
A dubious milestone – Privacy Rights Clearinghouse reports exposed record No. 100 million


Two months after the U.S. population reached 300 million people, the nation realized a more troubling statistical milestone when the Privacy Rights Clearinghouse today reported that more than 100 million records have been exposed since the ChoicePoint data breach.

That means roughly one in three Americans has been exposed to the risk of identity theft since the Alpharetta, Ga.-based data broker revealed thieves gained illegal access to 163,000 customer records in February 2005.

"The end of 2006 greets us with the cold, hard fact that at this level of exposure, we're playing with fire," said Application Security's CTO Aaron Newman. "With each breach, massive and widespread identity theft is headed toward epidemic proportions."

The actual number of exposed records is higher than 100 million, according to Beth Givens, founder and director of the PRC, who told today that "for most of the breaches we report, the number is 'unknown.' So, in reality, the number is much larger."

"But the significance of the number 100 million is that it is very large and it's growing rapidly. It shows just how leaky the data security boat is - for every kind of enterprise," she said. "We have a long way to go in this country before individuals can feel that their sensitive personal information is adequately protected."

Just Wednesday, the clearinghouse reported that a laptop belonging to a Boeing employee, and containing the personal information of 382,000 current and former employees, was stolen from his or her car.

In between the ChoicePoint and Boeing incidents, victims have had their personal data exposed in a variety of ways, including lost or misplaced storage devices and laptops, errantly delivered emails, accidental website posts and hacked servers and databases.

Among the most egregious were Bank of America's lost backup tapes (1.2 million records), the hacking of credit card processor CardSystems (40 million), a dishonest American Red Cross blood donor recruiter with access to Social Security numbers (one million) and the U.S. Department of Veterans Affairs' stolen laptop (28.6 million).

The breaches sometimes bordered on the bizarre. In July, the New York City Department of Homeless Services reported that the personal information of 8,400 homeless people was leaked in an email attachment accidentally emailed to homeless advocates and city officials.

In January, as many as 240,000 subscribers to The Boston Globe and Worcester (Mass.) Telegram & Gazette received bad news on their doorsteps after their credit card numbers mistakenly were printed on the back of routing slips attached to newspaper bundles.

Nine months later, a Florida woman discovered her marriage license, containing her Social Security number, was publicly viewable on the Orange County website. She learned of the mistake after someone applied for a loan in her name.

Meanwhile, colleges and universities were popular hacking victims. In a two-month stretch in the summer of 2005, 16 colleges reported they had been hacked. And just this week, one of the largest breaches to affect a university was reported when the University of California, Los Angeles alerted 800,000 people that their personal information may have been compromised in a database hack. Those notified included current and former students, faculty and staff, applicants, and parents of students or applicants who applied for financial aid.

Phil Neray, vice president of marketing at data security firm Guardium, says colleges store large amounts of sensitive information, including financial data, while having fewer resources to protect that property.

"That combination makes them particularly vulnerable," he told today. "Databases are incredibly complex pieces of software. They're complex and easier to penetrate."

Newman suggests organizations focus on tightening access controls on employees, documenting their most sensitive data, building a layered defense and believing in their security.

"We must make 2007 the year of inside-out security, starting with the ultimate target of exposure, the database and working our way out in a layered defense," he said.

Paul Kurtz, executive director of the CSIA, told today that the significant number should spur Congress into action.

"What strikes me is that you have nearly a third of the U.S. population (with data at risk). When you walk down the street, every third person, their information is going to be at risk, and that person cannot be sure if there is someone out there trying to misuse that information," he said. "That should be a real cause of concern. The issue here is not draconian; it is fairly straightforward, and that is establishing a single standard (for data breach notification)."
