Driven by legislation that requires the disclosure of breaches, companies and government agencies acknowledged this year that information from a record number of accounts was lost.
The exact number of records lost in 2007 is unknown, but two organizations have tracked the size of breaches reported in the media. According to Attrition.org's Data Loss database, more than 163 million records were reported lost or stolen by third parties in 2007. The Identity Theft Resource Center, which also tracks reported breaches, put the size of reported privacy losses at more than 127 million records for the year. The data lost or stolen included credit-card information, usernames and passwords, e-mail addresses, and full identity information, such as social-security number, name, address, and date of birth.
"Identity theft continues to thrive despite efforts by governmental agencies, businesses, consumer advocates and law enforcement," the ITRC said in a statement announcing its 2007 data. "As a crime of opportunity, identity thieves keep finding ways to steal, becoming more sophisticated and skilled at their craft."
Among the major reported losses, retail giant TJX Companies announced in January that online thieves had stolen at least 46.5 million records in a compromise of its systems that lasted nearly 18 months. The size of the breach reached more than 94 million, according to testimony given by Visa and Mastercard executives in August. In another major loss, the U.K.'s tax agency, HM Revenue & Customs, lost sensitive identity information of more than 25 million children and their families in November when two disks containing the data were lost in the mail.
Large breaches that garnered nationwide media attention made up the lion's share of the data reported lost in 2007. While the average number of records lost per breach topped 600,000 in Attrition.org's database, the typical breach -- calculated as the median of the data -- involved about 6,000 records. In 2006, nearly 50 million records were reported lost or stolen.
In many cases, breaches reported in 2007 involved losses or theft from previous years.
Posted by: Robert Lemos