Are there more or less data breaches this year?
To answer this, I downloaded and analyzed the data breach records published by the Privacy Rights Clearinghouse. Since 2005, data breaches have exposed about 234 million records containing sensitive consumer personal information (e.g., Social Security numbers). For perspective, the U.S. Census Bureau reported the U.S. resident population at 299 million in 2006.
Data breaches occur in all industries: corporations, colleges and universities, hospitals, federal agencies, and state or local governments. This breach activity includes sensitive personal data accidentally released to the public, lost, hacked, or stolen. Some records cover the same individual multiple times.
But what are the latest trends?
In 2007, there were about 329 data breach events, which exposed about 116 million records. In my opinion, both of those numbers are low, since in about 26% of the breach events the company did not disclose the number of consumers affected or records lost/stolen. So, 329 breaches with 116 million records exposed is the best case, or most optimistic, scenario.
Through July of 2008, there have been 209 data breach events with about 21.7 million records exposed. If that pace continues, the year-end 2008 totals would be about 358 data breach events, about 9% higher than 2007, and about 37.2 million records exposed, lost or stolen, far lower than 2007.
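As an added illustration of the arithmetic behind the figures above (example code written for this page, not the Privacy Rights Clearinghouse's data or tooling), the Python below parses a small constructed CSV in the shape of a breach chronology, treats undisclosed record counts as zero so the records total is a floor, and projects year-to-date counts to a full year with the same straight-line extrapolation the post uses. The organization names, dates and counts in the sample rows are made up; only the 209 / 329 / 21.7 million figures fed to `annualize` at the bottom come from the post.

```python
"""Breach-chronology summary: events, records exposed, undisclosed share, and a
straight-line year-end projection. Illustration for this post; the CSV rows below
are constructed and are not actual Privacy Rights Clearinghouse entries."""
import csv
import io
from datetime import date

# Constructed sample export. A blank or "Unknown" record count means the
# organization did not disclose how many records were exposed.
SAMPLE_CSV = """date,organization,records
2007-12-01,Example Org Prior Year,99
2008-01-05,Example University A,
2008-01-24,Example Bank B,1200
2008-02-15,Example Corp C,45000
2008-03-10,Example Agency D,Unknown
2008-04-15,Example Bank E,800
2008-05-02,Example Retailer F,3000000
2008-06-19,Example Bank G,500
2008-07-29,Example Brewer H,2500
"""


def parse_breaches(csv_text):
    """Return a list of (date, organization, records_or_None) tuples.
    Any non-numeric record count is treated as undisclosed (None)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row["records"] or "").strip()
        records = int(raw) if raw.isdigit() else None
        rows.append((date.fromisoformat(row["date"].strip()),
                     row["organization"].strip(), records))
    return rows


def annualize(value, months_elapsed):
    """Straight-line projection of a year-to-date value to 12 months."""
    if not 1 <= months_elapsed <= 12:
        raise ValueError("months_elapsed must be between 1 and 12")
    return value * 12 / months_elapsed


def summarize(breaches, year, through_month):
    """Year-to-date event count, records floor, undisclosed share and projections."""
    ytd = [b for b in breaches if b[0].year == year and b[0].month <= through_month]
    events = len(ytd)
    undisclosed = sum(1 for b in ytd if b[2] is None)
    # Undisclosed counts add zero, so the sum is a lower bound (the "best case").
    records = sum(b[2] for b in ytd if b[2] is not None)
    return {
        "events": events,
        "records_exposed_floor": records,
        "undisclosed": undisclosed,
        "undisclosed_share": undisclosed / events if events else 0.0,
        "projected_events": annualize(events, through_month),
        "projected_records_floor": annualize(records, through_month),
    }


def year_over_year_change(projected, prior_year_total):
    """Fractional change of a projected year-end figure against the prior year."""
    return (projected - prior_year_total) / prior_year_total


def undisclosed_organizations(breaches, year):
    """Organizations in `year` whose breach entry carries no record count."""
    return [b[1] for b in breaches if b[0].year == year and b[2] is None]


if __name__ == "__main__":
    data = parse_breaches(SAMPLE_CSV)
    for key, val in summarize(data, 2008, 7).items():
        print(f"{key:>24}: {val:,.2f}" if isinstance(val, float) else f"{key:>24}: {val:,}")
    print("undisclosed in 2008:", undisclosed_organizations(data, 2008))
    # The post's own through-July figures run through the same projection:
    print("projected 2008 events:", round(annualize(209, 7)))           # 358
    print("change vs. 2007:", f"{year_over_year_change(annualize(209, 7), 329):+.1%}")
    print("projected 2008 records (millions):", round(annualize(21.7, 7), 1))  # 37.2
```

Because undisclosed counts contribute nothing to the records total, every figure derived from it (the year-to-date sum and its projection) is a floor, which is the point the post makes about the 26% of events with no disclosed count.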
If that seems like good news, it isn't. First, the number of data breach events is still going up, at just under a 9% annual increase. You'd think that companies and federal agencies would have learned by now to implement better data security measures. Sadly, this doesn't seem so, especially since the FTC is conducting data security workshops for small businesses.
Also, the number of records exposed during a breach event varies widely. Remember, the 2007 total of records exposed included about 94 million records from one breach event: the TJX Cos./T.J. Maxx breach. So, all it would take is another large breach to easily match or exceed last year's total. Remember that not all of the details have come out yet about the ID-theft ring arrested recently. This ID-theft ring alone may be responsible for more than 41 million stolen credit cards, which are not included in the through-July 2008 total above.
What troubles me is that the share of breach events where the company refuses to disclose the number of consumers affected or records exposed has held constant at about 26%. Here's a list of some of the companies that refused to disclose the number of records lost or stolen in 2008:
- January 5: New Mexico State University (Las Cruces, NM)
- January 7: Sears ManageMyHome.com (Cook County, IL)
- January 16: University of Wisconsin at Madison (Madison, WI)
- January 23: Baylor University (Waco, TX)
- January 24: OmniAmerican Bank (Ft. Worth, TX)
- February 10: Administrative Systems, Inc. (Seattle, WA)
- February 15: Lexmark International (Lexington, KY)
- February 18: First Magnus Financial (Ft. Lauderdale, FL)
- March 10: Texas Department of Health and Human Services (Austin)
- March 15: Sterling Insurance and Associates (Aspen, CO)
- March 29: Georgia Department of Human Resources (Atlanta)
- April 14: Utah Department of Workforce Services (Salt Lake City)
- April 15: First Federal Bank of California (Los Angeles, CA)
- April 15: Fiserv, Inc. (Brookfield, WI)
- April 20: Helping Homeless Veterans and Families Hoosier Veterans Foundation (Indianapolis, IN)
- April 22: University of Massachusetts (Boston, MA)
- April 24: Harmony Information Systems (Madison, WI)
- June 4: AT&T (San Antonio, TX)
- June 10: First Source Bank (South Bend, IN)
- June 15: Conn. Department of Administrative Services (Hartford)
- June 18: Domino's Pizza (Tucson, AZ)
- June 19: Petroleum Wholesale (Houston, TX)
- June 19: Citibank (NY, NY)
- June 23: BankAtlantic (Tampa Bay, FL)
- July 9: Wichita Radiological Group (Wichita, KS)
- July 29: Anheuser-Busch (St. Louis, MO)
What don't these companies understand about honest and transparent communications?