Identity theft breaches on the increase
According to a report from the Identity Theft Resource Center in San Diego, the number of publicly disclosed data breaches in the USA this year has already reached 449. By comparison, there were "only" 446 such incidents in the whole of 2007. It is thought that the records of 127 million customers were affected by these security breaches last year. 90 million of these can be laid at the door of the TJX retail chain and its T.J. Maxx discount stores. So far this year, the number of consumer records lost is believed to be at least 22 million. The true number may well be much higher, however, as in 41 per cent of cases the number of consumer records affected was not disclosed.
The identity theft experts from California view the disclosed information as just the tip of the iceberg. An article in the Washington Post says that around 44 states have laws requiring entities that suffer a data loss or breach to alert affected consumers. But only three states – Maryland, New Hampshire and Wisconsin – routinely publish those reports online. What is more, many companies or public agencies are not even aware that their databases have been breached, or if they are, they do not report it.
"The number of attacks, in addition to publicly disclosed breaches, continues to escalate as criminal networks mushroom around the world, while economies weaken," said Avivah Litan, Vice President and Distinguished Analyst, Gartner Inc. "A more concerted effort is required among companies to secure and protect customer data, regardless of regulatory oversight." In the last few weeks, the US Secret Service announced the investigation of a cybercrime group that may have hacked tens of thousands of credit and debit card accounts from Louisiana and Mississippi restaurants this year, allegedly leading to over $1M in losses for the banks that issued them. In early August, the US Attorney General’s office announced the indictments of 11 defendants who tapped the computer networks of a number of US retailers and came away with $40M worth of highly sensitive account details.
The Identity Theft Resource Center attributes nearly 13 per cent of data breaches to hacking, with customer data theft by company employees accounting for 15.6 per cent. Lost laptops and other digital media containing consumer data were responsible for 21 per cent of the breaches. 14 per cent involved the accidental publishing or dissemination of sensitive consumer data, while breaches attributed to subcontractors made up 11 per cent.
Earlier this year, the media reported that UK government departments had lost the personal data of four million people. The BBC has extracted this total from the various annual reports published by the individual departments since the beginning of the year. The total is believed to include the loss of 25 million claims for child benefit on two unencrypted disks, because the number of people affected was much lower than the number of claims. At the beginning of last week, the Ministry of Justice admitted that it had lost the records of 45,000 people over the past year. Later in the week the Home Office announced that it had lost a USB stick containing ten thousand items of data on prisoners.
In Germany meanwhile, an unwelcome sales call from a furniture store caused an indignant consumer to trace how often his data, including address and phone number, had been traded. He traced the route taken by the data from the Deutsche Post through multiple intermediaries all the way to the Principality of Liechtenstein. While most of these companies recommended joining an opt-out list, such as the Mailing Preference Service and Telephone Preference Service, to block one's address for marketing purposes, one company, Schaedler Software, remarked that "we have looked on the internet again today and found your address – and telephone number – to be 'in the public domain'. The address is also currently available on several freely available telephone and information CDs. We cannot therefore exclude the possibility that your details have 'found their way' into other databases." The Liechtenstein-based data company itself claims to have filed the details under "out of date", presumably in a category called "multiple instances on the internet".
The aggrieved consumer complained that he had never released his data "for marketing purposes". His phone number and address appear to have been taken from the phone book or its digital equivalent.