Digital Transactions Authoritative, insightful and timely information for payments professionals
The number of credit and debit cards compromised in data breaches hit 64.4 million in 2014, up 38% from 46.6 million in 2013, according to preliminary figures from the Identity Theft Resource Center, a San Diego-based non-profit that tracks breaches. Some 133 of 2014’s breaches involved payment cards, up 39% from 96 breaches in the prior year.
For both years, a single retailer breach dominated the tallies. The Home Depot Inc. confirmed in September that 56 million payment cards had been compromised after malware was placed on its point-of-sale systems. Minneapolis-based Target Corp. said 40 million cards were exposed in the breach that it confirmed in December 2013.
Karen Barney, program director at the ITRC, tells Digital Transactions News that the total number of 2014’s data breaches tracked by her organization as of Dec. 30 was 764, up 24% from 614 in 2013. Some 83.2 million consumer records, including cards, have been compromised this year, an increase of 34% from 62 million in 2013.
One reason the total number of publicly known breaches is increasing is that more compromises at hospitals and doctor’s offices are becoming known thanks to more-stringent reporting requirements from the federal Department of Health and Human Services, according to Barney. More than 40% of 2014’s breaches involved medical providers, she says.
Barney declines to speculate about the causes of 2014’s big increase in card-related breaches. “There are just way too many variables,” she says. “They can be anything.”
The ITRC monitors data-breach sources and methodologies, such as computer hacking, criminal acts by employees, and other tactics, but it hasn’t yet fully examined 2014’s numbers. Malware planted on POS systems, however, was a common source of breaches affecting retailers, including Target’s in addition to Home Depot’s. Hacking accounted for 29% of 2014’s known breaches and compromised more than 60 million records, including payment cards. Subcontractors were involved in fewer than 5% of data breaches.
The ITRC also breaks down breached organizations by type, placing retailers among its “businesses” category. Businesses accounted for 33% of 2014’s breaches and 79% of records compromised. Banks, credit providers and other financial institutions represented 5.5% of breached entities but only 1.4% of records compromised. Several retailer groups and the Independent Community Bankers of America, a small-bank trade group, are engaged in a war of words over who’s responsible for the recent rash of data breaches.
Most of the information the ITRC uses comes from states with breach disclosure laws as well as media reports. Tracking breaches is an inexact science—Barney says 37% of 2014’s known breaches do not have publicly reported figures about the numbers of records compromised.
Data breaches were continually in the news over the past year not only because of Target’s hack as the year began, but also because they just kept on coming, prompting Congress to hold a series of hearings probing weaknesses in data security. Retailer breaches affected upscale department store Neiman Marcus, 1.1 million cards compromised; crafts chain Michaels and its Aaron Brothers affiliate, 3 million cards; office products retailer Staples, 1.2 million; Goodwill Industries, with an estimated 868,000 card numbers exposed, and more. By the time Home Depot’s breach came along, the consumer reaction seemed muted and some observers began speaking of “breach fatigue” even though the home-improvement retailer’s breach was bigger than Target’s.
