First, the bad news: Data breaches continue unabated at U.S. corporations, governments and universities, already surpassing last year’s record 446 breaches, according to the Identity Theft Resource Center. Through the end of September, the total number of data breaches recorded by the ITRC was 516, averaging 57 breaches a month.
Now, the even worse news: The numbers are underreported.
According to the ITRC, subcontractor breaches, which affect multiple businesses, are listed as a single event. As for the number of individuals affected by the breaches, it’s anyone’s guess. ITRC’s current report reveals that 58.2 percent of breach events published the number of records involved, but that 41.9 percent of those having data exposures did not disclose the number of records potentially exposed.
Nevertheless, among those reporting both a breach and the number of people affected, roughly 30 million records have been exposed through the first three quarters of 2008.
As the ITRC states, “It is difficult to draw conclusions from the number of records exposed since we don’t know the number of records involved in almost 42 percent of the breaches.”
The San Diego-based, non-profit ITRC tracks breaches in five categories. Businesses led in breaches for the second consecutive year, accounting for 36.4 percent of all U.S. breaches. Following enterprise breaches were educational (21.3 percent), government/military (15.7 percent), health and medical (15.1 percent) and the financial industry (11.4 percent).
For businesses, 2008 represents the third consecutive year of data breach increases, jumping from 28.9 percent in 2007 and 21 percent in 2006. Colleges and universities, on the other hand, are on pace to reduce breaches for the third consecutive year after accounting for 28 percent in 2006 and 24.8 percent in 2007.
Government and military data breaches also declined for the third year in a row, dropping from a 2006 mark of 30 percent and a 2007 record of 24.6 percent.
ITRC further categorizes breaches into five scenarios: insider theft, mobile, subcontractor, outside hacking and accidental exposure. Mobile data losses through laptops, thumb drives and PDAs have accounted for the largest number of breaches both in 2008 (20.3 percent) and 2007 (27.8 percent).