Source: Identity Theft Resource Center
Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, according to the non-profit Identity Theft Resource Center (ITRC).
This is more than double the first quarter in 2007 (76 breaches).
This first quarter breach report is derived from the ITRC's breach database, designed specifically to quantify and track data breach incidents. Reported breaches from January 1 through March 31, 2008 potentially affect more than 8 million Americans, compared to the 54 million people reported in 2007, a number skewed by the TJX breach and "unknown or not disclosed" affected records. For this reason, ITRC looks more closely at the number of breaches rather than the number of records potentially exposed. Since 2005, the ITRC has recorded 1,083 breaches.
The 2008 ITRC Breach Report, as of 3/31/2008, reflects 167 reported breaches, more than 1/3 of the total number of breaches for calendar 2007. ITRC also categorizes these breaches into the following areas: Business (35.9%); Educational (25.2%); Government/Military (18%); Medical/Healthcare (13.8%); and Banking/Credit/Financial (7.2%). These 2008 Breach Reports are available on the ITRC website:
ITRC will also provide comparison information from previous years. In 2008, ITRC monitored paper vs electronic breaches, and insider theft vs data on the move. For this information, please contact the ITRC.
"What sets this breach list apart from others is the ITRC's assessment and evaluation of the potential risk to the personal identifying information," said Linda Foley, founder of the Identity Theft Resource Center. "Updated on a weekly basis, this breach list can be used as a reference by anyone to comprehend the depth and breadth of data loss. All sources of information are qualified before being listed on the report."
Jay Foley, ITRC Executive Director adds, "It is ITRC's philosophical belief that any breach is one too many breaches. It is with this concept in mind that ITRC continues to urge governmental entities and corporations into taking proactive measures to minimize their risk of a breach rather than dealing with the consequences of a breach after the fact."
In the digital age, the compromising of information continues to grow at an alarming rate. It is important to note, however, that while there may be more breaches being reported, ITRC believes it is premature to draw the conclusion that more breaches are occurring. The increase in number may be due to state mandatory reporting laws, corporate integrity or the fear of media exposure. Part of the increase may also have been due to legislation but ITRC does not advocate only legislative solutions. Many of the best proactive information handling protocols are coming from industry groups, often dictating higher standards than may be imposed by legislation.
What is clear is that those receiving breach notification letters are often being given incorrect directions or not enough information, based on a study by ITRC experts of more than 150 breach notification letters. This failure to accurately communicate with potentially affected populations is driving people away from on-line banking, e-commerce and creating a distrust of any entity that requests personal information such as Social Security number, dates of birth, medical insurance numbers and financial account numbers.
Introducing the Identity Theft Resource Center "Breach Response
The Identity Theft Resource Center (R), nationally recognized for its expertise on identity theft, has consistently held the view that both consumers and businesses are the dual victims of identity theft. As part of its outreach program to companies and governmental agencies, ITRC now provides Breach Response Services including recommendations for notification letters, first responder call center training, website FAQs, and assistance in establishing clear communications by the breached entity. These measures lead to improved public relations. The purchase of consumer products is NOT a pre- requisite for ITRC breach response services.