in a community shelter, do not leave the items in your locked box unwatched under any circumstances.  The good news is you have a cache of important information to help you recover.  The bad news is this is a tempting target for an identity thief.
  • Companies:  Keep locked files with personal identifying information in the safest place of your building space.  Should you return and find this information missing for whatever reason, immediately contact law enforcement. Then contact, if possible, the affected parties so that they can place fraud alerts on their credit reports.
  • Be aware and wary of scams.  Fraudsters will often use a disaster situation to exploit victims.  They may contact disaster victims stating that company databases were damaged, and that they need critical information to reconstruct the accounts that were affected.  This is a “phishing” scam, whether by phone, text, or email.  No creditable companies or government agency will contact consumers in this manner.  Often scammers pretend to be a relief group collecting money.  Only send money to relief groups after you have validated the group as well as the address/account that is to be used to collect donations for relief.  Well established groups, such as the Red Cross, are the best bet.
  • Should you find documents belonging to others that contain sensitive personal information, immediately turn them over to a law enforcement agency, be it local or federal.  Remember use of personal identifying information belonging to others is a criminal act.  Help prevent that crime by doing the right thing.

The ITRC remains committed to stopping identity thieves from adding to the human tragedy of any disaster.

About the ITRC

The Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft.  Victims may contact the ITRC toll-free at 888-400-5530 or visit us online at www.idtheftcenter.org .

Contact:  media@idtheftcenter.org