US reaches milestone: 100 million records exposed

By on

Two months after the U.S. population reached 300 million people, the nation realised a more troubling statistical milestone when the nonprofit organisation, Privacy Rights Clearinghouse today reported that more than 100 million records have been exposed since the ChoicePoint data breach.

That means roughly one in three Americans has been exposed to the risk of identity theft since the Alpharetta, Ga.-based data broker revealed thieves gained illegal access to 163,000 customer records in February 2005.

The actual number of breaches is higher than 100 million, according to Beth Givens, founder and director of the PRC, who told SCMagazine.com that "for most of the breaches we report, the number is ‘unknown.' So, in reality, the number is much larger."

"But the significance of the number 100 million is that it is very large and it's growing rapidly. It shows just how leaky the data security boat is, for every kind of enterprise," she said. "We have a long way to go in this country before individuals can feel that their sensitive personal information is adequately protected."

Just Wednesday, the clearinghouse reported that a laptop belonging to a Boeing employee, and containing the personal information of 382,000 current and former employees, was stolen from his or her car.

In between the ChoicePoint and Boeing incidents, victims have had their personal data exposed in a variety of ways, including lost or misplaced storage devices and laptops, errantly delivered emails, accidental website posts and hacked servers and databases.

Among the most egregious were Bank of America lost back-up tapes of 1.2 million records, the hacking of 40 million credit card processor CardSystems, a dishonest American Red Cross blood donor recruiter with access to one million Social Security numbers and the U.S. Department of Veterans Affairs stolen laptop exposing 28.6 million records.

The breaches sometimes bordered on the bizarre. In July the New York City Department of Homeless Services reported that the personal information of 8,400 homeless people was leaked in an email attachment accidentally emailed to homeless advocates and city officials.

In January, as many as 240,000 subscribers to The Boston Globe and Worcester (Mass.) Telegram & Gazette received bad news on their doorsteps after their credit card numbers mistakenly were printed on the back of routing slips attached to newspaper bundles.

Nine months later, a Florida woman discovered her marriage license, containing her Social Security number, was publicly viewable on the Orange County website. She learned of the mistake after someone applied for a loan in her name.

Meanwhile, colleges and universities were popular hacking victims. In a two month stretch in the summer of 2005, 16 colleges reported they had been hacked. And just this week, one of the largest breaches to affect a university was reported when the University of California, Los Angeles alerted 800,000 people that their personal information may have been compromised in a database hack. Those notified included current and former students, faculty and staff, applicants and parents of students or applicants who applied for financial aid.

Newman suggests organisations focus on tightening access controls on employees, documenting their most sensitive data, building a layered defense and believing in their security.

"We must make 2007 the year of inside-out security, starting with the ultimate target of exposure, the database and working our way out in a layered defense," he said.

Paul Kurtz, executive director of the CSIA, told SCMagazine.com that the significant number should spur Congress into action.

"What strikes me is that you have nearly a third of the U.S. population [with data at risk]. When you walk down the street, every third person, their information is going to be at risk, and that person cannot be sure if there is someone out there trying to misuse that information," he said.

"That should be a real cause of concern. The issue here is not draconian; it is fairly straightforward, and that is establishing a single standard (for data breach notification)."

Click here to email Dan Kaplan.

Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?