Data Breaches Are Up 69% This Year, Nonprofit Says

By Brian Krebs, Staff Writer
Tuesday, July 1, 2008

Businesses, governments and universities reported a 69 percent increase in data breaches in the first half of 2008 compared with a similar period in 2007, according to a study by a nonprofit group that works to prevent fraud.

The Identity Theft Resource Center in San Diego tracked 342 data breach reports from Jan. 1 to June 27. More than one-third of the reports came from businesses, a 27 percent increase over business breaches for all of 2007.

The center found that data breaches among health-care providers and banks also increased. They now account for 15 percent and 10 percent of the breaches, respectively. Breaches from educational institutions, government entities and the military declined for the third year in a row, the center found.

Yet Linda Foley, the center's co-founder, said it is difficult to say whether the numbers show an increase in breaches, an increase in reporting, or both. She said better state laws on data breach notification also might be encouraging more companies to audit their own security measures.

"Part of this may be that organizations are finding out about more breaches because they're really starting to look for them," Foley said. "The other part is that companies are coming forward because they want to control the flow and spin of the disclosure."

Hacking was the least-cited cause of data breaches in the first six months of this year. Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the center found. The inadvertent posting of personal and financial data online prompted roughly 15 percent.

Although the share of breaches from laptops and other mobile media fell nearly 8 percentage points from last year, breaches caused by information stolen by someone inside the company increased from 6 percent in all of 2007 to nearly 16 percent so far this year. An additional 13.5 percent of breaches came from subcontractors who lost or stole their clients' customer data.

The breaches studied this year involved almost 17 million consumer records. Foley said the true number of records jeopardized by those breaches is probably far higher. In nearly 40 percent of the breaches, the companies have not disclosed how many consumer records were lost or stolen.

Some 44 states and the District now have laws requiring companies and organizations that experience a data loss or breach to alert affected consumers.

But Foley said that just three states -- Maryland, New Hampshire and Wisconsin -- require reporting to state officials and routinely publish that information online.

Notices filed within those three states have in many cases amounted to the first public disclosure of data breaches, but they also expose the gaps in the disclosure laws, Foley said.

On June 9, the United Transportation Union Insurance Association notified the Maryland attorney general that the loss of an employee laptop jeopardized the names and Social Security numbers of 394 Maryland residents. The group hasn't previously disclosed how many records nationwide were affected by the breach, but spokesman Frank Wilner estimated that the number exceeds 30,000.

Wilner said his organization would support one of several bills before Congress designed to create a federal breach notification law that would standardize state requirements and potentially centralize reporting of breaches.

"We had to put our law department to work for three days just to figure out what to do because of the hodgepodge of state laws," Wilner said. "More time was spent researching various state laws than trying to figure out how to remedy the problem."

© 2008 The Washington Post Company