President Barack Obama last month called for a national data-breach notification law to replace the existing patchwork of state notification rules. If current trends continue, there will be plenty of breaches to report.
The number of credit and debit cards compromised in data breaches hit 64.4 million in 2014, up 38% from 46.6 million in 2013, according to preliminary figures from the Identity Theft Resource Center, a San Diego-based non-profit that tracks breaches.
Some 133 of 2014’s breaches involved payment cards, versus 96 card breaches in the prior year. Those numbers don’t include a “potential data breach” that chicken-sandwich restaurant chain Chick-fil-A confirmed it was investigating as 2015 dawned.
For both 2014 and 2013, a single retailer breach dominated the tallies. The Home Depot Inc. confirmed in September that 56 million payment cards had been compromised after malware was placed on its point-of-sale systems. Minneapolis-based Target Corp. said 40 million cards were exposed in the breach that it confirmed in December 2013.
Karen Barney, program director at the ITRC, says the total number of 2014’s data breaches tracked by her organization as of Dec. 30 was 764, up 24% from 614 in 2013. Some 83.2 million consumer records, including cards, were compromised last year, an increase of 34% from 62 million in 2013.
One reason breach disclosures are increasing is that more compromises at hospitals and doctors’ offices are becoming known thanks to more-stringent reporting requirements from the federal Department of Health and Human Services, according to Barney. More than 40% of 2014’s breaches involved medical providers, she says.
Barney declines to speculate about the causes of 2014’s big increase in card-related breaches. “There are just way too many variables,” she says. “They can be anything.”
The ITRC monitors data-breach sources and methodologies, such as computer hacking, criminal acts by employees, and other tactics. Malware planted on POS systems was a common source of breaches affecting retailers, including both Target’s and Home Depot’s.
Hacking accounted for 29% of 2014’s known breaches and compromised more than 60 million records, including payment cards. Subcontractors were involved in fewer than 5% of data breaches.
The ITRC also breaks down breached organizations by type, placing retailers in its “businesses” category. Businesses accounted for 33% of 2014’s breaches and 79% of records compromised. Banks, credit providers, and other financial institutions represented 5.5% of breached entities but only 1.4% of records compromised.
Several retailer groups, on the one hand, and the Independent Community Bankers of America, a small-bank trade group, on the other, are engaged in a war of words over who’s responsible for the recent rash of data breaches.
Most of the information the ITRC uses comes from states with breach-disclosure laws as well as media reports. Tracking breaches is an inexact science. Barney says 37% of 2014’s known breaches do not have publicly reported figures about the numbers of records compromised.
Data breaches were continually in the news over the past year not only because of Target’s hack as last year began, but also because they just kept on coming, prompting Congress to hold a series of hearings probing weaknesses in data security.
Retailer breaches affected upscale department store Neiman Marcus, 1.1 million cards compromised; crafts chain Michaels and its Aaron Brothers affiliate, 3 million cards; office-products retailer Staples, 1.2 million; Goodwill Industries, with an estimated 868,000 card numbers exposed; and more.
Far into the year, the consumer reaction to Home Depot’s massive breach seemed muted, and some observers began speaking of “breach fatigue” even though the home-improvement retailer’s breach was bigger than Target’s.
—Jim Daly