Data Breaches Up Almost 50 Percent, Affecting Records of 35.7 Million People

By Brian Krebs Staff Writer
Tuesday, January 6, 2009

Businesses, governments and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans, according to a nonprofit group that works to prevent identity fraud.

Identity Theft Resource Center of San Diego is set to announce today that some 656 breaches were reported in 2008, up from 446 in the previous year. Nearly 37 percent of the breaches occurred at businesses, while schools accounted for roughly 20 percent of the reported incidents.

The center also found that the percentage of breaches attributed to data theft from current and former employees more than doubled from 7 percent in 2007 to nearly 16 percent in 2008.

"This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders," said Linda Foley, the center's co-founder. "As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent."

Amir Orad, chief marketing officer for Actimize, a fraud prevention company in New York, said he has seen increased interest from an array of organizations, particularly banks, looking for technology to help them detect the potential threat from employees.

"We recently had a mid-sized institution in the U.S. that wanted to do a test of technology to help them monitor employee activities, and that ended up with two employees being arrested. That's the type of outcome we did not see two years ago," Orad said. "I'm certain that some of the broad industry interest in this threat is the result of greater awareness of the problem and an active investment in catching bad guys, but I'm also sure that some of the incidents are the result of employees feeling the pinch from the recession."

The largest single cause of data breaches came from human error, the center found. Lost or stolen laptops and other removable electronic devices, along with the accidental exposure of consumer data -- such as the inadvertent posting of personal data online -- were named as the cause for more than 35 percent of reported incidents.

Computer hacking and software that steals data were blamed for nearly 14 percent of breaches.

Foley said annual statistics mask the extent of the problem; many businesses fail to report data breaches. While 45 states require that consumers be notified of any loss or theft of private records, there are multiple notification exceptions that vary by state.

What's more, Foley said, nearly 42 percent of organizations that disclosed a data breach or loss last year did not divulge the number of consumer records that might have been jeopardized.

© 2009 The Washington Post Company