As is all too common, only a small minority of data lost was encrypted (less than 3%) or protected by a password (less than 9%). The ITRC lists 656 breaches in 2008, a marked increase on its 2007 report, which contained details of 446 breaches. It should be noted, however, that although organisations across the different U.S. states are, as a generalisation, obliged to report breaches of sensitive data to the relevant authorities and to their customers or affected individuals, some organisations do not reveal the number of data records affected by a breach. The number of records exposed could therefore well be much higher than 35 million.
The reported breaches have arisen in a variety of ways, from theft of laptops and hacking, to badly handled data, accidental disclosure and issues with subcontractors. The breaches involved companies from the private sector as well as public entities. Nearly a quarter of the breaches reported originated from educational institutions. However, government and military breaches have decreased by nearly 50% since 2006. Perhaps this would suggest that public bodies are starting to lead the way with improved data handling rules and procedures.
As to whether data breaches are on the increase, it is hard to tell from the report: because of public pressure or data breach laws, more and more companies are going public with breaches, making it difficult to differentiate an increase in reporting from an increase in crime. However, the ITRC commented on its website “Our sense is that two things are happening – the criminal population is stealing more data from companies and that we are hearing more about the breaches.”
The ITRC is a non-profit organization with the aim of understanding and preventing identity theft. The ITRC provides consumer and victim support as well as public awareness. The ITRC also advises governmental agencies (the U.S. Department of Justice Office for Victims of Crime is a sponsor), legislators, law enforcement, and businesses about identity theft.
For those who relish the thought of 201 pages of data breaches from companies large and small including “Big Momma’s Day Care”, “Geeks.com”, “Spicy Pickle in Portage” and “Camp Starfish”, Datonomy encourages you to click through to the 2008 Breach Report. Also, you can peruse the 2008 Breach Stats Report, which includes the percentages for each entity category (business, financial/credit, educational, governmental/military and health care).