Friday, November 8, 2024

Data Breaches Stabilize in 2010, But There’s an Asterisk

At first glance, a review of the data-breach scene in 2010 shows signs of improvement, or at least stabilization, according to figures from the Identity Theft Resource Center (ITRC). Although the total number of reported breaches increased to 662 from 498 in 2009, the number of records known to have been exposed fell from 223.1 million to 16.2 million.

ITRC, a San Diego-based non-profit, sorts data about compromised payment cards and bank accounts into two of its five major categories: banking/credit/financial and business. In banking/credit/financial, the number of reported breaches slipped slightly to 54 from 57 in 2009, though the number of records exposed rose to 4.85 million from 8,364. In the business category, which includes merchants and processors that suffered payment card data breaches, reported breaches increased 34% to 279 from 208 in 2009 but the number of records exposed fell to 6.63 million from 132.4 million.

ITRC presents its data based on when data breaches are first reported, though the compromises may have occurred one or more years earlier. The 2009 records figure was inflated by the huge data breach reported in January of that year by merchant processor Heartland Payment Systems Inc., a breach that compromised an estimated 130 million debit and credit cards. Heartland accounted for 98% of the records compromised in the business category in 2009.

Some 170 of 2010’s breaches, or 26% of the total, involved credit or debit cards, and those breaches resulted in 29% of the known records compromised. Those figures represent the first time ITRC has broken out card data, according to ITRC founder Linda Foley. Also, 412 breaches, or 62%, involved Social Security numbers, representing 76% of known records.

Hacking into computer systems accounted for 17.1% of reported breaches last year. What the ITRC calls “data on the move,” the theft or loss of laptops, flash drives, CDs, and other storage devices containing unencrypted data, accounted for 16.6%. Other major methods of compromise included insider actions, 15.4%, and accidental exposure, 10.7%.

All the data come with a big asterisk, however. Many breaches come to light only because of media reporting or through mandates from the 46 states that have some form of data-breach reporting law, according to Foley, who estimates only 10% to 15% of breaches are actually reported. Plus, state laws vary in their requirements, as does the public’s access to the information states collect. Only five states, Maryland, New Hampshire, Vermont, Maine, and Wisconsin, make the data they collect “public in a meaningful way,” Foley tells Digital Transactions News. She does say that the state laws probably have shed more light on small breaches that previously went unreported.

Just 51% of publicly reported breaches indicated the number of records exposed and 38.5% did not state the manner of compromise, according to the ITRC. Foley’s solution: a strong federal data-breach reporting law.

Foley predicts cybercrime will increase in coming years, as will insider data thefts. “It’s the path of least resistance,” she says.

Asked if she thinks better technology and tighter data-protection practices spurred by the Payment Card Industry data-security standard (PCI) have had an effect, Foley says, “I hope so. The problem is that the IT person does understand. Then they have to convince the money people, the bean counters, that the investment [in security] is worthwhile. That’s where they get tripped up.”

ITRC also tracks data breaches at educational institutions, governmental bodies, and medical providers.
