Tuesday, January 15, 2008

Data Exposure Stats Exposed

When I picked the top three privacy/security stories of 2007, the annual toll of privacy breaches was not included. My intention was not to belittle the ongoing plague of personal data exposures. However, this is a plague in progress and in that sense it is not new, thus arguably less newsworthy than some other developments.

That said, the year-on-year increase in exposures is worth noting, as Mark Jewell did recently, writing for the Associated Press. He cites Linda Foley of the San Diego-based Identity Theft Resource Center, who says "more than 79 million records" were reported compromised in the United States through Dec. 18, 2007. That is almost a fourfold increase from the nearly 20 million records reported compromised in all of 2006.

Another source is Attrition.org, which reckons more than 162 million records were compromised through Dec. 21 of 2007, but that was worldwide and not just the US. The comparable 2006 figure from Attrition was 49 million, so they are suggesting a year-on-year increase of more than 3X.

Jewell points out that the biggest difference between the record-loss counts of the two organizations is Attrition’s estimate that 94 million records were exposed in the TJX case (T.J. Maxx, Marshalls, etc.). Attrition’s figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit banks filed against TJX whereas the Identity Theft Resource Center counts about 46 million, which is the number of records TJX acknowledged in March were potentially compromised.

Strangely, Jewell states that Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. That's a [hopefully unintentional] slight to the Privacy Rights Clearinghouse where Beth Givens has been keeping track of numbers for several years. The PRC site documents 217,118,526 records exposed from 2005 through 2007. I think a lot of the PRC data is sourced from Attrition, but PRC reviews it and sometimes modifies it. David Shettler has developed a Web site that provides statistical analysis of security breach data, at www.etiolated.org.

When you consider this chart, based on Attrition numbers, the scale of the problem is apparent. While some of the steepness of the curve is probably due to increased reporting of incidents following disclosure laws passed in California and other states, those laws are not creating the exposures. The exposures are all real, affecting real people, for whom exposure causes real problems. Clearly, companies and governments need to do a much better job.
