The total number of breaches on the Identity Theft Resource Center’s 2008 breach list has surpassed the final total of 446 reported in 2007 — more than four months before the end of 2008. As of 9:30 a.m. August 22nd, the number of confirmed data breaches in 2008 stood at 449. The actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events. In the last few months, two subcontractors became examples of these “multiple” events. In one case, the customers and/or employees of at least 20 entities were affected by a breach that the ITRC reported as a single breach event.
ITRC recognizes that 449 breaches in less than a year is a small number when compared to the total number of business, governmental, health, banking and educational entities that have databases. However, for the individuals whose information has been exposed, 449 data exposure events are still too many. It should be noted that the growth in the number of breaches from year to year can no longer be attributed only to required reporting laws and media investigative work.
Linda Foley, ITRC Founder, attributes part of the growth of the ITRC’s breach list to the ability to access state Attorney General notification lists, which contain breaches that were not reported via media or other sources. Foley commented:
“If more states would publish breach notification lists, there would be more information to study and to help us understand this growing concern. At this time, only three states publish such information. Additionally, more companies are starting to audit their security and network systems and use readily available security measures. This pro-active approach means that breaches are being identified that might otherwise have gone undetected.”
The ITRC breach list is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. ITRC uses several websites to help search for verifiable breaches, such as pogowasright.org, phiprivacy.net, The Breach Blog and attrition.org. To qualify, breaches must include personal identifying information that could lead to identity theft, especially the loss of Social Security numbers.