Data Breaches Have Surpassed Level for All of '07, Report Finds

About 90 million of the 127 million consumer records reported breached last year were attributed to TJX Companies, which operates T.J. Maxx stores. (Stephan Savoia -- Associated Press)
By Brian Krebs Staff Writer
Tuesday, August 26, 2008

More data breaches have been reported so far this year than in all of 2007, according to a report released yesterday by a nonprofit group that works to prevent fraud.

The Identity Theft Resource Center of San Diego found that 449 U.S. businesses, government agencies and universities have reported a loss or theft of consumer data this year. Last year, the center tallied 446 breaches involving 127 million consumer records. About 90 million of those records were attributed to a single retail chain, TJX, which operates T.J. Maxx stores.

Officials said they do not know whether there have been more breaches this year or if there is better reporting of the incidents.

So far this year, at least 22 million consumer records have been the target of data breaches, according to the report. But resource center founder Linda Foley cautioned that the true number of records affected is likely far higher, noting that in 41 percent of the cases the number of consumer records affected was not disclosed. What's more, Foley said, many businesses are not reporting data breaches or are not aware of them.

In addition, she said, a single breach report often involves data belonging to multiple businesses.

In April, software vendor SunGard Higher Education disclosed that a lost laptop exposed the names, Social Security numbers, birth dates and driver identification numbers of students from at least 18 colleges in Connecticut and New York. The company has not yet disclosed the full scope of the breach, but has since notified a number of schools from other states, including Maryland and Virginia, that their students also have been affected.

"We're still hearing about colleges that have been affected," Foley said.

About 44 states and the District have laws requiring entities that suffer a data loss or breach to alert affected consumers. But only three states -- Maryland, New Hampshire and Wisconsin -- routinely publish those reports online, Foley said.

According to the identity theft center, malicious attacks were the leading cause of data breaches this year. Nearly 13 percent were attributed to hacking, while customer data theft by company employees accounted for 15.6 percent. Lost laptops and other digital media containing consumer data comprised 21 percent of the breaches. Fourteen percent involved the accidental publishing or dissemination of sensitive consumer data, while breaches attributed to subcontractors made up 11 percent.

Kevin Mandia, founder of Mandiant, an Alexandria firm that helps companies investigate and respond to data breaches, said the spike in disclosures this year may be related to the recent arrest of several cyber criminals thought to be responsible for some of the most high-profile thefts of data to date.

"The number of cases referred from law enforcement in years past was much smaller," Mandia said.

Earlier this month, federal prosecutors announced indictments against 11 people alleged to have taken part in stealing more than 40 million credit- and debit-card account numbers from nine nationwide retailers, including TJX, BJ's Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Boston Market and the Dave & Buster's restaurant chain.

© 2008 The Washington Post Company