
Corporate America More Dangerous Than Hackers?

One researcher says it's corporate America, not hackers, that's putting our personal and financial information in jeopardy, and the losses are now running at a rate of 6 million records a month.
Hackers simply are getting a bum rap.

According to one university professor's calculations, by year's end the 2 billionth personal record -- Social Security number, address, or medical history -- will be compromised. And it won't be because of the malicious efforts of a hacker. It will be at the hands of corporate America.

That's the take of Phil Howard, an assistant professor at the University of Washington. By his calculations, electronic records in the United States this year are bleeding at the rate of 6 million a month. That's up about 200,000 a month from last year.

Because of the mandatory reporting process established by California, "we've actually been able to get a much better snapshot of the spectrum of privacy violations," Howard said in a written statement. "And the surprising part is how much of those violations are organizationally prompted. They're not about lone wolf hackers doing their thing with malicious intent."

Howard bases his projections on a review of breached-record incidents as reported in major U.S. news media between 1980 and 2006, according to a release. The total through last year stood at 1.9 billion -- or roughly nine records per American adult.

And Howard says his numbers are conservative. The report, which he co-authored with Kris Erickson, a University of Washington geography doctoral student, delved into the flood of escaping records and some of the related dynamics. The report is slated to appear in the July edition of the Journal of Computer-Mediated Communication.

The study also found:

  • Hacker intrusions account for 31% of the 550 confirmed incidents between 1980 and 2006. Sixty percent were attributable to organizational mismanagement, such as missing or stolen hardware. The remaining 9% was attributed to unspecified breaches.
  • Likely as a result of laws mandating that companies report data losses, the number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases).
  • The education sector -- primarily colleges and universities -- accounted for less than 1% of all lost records but 30% of all reported incidents. Both researchers say this is because of the culture of information sharing at most colleges and universities.

When analyzing the past 25 years, Howard reportedly found that three out of five reported incidents point to organizational malfeasance of some variety, including missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online.
