By Mark Jewell
Wednesday, January 2, 2008
Companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of personal data such as credit card and Social Security numbers with more sophisticated firewalls and encryption, but the investment often is too little, too late.
"More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be," said Linda Foley, an identity theft victim who founded the Identity Theft Resource Center.
Foley's group lists more than 79 million records reported compromised in the United States through Dec. 18. That compares with nearly 20 million records reported in all of 2006.
Another group, Attrition.org, estimates that more than 162 million records were compromised worldwide through Dec. 21. Attrition reported 49 million last year.
"It's just the nature of business that moving forward, more companies are going to have more records, so there will be more records compromised each year," said Attrition's Brian Martin. "I imagine the total records compromised will steadily climb."
But the biggest difference between the groups' record-loss counts is Attrition.org's estimate that 94 million records were exposed in a theft of credit card data at TJX, the owner of discount stores including T.J. Maxx and Marshalls. The TJX breach accounts for more than half the total records reported lost in 2007 on both groups' lists.
With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. "Within a year or two, these folks are catching up," said Jay Tumas, the head of Harvard University's network operations.
The two nonprofit groups' 2007 data also show rising numbers of incidents in which employees lose sensitive data, as opposed to cases of hacking.
Besides TJX's problem, major 2007 breaches include lost data disks with bank account numbers in Britain, a hacker attack of a U.S.-based online broker's database and a con that spilled résumé contact information from a U.S. online jobs site.
"A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost," Foley said. "This is human error and something that's completely avoidable, as opposed to a hacker breaking into your computer system."
Attrition.org and the Identity Theft Resource Center are the only known groups maintaining databases on breaches and trends each year. They've been keeping track for only a few years, with varied and still-developing methods of learning about breaches and estimating how many people were affected.
Despite those challenges, the two nonprofit groups say it is clear that 2007 was a record year for the amount of information compromised because of greater data loss and increased reporting of breaches.
Both groups acknowledge many breaches may be missing from their lists because they largely count incidents reported in news media that they consider credible. Media coverage has risen in part because of the growing number of states requiring businesses and institutions to publicly disclose data losses. Thirty-seven states, plus the District, have such requirements.