SAN DIEGO (9/4/08)--The number of data breaches for 2008 so far has surpassed the final total of 446 reported in all of 2007--more than four months before the end of 2008. That’s not good news for credit unions and other financial institutions forced to reissue credit and debit cards to protect their members from identity theft and fraud related to data breaches of other companies. As of Aug. 22, the number of confirmed data breaches in 2008 was 449, said the Identity Theft Resource Center (ITRC). The actual number of breaches is likely higher due to under-reporting last year and because some of the reported breaches affecting multiple businesses are listed as single events, the ITRC said. ITRC is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness about identity theft. ITRC recognizes that 449 breaches in less than a year is a small number when compared with the total number of businesses, government, health, banking and educational institutions that have databases. The growth in the number of breaches from year to year can no longer be solely attributed to required reporting laws and media investigative work, the ITRC noted. Part of the growth of the ITRC’s breach list is due to the ability to access state attorney general notification lists, which contain breaches that were not reported via media or other sources, noted Linda Foley, ITRC founder. “If more states would publish breach notification lists, there would be more information to study and to help us understand this growing concern,” Foley said. “At this time, only three states publish such information. “Additionally, more companies are starting to audit their security and network systems and use readily available security measures. This pro-active approach means that breaches are being identified that might otherwise have gone undetected,” Foley added. “The number of attacks, in addition to publicly disclosed breaches, continues to escalate as criminal networks mushroom around the world, while economies weaken,” said Avivah Litan, vice president and analyst, Gartner Inc. “A more concerted effort is required among companies to secure and protect customer data, regardless of regulatory oversight.” The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches, such as pogowasright.org, phiprivacy.net, The Breach Blog and attrition.org. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers. The purpose of the ITRC breach list is to study:
* What are the weak links in security that might lead to a breach? * What policy changes need to be considered? * What protocols need to be established and then taught to all employees, including the highest ranking executive? and * Can risk levels be predicted or reduced?