Digital Transactions Authoritative, insightful and timely information for payments professionals
Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, like the origins and perpetrators of so many individual data breaches, mystery also lies behind the aggregated numbers. “I'm not sure that this says breaches are increasing,” ITRC founder Linda Foley tells Digital Transactions News. “What we know is the reporting of breaches is increasing.” A handful of states now require some disclosure of data breaches to authorities, Alaska being the most recent. And some companies that have been hacked are starting to report breaches voluntarily, Foley says. While data breaches can compromise all manner of personal and business records, they often involve credit and debit card data and bank-account information. ITRC lists five major categories of breached entities, with the so-called banking/credit/financial sector accounting for 10% of 2008's breaches. Businesses, which include physical and Internet retailers, insurance companies and other private enterprises, accounted for 36.8%. Schools accounted for 21.3%; government and military facilities, 17%; and health-care facilities, 14.9%. IRTC also categorizes breaches by how they happened, such as through hackings?break-ins into computers and related systems, insider thefts, data lost in physical transit, and by other methods. The number of 2008 hackings through late June in the banking/credit/financial category was 10?double the five for all of 2007. The estimated number of records compromised as a result was 227,864. In 2007, the reported number of compromised records at financial institutions through hackings was 83,500. But Foley says not to put too much stock in the records numbers because so many breached organizations don't know or fail to report the number of compromised records when they report a breach. In the business category, the number of hacking-related breaches on record so far is 18 compared with 25 in 2007. ITRC pegs the number of records compromised at 4.22 million, with nearly all of that consisting of card numbers illegally accessed in the breach at grocery chain Hannaford Bros. Inc. (Digital Transactions News, March 17). Two disturbing recent breaches saw thieves obtain personal identification numbers for debit cards. In the bigger one involved Citibank-branded ATMs owned by Cardtronics Inc. and placed in 7-Eleven Inc. convenience stores. Fiserv Inc. processes transactions from some of the machines, but whose systems were actually compromised is in dispute. Citibank and Fiserv insist theirs were not, according to published reports. Nevertheless, hackers stole PINs from an unknown number of customers' cards and apparently netted millions of dollars. The federal government has brought charges against three suspects in U.S. District Court in Manhattan. In the second incident, hackers broke into a server containing debit card information about South Bend, Ind.-based 1st Source Bank's customers (Digital Transactions News, June 3). While there are many questions about what's behind the rise in breach reports, Foley says electronic thieves are displaying increasing skill. “Hackers are getting more proficient, not only just in breaches of personal identifying information, but … they are getting proficient at corporate information as well,” she says. Foley predicts the 2008's breach totals will match 2007's by September.
