Despite a seemingly non-stop parade of headlines about data breaches last year, the number of credit and debit card records compromised actually fell, according to new figures from the Identity Theft Resource Center. The ITRC says it identified 111 data breaches that exposed 3.38 million records in 2011.
In 2010, the first year that the ITRC broke out credit and debit cards as a separate category, some 170 breaches compromised 4.66 million payment cards. The 2011 breaches involving payment cards represented 27% of the 419 breaches tracked by the ITRC and 15% of the total 22.9 million records exposed, says program director Karen Barney.
The year 2012 is off to a dubiously fast start in data breaches with Amazon.com Inc.’s Zappos shoe and apparel subsidiary earlier this week reporting a breach involving data about 24 million customers. Hackers got access to information that included the last four digits of customers’ credit cards, but full card data were not compromised, according to Zappos.
As in previous years, the ITRC cautions that its data are incomplete because breached companies and organizations often fail to divulge any information, or only partial information, about the incidents. The group has no information about the types of records involved in 171, or 41%, of all of 2011’s breaches, Barney says.
The ITRC, a San Diego-based non-profit, gathers its information about breaches from state disclosures mandated by law, media reports, company statements, and other sources, according to Barney. In addition to payment card numbers, the types of data typically exposed in data breaches can include bank-account numbers, Social Security numbers, e-mail addresses, user names and passwords, health records and other personal information. Experts estimate that only a fraction of compromised records actually result in fraud, but when they do they can cause major headaches for consumers.
The biggest reported breach of 2011 at a merchant that involved credit and debit cards apparently was the one at restaurant wholesaler Restaurant Depot LLC, which compromised at least 200,000 payment cards. Other notable ones were at the Michaels craft-store chain, which compromised an unknown number of cards but caused the company to replace hundreds of point-of-sale terminals; and at the Lucky supermarket chain. Both the Michaels and Lucky breaches arose from skimmers placed on POS terminals that captured card data.
Banks and other financial institutions sustained 15 known breaches in 2011, 4% of the total, that compromised an estimated 365,948 records, not quite 2% of all the compromised records. Some 360,000 of those involved North American credit card accounts at Citigroup Inc., according to media reports.
Attorney Lisa Sotto, an ITRC director who heads the global privacy and information-security practice at Hunton & Williams LLP in New York City, says, “We’ve certainly seen some very sophisticated attacks” involving credit and debit cards. “The challenge is the criminals are so sophisticated and getting more so that data security is becoming a [technological] race.” Human error affects all aspects of data security, she adds, and an increasing concern is coming from what security experts call “advanced persistent threats,” or APT. That’s a fancy term for state-sponsored data thefts and related crimes.