Record Number Of Data Breaches Reported In 2007

Researchers with the Identity Theft Resource Center cited 443 breaches in the U.S. in 2007 in their annual report, compared to the 315 they identified in 2006.

Thomas Claburn, Editor at Large, Enterprise Mobility

December 31, 2007


The number of publicly reported data breaches in the U.S. rose by more than 40% in 2007, compared to the previous year, according to statistics compiled by the Identity Theft Resource Center (ITRC), a consumer rights advocacy group.

In its December 24 report, the ITRC said that there were 443 publicly reported breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches.

Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records.

The ITRC will have to update its list to reflect breaches reported during the last seven days of the year, something organization founder Linda Foley said would happen next week.

On Friday, the Tennessean.com reported that someone broke into a Davidson County election office over the Christmas holiday and stole laptops believed to contain the Social Security numbers and other personal information for more than 337,000 registered voters in the Tennessee county.

That same day, the Pioneer Press in Minnesota reported that a laptop containing the personal information of 219 Minnesotans had been stolen from a Pennsylvania vendor doing business with the Minnesota State Commerce Department.

Also on Friday, television station WSFA in Montgomery, Alabama, reported that the U.S. Air Force had sent letters to current and former service members whose Social Security numbers, birth dates, addresses, and telephone numbers were on a laptop that was stolen from the home of an Air Force band member based at Bolling Air Force Base in Washington, D.C. The station subsequently reported that the missing laptop contained the personal information of 10,501 individuals.

The rise in reported breaches may not be exclusively a reflection of rising data thievery. The ITRC speculates that in addition to an increase in data theft, more data breaches are being reported to the public. And it remains to be seen whether 2007 proves to be a high water mark for data loss, given that the T.J. Maxx breach accounted for 94 million of the 127 million exposed customer records.

Foley reluctantly characterized 2007 as the worst on record from a statistical perspective, but cautioned that the T.J. Maxx breach skews the statistics. "I don't know whether we're seeing more breaches because there's mandatory reporting or because there are more," she said, adding that 39 states and the District of Columbia now require organizations to report data breaches.

But even if 2007 proves to be an aberration, the costs associated with data breaches appear to be rising. According to a study released in November by the Ponemon Institute, an information practices consultancy, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006.

And that perhaps explains why Cisco, Google, Raytheon, Symantec, Trend Micro, and Websense have all made acquisitions in the past year or so to strengthen their data loss protection offerings. A Gartner report in May estimated that the $50 million data leak protection market measured in 2006 would as much as triple by the end of 2007.

Foley nonetheless expressed optimism, noting that in regulated industries like finance and healthcare, there are far fewer breaches than in other areas of business. "Both are highly regulated industries with a number of government agencies looking over their shoulders," she said. "[But] a lot of the businesses still have not learned how to handle information correctly."

As an example, she points to the fact that only 13 of the 443 data breaches reported to date this year involved encrypted data, which is far less vulnerable to unauthorized access or misuse.

While 2007 could fairly be called the year of the data breach, Foley prefers to think of it as the year of data breach awareness. "I think there is a greater awareness this year that is going to have a ripple effect over the next couple of years," she said. "And hopefully that is going to bring the number of breaches down."


About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
