The Identity Theft Resource Center says the 662 data breaches reported in 2010 understate the true count, and that mandatory reporting is needed before consumers can protect themselves.
There were 662 reported data breaches in 2010, of which most involved thefts of Social Security data, according to a report from the Identity Theft Resource Center.
The actual number is considerably higher because current regulations in the United States don't require all data breaches to be disclosed, the group said. "Other than breaches reported by the media and a few progressive state Websites, there is little or no information available on many data breach events," said the ITRC.
While many organizations disclosed exactly how many customers or records were compromised, many others said nothing at all. The report found that only half of the reported data breaches included information about the number of records compromised, totaling 16.1 million records. While that is a staggering amount of data, the fact that it reflects only half of the breaches, and that the number of records does not equal the number of people affected, underscores an "ingrained inaccuracy" in breach reporting, the ITRC said.
Honda reported a data breach on Dec. 28 affecting 2.2 million customers but didn't disclose the total number of records compromised. Thieves stole customer names, e-mail addresses and vehicle identification numbers from an e-mail marketing provider Honda partnered with, but the full magnitude of the breach is still unknown at this point.
Without a "mandatory national reporting requirement," many data breaches will continue to be "unreported, or under-reported," the group said.
The numbers have fluctuated over the years: there were 498 breaches reported in the United States in 2009, compared with 657 reported in 2008 and 446 incidents in 2007. The group estimated that more than 222 million records were compromised in 2009.
In a majority of the data breaches, about 62 percent of reported incidents, Social Security numbers were stolen, according to the report. By contrast, credit card and debit card details were stolen in 26 percent of the reported incidents.
While mandatory reporting has been helpful in learning about medical data breaches, the Department of Health and Human Services neglected to provide information about the types of records that were compromised, the report said. Of the 214 medical data breaches, "the public has no way" of knowing whether names or Social Security numbers were included in the exposed data, the ITRC said.
Malicious theft still accounts for more data breaches than mere human error, the report found. About 17 percent of the data breaches were the result of someone hacking the systems, with insider thefts close behind at 15 percent. A fraud report by London-based consultancy Kroll recently said information theft is most likely to be an "inside job," with junior employees as well as senior management the most common perpetrators.
Paper breaches accounted for nearly a fifth of known breaches, but for about 38 percent of incidents it was not clear how the thieves accessed the data, according to the report.
"Breaches happen," the ITRC wrote, but the government and the business community "need to stop acting like ostriches with their heads in the sand" by refusing to publicize the breaches. It's also "not acceptable" to decide whether or not to notify the public based on the company's own concept of "risk of harm," as thieves can continue using the stolen data months after the original exposure, the authors said.
Several states have mandated reporting of all breaches, but each state's law applies only when that state's residents are affected. In 2010, New Hampshire listed 96 breaches and Maryland had 160, the report found.
The sightseeing firm CitySights NY reported on Dec. 9 a database breach that compromised credit card numbers belonging to 110,000 customers. However, it was required only to notify the attorneys general in Massachusetts and New Hampshire, because 2,150 of the affected customers were residents of those two states, which mandate reporting. While TwinAmerica, the parent company, is investigating the breach, there is no other information available about the other affected customers.
About 29 percent of the total breaches were publicized because of the "mandatory reporting" rules in some states, the report said. "Mandatory reporting is on the horizon. It will be demanded either by consumer lobbying or legislation," the group said.