The book has closed on 2010, and with it comes word from the ITRC that 662 reported data breaches occurred during the year that came to an end this past weekend. Infosecurity notes that the number of true data breaches is likely higher, owing to the fact that not all breaches are required to be reported by law.
The ITRC took the opportunity to highlight the apparent lack of transparency regarding data breach reporting. “Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events”, IRTC said in a press release statement reflecting on the year-end numbers. “It is clear that without a mandatory national reporting requirement, that many data breaches will continue to be unreported, or under-reported.”
A couple of noteworthy lowlights from the report include breaches affecting two of the ‘Holy Grails’ of personal information: Social Security numbers and credit/debit card details. Sixty-two percent of the reported incidents involved the loss of Social Security data, or 76% of the known records. A further 26% of the breaches involved payment card information, or 29% of the reportedly compromised records.
ITRC’s analysis shows that 51% of publicly reported data breaches disclosed the total number of records compromised, coming in at 16.1 million records total. However, this means almost half of all reported data breaches failed to reveal the number of compromised records, a fact the ITRC claims is “another argument for mandatory reporting”.
The ITRC’s yearly data breach tally has experienced a bit of a yo-yo effect over the last few years: in 2009 it recorded 498 breaches, 657 in 2008, and 446 in 2007.
In its statement, the ITRC acknowledged that “breaches happen”, but that “the business community need to stop acting like ostriches with their heads in the sand”.
“Mandatory reporting is on the horizon”, the ITRC warned. “It will be demanded either by consumer lobbying or legislation”.