The Identity Theft Resource Center (ITRC) is a not-for-profit organization dedicated to “the understanding and prevention of identity theft”.
ITRC has been recording data breaches by category, type, and number of records accessed since 2005. Data breaches are instances when Personally Identifiable Information is unprotected and could represent an opportunity for someone to steal your identity. They even separate those data breaches across Data on the Move, Accidental Exposure, Insider Theft, Subcontractors, and Hacking, and they update their data every Tuesday. This is wonderful raw data… and, if you haven’t perused it before, quite scary.
If identity theft has happened to you or you are afraid of identity theft, you had better stop reading now.
In the first 6 months of 2009 alone there have been 268 reported breaches with 12,322,887 records exposed. Not every breach reports the number of records exposed so the actual number is probably substantially higher. Consider the following table:
| Category | # of Breaches | # of Records | % of Breaches | % of Records |
| --- | --- | --- | --- | --- |
| Medical/Healthcare | 35 | 8,656,673 | 13.1% | 70.2% |
| Government/Military | 48 | 2,929,158 | 17.9% | 23.8% |
| Educational | 39 | 420,235 | 14.6% | 3.4% |
| Business | 113 | 292,039 | 42.2% | 2.4% |
| Banking/Credit/Financial | 33 | 24,782 | 12.3% | 0.2% |
| Total | 268 | 12,322,887 | | |
The Business category has by far the highest percentage of breaches but a very low percentage of records exposed. When you examine the data in detail you discover that less than half of those breaches have “unknown” next to the number of records exposed.
Medical/Healthcare is low by percentage for breaches but highest by records exposed. This is largely due to one breach - Virginia Department of Health Professions - with over 8M records exposed. In this particular case the thieves are demanding a ransom for the data!
So how does this compare to 2008? Actually we are better off than last year. Assuming the second half of 2009 is like the first half, we’d be somewhere between 2007 and 2008. According to the ITRC:
“…2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446.”
And here are a few more interesting tidbits from ITRC for 2008:
“… only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.”
And finally a comment buried deep in their explanation for what constitutes a data breach:
“When records are encrypted, we state that we do not (at this time) consider that to be a data exposure. However, we do not consider password protection as adequate, and we do consider those events to be a data exposure.”
Is it time to resurrect Dave Kearns’ Passwords and Buggy Whips discussion?