The Privacy Rights Clearinghouse (PRC) says its running tally of data breaches shows nearly 94 million instances of data being exposed in less than two years of tracking such events, a veritable red flag of private information at risk.
The PRC said its tally shows the total number of records containing sensitive personal information involved in security breaches now stands at 93,754,333.
All of those instances came after the February, 2005 disclosure from ChoicePoint that apparent identity thieves had created bogus user IDs and infiltrated its database of consumer information.
The updated tally includes thousands of instances of data exposure in the past month alone, including 9,250 customer credit card numbers exposed by apparel retailer Life is Good, and hundreds of student records exposed at several colleges and universities across the country.
Meanwhile, government agencies continued to be a major source of concern for privacy advocates in the area of data security, with published reports saying that some 1,100 laptop computers belonging to the U.S. Commerce Department have gone missing since 2001, including almost 250 from the Census Bureau that could contain names, incomes and Social Security numbers.
Federal government agencies have been under fire since the Veterans Administration revealed that a laptop computer stolen from a worker’s home had put tens of millions of veterans’ information at risk.
Recent trends indicate that the causes of data thefts and losses are generally low-tech, with human error far more likely to be responsible than hacking or computer flaws, according to PRC Director Beth Givens.
“The latest trend to show up is the loss of memory sticks,” Givens said, referring to portable USB drives that are often used to transport data among various computers. “I don’t think it’s anything new that they are being lost or stolen. But they are now being reported, at least, and affected individuals are being notified.”
Hacking incidents still occur, however. In August, AT&T disclosed that 19,000 customers who had purchased DSL equipment from its online store had had their credit card numbers and other personal information revealed when hackers broke into a database.
Still, far more records have been exposed by low-tech means, such as backup tapes being lost en route to storage facilities, laptops being stolen or misplaced, and the inadvertent printing and distribution of customer names and credit card numbers, as happened to newspapers in the New York Times chain earlier this year. In early September, Circuit City said a third-party credit card service mistakenly discarded 5 computer data tapes containing information on 2.6 million past and current Circuit City credit card holders.
Consumers Growing Wary?
That so much data is being compromised in non-hacking ways may help mute the impact of such data theft on the growth of e-commerce.
“A good many of the breaches on our list are low-tech — lost or stolen laptops and memory sticks, lost backup tapes, dumpster diving — rather than hacking into e-commerce sites,” Givens said.
Still, the constant drum beat of bad news about data breaches, privacy issues and identity theft can only serve to give some people pause about their online activities, said Forrester Research analyst Carrie Johnson. The impact of such data breaches in the past may have been lost in the dramatic growth of e-commerce, but as the industry matures, it faces increasing risks from such issues, she noted.
Smaller, lesser-known sites may be more likely to feel the impact, as consumers worried about identity theft seek to minimize the number of times they give out their credit card or related data online, Johnson noted.
Meanwhile, Givens declared that the PRC’s list — which also includes instances where no personal data was at risk, though those incidents are not counted in the 93.7 million figure — is largely the result of voluntary disclosures.
Following the ChoicePoint revelation, California passed the country’s first mandatory notification law, requiring that all potentially impacted consumers be notified of data breaches. More than 20 states have followed suit, and while efforts to pass a national notification law have stalled, Givens said full notice is now considered best practice in the industry.