It's a Record Year for Data Breaches

With Four Months to Go, 2008 Breaches Already Surpass 2007's

With four months to go in 2008, the number of data breaches on the Identity Theft Resource Center's (ITRC) Breach List has already passed the 446 breaches reported by ITRC for all of 2007.

Last Friday, the number of data breaches hit 449. ITRC's founder Linda Foley cautiously says this milestone is a little frightening, "knowing that we're four months ahead of last year." The real number of breaches reported may be even higher because of under-reporting and the inclusion of multiple companies under one breach.

The results that ITRC sees may be influenced by its recently granted permission to access several state attorneys general's databases on breach notification. "This access helps us to know about breaches that we (and the public at large) would not have known about otherwise," Foley says.

The ITRC's intent in making this breach information known is not to expose a company's shortcomings in information security or the mistakes leading to data breaches. "We're not taking the information to turn around and say 'Naughty Naughty' to the company that was breached," she explains. The aim is rather to help the ITRC look at more breaches over a period of years and see more of the causes and common themes of these breaches. "The more we're able to see this, we'll know what can be done to better control them," she notes.

Based on research from such groups as ID Analytics, the Ponemon Institute and Verizon, along with ITRC's own research, data breaches are divided into two types: the malicious attack and the inadvertent mistake or leak of information (poor information handling). In the case of the malicious attack, "We already know that encryption and securing your network makes a difference."

The companies that have secure networks and have encrypted individual hard drives, as well as data in motion and at rest on servers, are not being targeted.

Foley says taking this approach is good corporate decision making. "The companies that are doing this are putting a stake in the ground and are saying 'You [hacker] are not taking any more of our data.'"

It also behooves financial institutions to have written policies in place limiting access to sensitive information. While some companies, including financial institutions, may have limited access to data for staff, "There is the need to continue work," Foley says. "But if someone is taking computer files home to work on them over the weekend, do they need those social security numbers? Probably not."

The message from ITRC in light of the new milestone is: Breaches are happening, but they're not being taken seriously. "A couple of years ago we were saying there were 150 breaches, then 300, and it's ratcheting up here," Foley says. "Someone has to draw a line in the sand and say - enough is enough. When do we learn from history?"

Additional types of ITRC Breach Reports are available at:

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
