Wednesday, July 2, 2008

Data Breaches Rising

Posted by Mark Brousseau

An interesting article from the Washington Post on the rising number of data breaches:

Data Breach Reports Up 69 Percent in 2008
By Brian Krebs


Businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69 percent increase over the same period in 2007 driven by a spike in data thefts attributed to employees and contractors, according to an analysis by identity theft experts.

The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.

Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total), government entities and the military (17 percent) declined for the third year in a row, the ITRC found.

Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent of the total). Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the ITRC found. The inadvertent posting of personal and financial data online prompted roughly 15 percent of the data breach disclosures.

While the share of breaches due to data on the move fell nearly eight percent from last year, that slack was picked up by insider theft. Data breaches due to information stolen by someone inside the company increased from just six percent of the total in 2007 to nearly 16 percent so far this year. Another 13.5 percent of breaches came from subcontractors who lost or stole their clients' customer data.

The 342 breaches the ITRC studied from this year involved almost 17 million consumer records. But ITRC founder Linda Foley said the true number of records jeopardized by those breaches is likely far higher, because in nearly 40 percent of the breaches the affected entity has not yet disclosed how many consumer records were lost or stolen.

Some 44 states and the District of Columbia now have laws requiring entities that suffer a data loss or breach to alert affected consumers (according to the ITRC, the states without data breach notification laws are Alaska, Alabama, Iowa, Kentucky, Mississippi and South Dakota). But Foley said only three states -- Maryland, New Hampshire and Wisconsin -- require reporting to state officials and routinely publish that information online.

Breach notices filed with those three states have in many cases amounted to the first public disclosure of data breaches, but they also expose the gaps in those disclosure laws, Foley said.

On June 9, for example, the United Transportation Union Insurance Association notified the Maryland Attorney General that the loss of an undisclosed number of laptops jeopardized the names and Social Security numbers of 394 Maryland residents. However, the association has not yet said how many consumer records from all states were included on the missing laptops.

On May 8, Saks Inc. notified Maryland that the theft of four laptops had resulted in the loss of the name, address and Saks Fifth Avenue credit card numbers belonging to 2,391 Maryland residents. Saks similarly told the New Hampshire Attorney General's office that the breach affected 163 of that state's residents. Saks has not yet said how many customers nationwide may have been impacted by the lost laptops.

While a data breach may be reported as a single incident, it often masks the true number of institutions affected by the incident. This is most often the case with contractor breaches, such as one first publicly reported to the Maryland Attorney General's office on June 13. That notification was sent by attorneys for technology news media outlet CNET Networks, who said they were told that computer equipment stolen from Colt Express Outsourcing Services Inc., a California company that administers benefit plans to businesses across the country, resulted in the loss of records bearing the names, dates of birth and Social Security numbers of 6,500 CNET current and former employees and dependents.

Colt officials have declined to say how many total consumer records may have been affected, but several other businesses have reported receiving notifications from Colt over the past few weeks.

"It's a little like if you see a major pileup on the freeway, there's that one car that caused the whole accident, and then there are a bunch of other innocent third parties that are affected due to the domino effect," Foley said.
