ASSOCIATED PRESS
December 31, 2007
The loss or theft of personal data such as credit-card and Social Security numbers soared to unprecedented levels in 2007, and the trend isn't expected to reverse anytime soon, as hackers stay a step ahead of security and laptops disappear with sensitive information.
And while companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of data with more sophisticated firewalls and encryption, the investment is often too little, too late.
"More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be," said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity-theft victim herself.
A growing number of states require businesses and institutions to publicly disclose data losses. Thirty-seven states and Washington, D.C., now have such requirements.
Ms. Foley's group lists more than 79 million records that were reported compromised in the U.S. alone through Dec. 18 -- almost four times the nearly 20 million records reported in all of 2006.
Another group, Attrition.org, estimates that more than 162 million records were compromised through Dec. 21 -- both in the U.S. and overseas. Attrition reported 49 million last year.
"It's just the nature of business, that moving forward, more companies are going to have more records, so there will be more records compromised each year," said Attrition's Brian Martin. "I imagine the total records compromised will steadily climb."
The biggest difference between the two groups' record-loss counts relates to the breach at TJX Cos. Attrition.org estimates that 94 million records were exposed in the theft of credit-card data at TJX, the owner of discount stores including T.J. Maxx and Marshalls.
The Identity Theft Resource Center counts about 46 million -- the number of records that TJX acknowledged in March were potentially compromised. Attrition's figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit that banks filed against TJX.
On each list, though, the TJX breach represents more than half the total records reported lost this year.
The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami -- an entry point that led the hackers to eventually break into TJX's central databases.
TJX has said that before the breach, which was revealed in January, it invested "millions of dollars on computer security, and believes our security was comparable to many major retailers."
With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. Eavesdroppers appear to be learning how to bypass security safeguards faster than ever, said Jay Tumas, the head of Harvard University's network operations, at a recent conference for information-security professionals.
"Within a year or two, these folks are catching up," Mr. Tumas said.
The two nonprofit groups' 2007 data also show rising numbers of incidents in which employees lose sensitive data, as opposed to cases of hacking.
In addition to the theft at TJX, major 2007 breaches include lost data disks with bank account numbers in Britain, a hacker attack of a U.S.-based online broker's database and a con that spilled résumé contact information from a U.S. online jobs site.
"A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost," Ms. Foley said. "This is human error, and something that's completely avoidable, as opposed to a hacker breaking into your computer system."
Attrition.org and the Identity Theft Resource Center have been keeping track of data breaches for only a handful of years, with varied and still-evolving methods of learning about breaches and estimating how many people were affected.
Despite those challenges, the two nonprofits say it is clear 2007 will end up a record year for the amount of information compromised, because of greater data loss and increased reporting of breaches.
The two groups acknowledge that many breaches may be missing from their lists, because they largely count incidents reported in news outlets that they consider credible. Media coverage has risen in part because of the growing amount of legislation.