ITRC Breach List Reaches All-Time High! : At the End of the 3rd Quarter of 2008, ITRC Reports 516 Breaches

Share Article

The Identity Theft Resource Center® (ITRC) data breach count has reached an all-time high. Between January 1st and September 30th 2008, the total number of data breaches recorded by the ITRC was 516, averaging 57 breaches a month. In 2007, the final total was 446 breaches. If this trend continues, it is conceivable that the total could exceed 650 data breaches for 2008. The actual number of breaches is likely higher, due to underreporting and the fact that some of the subcontractor breaches reported, which affect multiple businesses, are listed as a single event. For example, in two cases which affected multiple businesses, companies are still reporting additional data exposures with the final total yet to be determined.

1. The ITRC breach report sub-divides and tracks all breaches into five categories. The following is a comparison of 2008 (as of Sept 30th) with annual totals from 2007 and 2006.

  • Business:   2008 - 36.4%

    2007 - 28.9%

    2006 - 21%

  • Educational: 2008 - 21.3%

2007 - 24.8%

2006 - 28%

  • Government/Military: 2008 - 15.7%

2007 - 24.6%

2006 - 30%

  • Health/Medical: 2008 - 15.1%

2007 - 14.6%

2006 - 13%

  • Banking, financial, credit: 2008 - 11.4%

2007 - 7%

2006 - 8%

  2. In 2008, ITRC's current report reveals that 58.2% of breach events published the number of records involved, and that 41.9% of those having data exposures did not disclose the number of records potentially exposed. This means it is difficult to draw conclusions from the number of records exposed since we don't know the number of records involved in almost 42% of the breaches.

3. To date, electronic data breaches account for 81.2% of breach events, and paper breaches are 18.8%.

4. ITRC further categorizes data into five types of data breach scenarios. Some breaches, due to their nature, may be counted in more than one category, and some may not fit into any of these categories. These categories help ITRC study the causes of breaches, the main purpose of the breach list. These five categories are not as comprehensive as we might wish since many media resources, involved companies, and breach notification letters are ambiguous as to the cause of the event.

Insider theft and hacking combined indicate that about 30% of breaches are the result of malicious attacks, not counting other unauthorized access.

Poor information handling practices are reflected in data on the move and accidental exposure, accounting for 34.4% of the data breaches listed. It is clear that entities must establish precise information handling policies, train personnel on the importance for the policies, and limit the data that is transported from one location to the other. Data on the move has accounted for the largest number of breaches both in 2007 and 2008.

  • Insider Theft (stolen by someone inside the company):

    2008 - 16.5%     2007 - 6.0% - Data on the Move (laptop, thumb drive, PDA, etc.): 2008 - 20.3% 2007 - 27.8% - Subcontractor (stolen or lost by a second party): 2008 - 9.7% 2007 - 11.4% - Hacking (stolen by someone outside of the company): 2008 - 13.4% 2007 - 14.1% - Accidental Exposure (inadvertent Internet/Web posting): 2008 - 14.1% 2007 - 20.2%   The ITRC strongly advises all agencies and companies to:

  • Minimize personnel with access to personal identifying information - Limit the number of people who may take it out of the workplace - Execute secure methods for transport and storage of personal data - Encrypt personal information whenever possible  

As of the beginning of Q4 2008, there have been roughly 30 million records exposed. Due to the fact that 42% of the breaches reported an unknown or undisclosed number of records exposed, considering the record count for analysis is statistically unsound.

About the ITRC

The Identity Theft Resource Center® (ITRC) is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the on-going mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem. Additionally, ITRC has a complete breach response program to help businesses prepare for a breach, or respond to a data exposure event. Visit

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Linda Foley
Visit website