2018 Data Breaches: Click Here
2017 Data Breaches: Click Here
Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us to educate consumers and businesses on the need for understanding the value of protecting personal identifying information.
January 1, 2005 to November 30, 2018 (cumulative totals)
Number of Breaches = 9,668
Number of Records Exposed = 1,643,148,162
The ITRC Breach Report is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published monthly. Breaches on this list typically have exposed information that could potentially lead to identity theft, including Social Security numbers, financial account information, medical information, and even email addresses and passwords. ITRC follows U.S. Federal guidelines about what combination of personal information comprise a unique individual, and the exposure of which will constitute a data breach.
What is a breach? The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, Driver’s License number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of compromised records included in the cumulative total.
There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents detailed information about data exposure events along with running totals for a specific year. Breaches are broken down into five categories, as follows: business, financial/credit/financial, educational, governmental/military and medical/healthcare. The ITRC Breach Stats Report provides a summary of this information by category. Other more detailed reports may be generated on a quarterly basis or as dictated by trends.
It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of additional sub-categories by what happened and what information (data) was exposed. What they all have in common is they usually contain personal identifying information (PII) in a format easily read by thieves, in other words, not encrypted.
The ITRC currently tracks seven categories of data loss methods:
● Insider Theft ● Hacking / Computer Intrusion ( includes Phishing, Ransomware/Malware and Skimming) ● Data on the Move ● Physical Theft ● Employee Error / Negligence / Improper Disposal / Lost ● Accidental Web/Internet Exposure ● Unauthorized Access
Please note that the Subcontractor/Third Party/BA category is no longer identified as a “method” for a breach but is coupled with one of the types of the breaches above.
The ITRC currently tracks various types of information compromised:
● Social Security number ● Credit/Debit Card number ● Email/Password/User Name ● Protected Health Information (PHI)
● Driver’s License ● Financial Accounts ● Other/Undefined type of records
ITRC has been tracking and compiling statistics on data breaches since 2005. Our findings are reported below or you can view the multi-year chart:
|2016 Data Breaches||2012 Data Breaches||2008 Data Breaches|
|2015 Data Breaches||2011 Data Breaches||2007 Data Breaches|
|2014 Data Breaches||2010 Data Breaches||2006 Data Breaches|
|2013 Data Breaches||2009 Data Breaches||2005 Data Breaches|
Regarding the rules of inclusion, the ITRC has given a considerable amount of thought to the development of the criteria used when assessing breaches and the integrity of its sources. For example, breaches that occurred in any given year or a previous year are included in the year in which the breach was publicized. Each selected incident is required to have been reported to a state Attorney General’s office or published by a credible media source, such as TV, radio, press, etc. The item will not be included at all if ITRC is not certain that the source is real and credible. Larger breaches often have multiple attributions, and we usually cite more than one source.
We include, in each reported data breach item, a link or source of the article, and the information presented by that article. Many times, we have attributions from a multitude of media sources and outlets. ITRC adheres to the facts as reported, and does not alter the previously published information. We always attempt to provide live links back to the original article, but these remain good only as long as the source retains the article at that web URL.
As an authority on data breach exposures, the ITRC is frequently asked if there are more security breaches now than ever before. This question is hard to answer. More companies are revealing that they have had a data breach, either due to laws or public pressure. It is the opinion of the ITRC that the criminal population is stealing more data from companies, AND data breaches are being more frequently publicized. ITRC is also aware that many breaches go unreported, and as a result of we are certain that our ITRC Breach List under-reports the problem. One thing we can say with certainty is that this is NOT a new problem.
Other websites and resources for data breaches include:
Questions about the Identity Theft Resource Center’s Data Breach reporting? Email us at email@example.com