We Did It!
Google Revises Its Behavioral Advertising Opt-out For Consumers

By The Numbers: Not A Good Year For Data Breaches

Are there more or less data breaches this year?

To answer this, I downloaded and analyzed the data breach records published by the Privacy Rights Clearinghouse, Since 2005 data breaches have exposed about 234 million records with sensitive consumer personal information (e.g., Social Security Numbers, etc.). For perspective, the U.S. Census Bureau reported the U.S. resident population at 299 million in 2006.

Data breaches occur in all industries: corporations, colleges and universities, hospitals, federal agencies, and state or local governments. This breach activity includes sensitive personal data accidentally released to the public, lost, hacked, or stolen. Some records cover the same individual multiple times.

But what are the latest trends?

In 2007, there were about 329 data breach events, which exposed about 116 million records. In my opinion, both of those numbers are low, since the companies in about 26% of the breach events do not disclose the number of consumers affected or records lost/stolen. So, 329 breaches with 116 million records exposed is the best case or most optimistic scenario.

Through July of 2008, there have been 209 data breach events with about 21.7 million records exposed. If that trend continues, the year-end 2008 totals would be about 358 data breach events... about 9% higher than 2007. If that trend continues, the estimated year-end number of records exposed, lost or stolen would be about 37.2 million, far lower than 2007.

If that seems like good news, it isn't. First, the number of data breach events is still going up; at just under a 9% percent annual increase. You'd think that companies and federal agencies would have learned by now to implement better data security measures. Sadly, this doesn't seem so, especially since the FTC is conducting data security workshops for small business.

Also, the number of records exposed during a breach event varies widely. Remember, the 2007 total of records exposed included about 94 million records from one breach event: the TJX Cos. /T.J. Maxx breach. So, all it would take is another large breach to easily match or exceed last year's total. Remember, that all of the details haven't come out yet about the ID-theft ring arrested recently. This ID-theft ring alone may be responsible for more than 41 million stolen credit cards... not included in the above July month-to-date total.

What troubles me, the percent of breach events where the company refuses to disclose the number of consumers affected or records exposed, has remained constant at about 26%. Here's a list of some of the companies that refused to disclose the number of records lost or stolen in 2008:

  • January 5: New Mexico State University (Las Cruces, NM)
  • January 7: Sears ManageMyHome.com (Cook County, IL)
  • January 16: University of Wisconsin at Madison (Madison, WI)
  • January 23: Baylor University (Waco, TX)
  • January 24: OmniAmerican Bank (Ft. Worth, TX)
  • February 10: Administrative Systems, Inc (Seattle, WA)
  • February 15: Lexmark International (Lexington, KY)
  • February 18: First Magnus Financial (Ft. Lauderdale, FL)
  • March 10: Texas Department of Health and Human Services (Austin)
  • March 15: Sterling Insurance and Associates (Aspen, CO)
  • March 29: Georgia Department of Human Resources (Atlanta)
  • April 14: Utah Department of Workforce Services (Salt lake City)
  • April 15: First Federal Bank of California (Los Angeles, CA)
  • April 15: Fiserv, Inc. (Brookfield, WI)
  • April 20: Helping Homeless Veterans and Families Hoosier Veterans Foundation (Indianapolis, IN)
  • April 22: University of Massachusetts (Boston, MA)
  • April 24: Harmony Information Systems (Madison, WI)
  • June 4: AT&T (San Antonio, TX)
  • June 10: First Source bank (South Bend, IN)
  • June 15: Conn. Department of Administrative Services (Hartford)
  • June 18: Domino's Pizza (Tucson, AZ)
  • June 19: Petroleum Wholesale (Houston, TX)
  • June 19: CitiBank (NY, NY)
  • June 23: bank Atlantic (Tampa Bay, FL)
  • July 9: Wichita Radiological Group (Wichita, KS)
  • July 29: Anheuser-Busch (St. Louis, MO)

What don't these companies understand about honest and transparent communications?

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Dataminers Stink

Data breach? Or just plain DATA MARKETING, for many of these companies? Despite responding to the relentless Privacy Notifications that companies now pelt us with, those same corporations are frequently selling our info behind our backs, against our stated wishes. This is a DATA BREACH of the worst kind: Not only is our private data breached, but we ourselves, as good-faith customers, are VIOLATED and EXPLOITED.

What is it about the term "YOUR INFORMATION" that these data-mining companies do not understand?! "MY INFORMATION" means it is MINE--I get to decide what happens with it, not some legalese mumbo-jumbo Privacy Policy that the corps fail to adhere to anyway, even after we jump through their hoops to try to protect our privacy.

We're sick and tired of credit card companies, insurance companies, telephone companies, banks, lenders, DMV, SSA, and so on, GIVING OUT OUR PRIVATE DATA, with no real PUNISHMENT! What good is a few months' of credit monitoring or a class action lawsuit that MIGHT provide a small cash settlement?!

The DAMAGES done by violating people's privacy far outweigh any of these slap-wrist solutions when these privacy violators do get caught and have to "pay." For those who have worked HARD all their lives to be private and avoid harassment or stalking, these kinds of relentless privacy violations create havoc, destroy peace of mind, cause disruptions in their lives and sometimes put them at risk of physical harm--and it is high time that the government start TRULY PUNISHING the dataminers and others who are harvesting and disseminating our private info without our knowledge and without our permission. (Unfortunately, all too often, it is the GOVERNMENT/Feds who are the biggest client of these datamining outfits and data-breaching companies!)

WHERE can we begin to protest this ongoing violation of our privacy rights? Consumers need to become more vocal and protest the privacy violations and data-breaching that is going on in USA.

In the meantime, those who feel upset by this ongoing trashing of privacy in America should start to "vote" by closing their accounts with all agencies who indulge in this dirty business of datamining and selling our private info. It's time to get tough!

George

Dataminers Stink raised some very valid concerns in his post above. Also, the Bush Administration would like to make permanent the expanded surveillance powers it has grabbed for, to spy on citizens without reasonable suspicion or probable cause. Read:

http://www.nytimes.com/2008/08/21/washington/21fbi.html

Moreover... the more data collected, the more data that can be abused after a data breach. Ask your Congressional representatives what the government is doing to protect the data it colects.

George
http://ivebeenmugged.typepad.com

The comments to this entry are closed.