Data Breaches Exposed More Than 35 Million Records in 2008

According to findings from the Identity Theft Resource Center, the number of reported data breaches in the United States in 2008 hit 656, nearly 50 percent more than in 2007. The organization puts the number of data records exposed at roughly 35.7 million, but concedes the actual number could be much higher.

The number of reported data breaches in the United States jumped nearly 50 percent in 2008, according to by the Identity Theft Resource Center.

All totaled, there were 656 breaches reported last year, up from 446 in 2007. While the 656 may not sound like a lot, they led to nearly 35.7 million records being exposed. More alarming, only 2.4 percent of all the data breaches had the information secured by encryption or other strong protection methods. Just 8.5 percent had the exposed data protected by passwords.

"Our sense is that two things are happening - the criminal population is stealing more data from companies and that we are hearing more about the breaches," the ITRC said in a statement. "ITRC has been tracking breaches since 2001. One thing we absolutely can say is that [data breaches are] not a new problem."

According to the study, 240 of the breaches happened in the business community. The ITRC lauded the financial sector as the most proactive group as far as data protections, as the study found the financial and credit industries accounted for only 78 of the breaches.

Data breaches happen in a variety of ways, from dramatic cases of hacking and insider theft to more mundane situations such as lost laptops. However, insider threats have risen to account for 15.7 percent of the reported breaches, more than double where it stood in 2007.

Due to the variance of breach notification laws in the United States, the numbers may only be the tip of the iceberg.

"While there were 35.7 million records potentially breaches according to the notification letters and information provided by breached entities, 41.9 percent went unreported or undisclosed, making the total number of affected records an unreliable number to use for any accurate reporting," according to the ITRC.