Wednesday, February 11, 2009


If you thought you had seen the worst of the identity crisis, think again. A report just released by the Identity Theft Resource Center (ITRC) shows 656 breaches disclosed in 2008 compared to 446 in 2007, a whopping increase of 47 percent. As The Dunning Letter has been saying since mid-2008, the bad guys are just getting started, and, unfortunately, they are getting better. ITRC breaks the breaches down into five groups: Business had 36.6%; Education 20%; Government 16.8%; Healthcare 14.8%; and Financial Institutions 11.9%. While Government improved from first to third, Business took over this unenviable position.

The most frightening figures, proving the sheer recklessness of all data collectors, are that only a pitiful 2.4 percent of all breaches had encryption, and just 8.5 percent had password protection. Folks, we are in year three of this identity dilemma, which started when the ChoicePoint data hit the fan in February of 2005 and brought this whole mess out into the open. Apparently the term “what does it take” is completely lost on those who collect, manipulate and sell our names and personal data.

ITRC breaks data loss down into five methods: insider theft; hacking; data on the move; exposure; and subcontractor. Further, they divide the latter by financial institutions, general business, education, government and healthcare. In last Monday’s post, “JUNK MAIL NEEDS REGULATION…AND NOW!” I talked about data on the move in the junk mail industry, specifically from mailing list/data brokers. Hundreds of thousands of names and private information sent to the wrong address and never retrieved. It would be an ID thief’s dream if he or she knew how to locate this gold mine…and eventually they will learn.

Electronic breaches still maintain a significant lead over paper breaches: 82.3% versus 17.7%. Insider theft doubled in 2008 over 2007, which leads me to believe that more employees are discovering the value of the sensitive data they handle. Although I have absolutely no confirmation that this has ever happened, it seems to me that an intentional shipment of a storage disk with consumers’ private information to a pre-arranged “wrong address,” delivering it right into the hands of identity thieves, would be terribly easy and almost impossible to detect.

ITRC reports that 41.9 percent of data breaches in 2008 went unreported, down from the last figure I could find, where a 2006 Ponemon Research survey said it was 79 percent. The current estimate means that hundreds of breaches not being reported could be yielding the loss of millions of consumers’ personal records that we do not know of. When you combine that with the number of ID theft victims that do not report their loss, the results could be astronomical.

One of the recommendations from ITRC is that when sending data from one location to another, it should be encrypted. When only 2.4 percent of 2008 breaches had encryption, their suggestion sounds like a cry in the wilderness. As we have learned over the last eight years, business is not going to regulate itself. Only federal legislation is going to get the job done, and we are fast running out of time.
