Data Breaches Skyrocketed in 2008

The Identity Theft Resource Center (ITRC) monitors five groups for data breaches annually. It found that the financial, banking, and credit industries have remained the most proactive groups in data protection over the past three years. Businesses accounted for about 37 percent of the breaches, the highest number of any of the five groups studied. The government/military category has dropped nearly 50 percent since 2006, moving from the highest number of breaches to the third highest.

Malware attacks, hacking, and insider theft accounted for about 30 percent of breaches. On its own, insider theft more than doubled between 2007 and 2008, the ITRC reported, accounting for more than 15 percent of breaches. But breaches related to data-in-motion and accidental exposure, which are categorized as human errors, declined in 2008 compared with 2007, though they still accounted for about 35 percent of incidents.

Only 2.4 percent of all breaches involved data for which encryption or other strong protective measures were in place, and only 8.5 percent involved password protection, the ITRC reported. "It is obvious that the bulk of breached data was unprotected by either encryption or even passwords," the study states.

In all, the ITRC found about 36 million records were potentially breached in 2008, based on figures derived from the notification letters and information provided by breached entities. But almost 42 percent of the reported incidents did not include an estimated number of victims.

Given the statistics, the ITRC urges organizations to minimize the number of people who have access to personally identifiable information and require encryption for all mobile data storage devices that contain identifying information. In addition, organizations should limit the number of people who may take information out of the workplace and set safe procedures for data storage. Another critical practice is encrypting data and records before sending them from one...