In fact, 2006 is shaping up to be one of the worst years of all time for data loss and theft. According to the Privacy Clearinghouse, at the halfway point this year we have seen more than 35 million personal identifying records lost — putting the U.S. on pace to see more than 70 million personal records lost by year's end.
So what gives? If businesses are supposedly getting better and security technology is improving, why are the newspapers full of so many reports of data losses and breaches?
Part of the increase may simply be attributable to the fact that enterprises are more accountable when they lose records. With so many disclosure laws now in place, it is understandable that we are hearing about more losses today than a year ago.
"There's much more in the way of notification," says Terrence DeFranco, chief executive officer of Bethlehem, Penn.-based Edentify. "Now whenever there's a breach, the first thing anybody does is come out and say there's a breach. That's a good thing. One of the strongest ways of stopping identity fraud is education, and education comes in the form of knowledge. Knowing that your name is included in some database that has been breached, that's the first step to prevention."
But disclosure is only one factor in this year's record-breaking number of incidents. Most security experts agree that both data loss and subsequent fraud are more rampant than ever. They lay the blame on criminals who have changed their attacking mentalities over the years as they've discovered the monetary benefits of running organized identity fraud enterprises.
"A few years ago, hackers and thieves were going after the equipment or after a denial-of-service attack. They were trying to interrupt industry," says Warren Smith, vice president of marketing at San Francisco-based GuardianEdge. "Today they're going after consumer information, so the focus of the threat has shifted dramatically."
As this shift has occurred, fraudsters have become more methodical and more efficient with their thievery. The end result is a huge uptick in lost records and incidents of fraud.
"That's classic of any industry that becomes organized," says Peter Relan, chairman and chief executive officer of Redwood City, Calif.-based Business Signatures. "It's like moving from a cottage industry to full-blown factories. It's business. It is a multi-billion dollar a year industry and it has no boundaries."
Relan explains that identity fraud is broken up into three distinct phases. The first stage is the actual theft of the identity, be it through the acquisition of personal identifying information or login information. The second step is the scoping of accounts to ensure the identity is valid and ripe for a ripoff. And the third is the actual act of fraud.
"These people are gunning for a full-blown supply chain," he says. "And that's why you hear about the large-scale theft now, because these guys are stealing millions of records at a time. It's not because there's more or less going on, it's just that it is going on at a large scale by organized criminals."
What are we doing to improve?
While the criminals have certainly gotten better at what they do, it ultimately is the security community's job to catch up. Consumers don't want to hear about why things are getting worse — they want to know how it is going to get better. Most feel that businesses are just not doing enough to protect their customers.
According to a nationwide survey done by the Cyber Security Industry Alliance (CSIA), 94 percent of those polled said identity theft is a serious problem. Of those, only 24 percent thought that businesses were doing enough to protect sensitive information.
Like most in the security vendor community, DeFranco believes that there is more that businesses can do to protect against both data loss and fraud. As a company that helps financials protect themselves and their customers from fraud, DeFranco sees many sales slip away when financial firms would rather just assume the risk of fraud than invest in prevention measures.
While there is some light at the end of the tunnel — the average loss per person affected by fraud is going down — DeFranco believes that it will take more concern on the part of business to improve the climate.
In fact, he wonders whether it will take more systemic change within the business world to truly make a dent in the upward trajectory of fraud incidents. Above all, businesses must change the way they share personal data with little regard to consumers' wishes.
"Very simply put, an opt-in versus opt-out [stance] is the first step. I wouldn't want my information shared with anyone without my prior approval," he says. "We don't have any control over our identity once we give it out to someone. Nothing says that you gain control in an opt-in, but at least there's someone accountable if I do get hurt."
2006 GREATEST HITS:
Sample of breaches
January 31, 2006
Boston Globe and The Worcester Telegram & Gazette
Inadvertently exposed credit and debit card information, along with routing information for personal checks, printed on recycled paper used in wrapping newspaper bundles for distribution.
240,000 potentially exposed
February 13, 2006
Ernst & Young (U.K.)
Laptop stolen from employee's car with customers' personal information, including Social Security numbers.
38,000 BP employees in addition to Sun, Cisco and IBM employees
March 2, 2006
Los Angeles County Department of Social Services (Los Angeles, Calif.)
File boxes containing names, dependents, Social Security numbers, telephone numbers, medical information, employer, W-2, and date of birth were left unattended and unshredded.
Potentially 2,000,000, but number unknown
April 24, 2006
Ohio University (Athens, Ohio)
Hackers accessed a computer system of the school's alumni relations department that included biographical information and 137,000 Social Security numbers of alumni.
May 22, 2006
U.S. Department of Veterans Affairs (Washington, D.C.)
On May 3, a laptop was stolen from the home of a VA employee, which contained data of all American veterans who were discharged since 1975, including names, Social Security numbers, dates of birth and, in many cases, phone numbers and addresses. The computer was later recovered, but not before the resignation of a deputy assistant secretary and a class action lawsuit.
June 21, 2006
U.S. Dept. of Agriculture (USDA) (Washington, D.C.)
During the first week in June, a hacker broke into the Department's computer system and may have obtained names, Social Security numbers and photos of current and former employees and contractors.