Last year, the U.S. experienced a heavy number of data breaches, of which more than 619 were reported and more than 57 million records exposed, according to the Identity Theft Resource Center, which has already collected 49 reported breaches so far in 2014.
You have probably heard of the big ones – Adobe, LinkedIn, Facebook, Target and Snapchat – thanks to what Karen Barney, program director and coordinator of the ITRC Data Breach Report, the “media frenzy,” for lack of a better term.
However, while many data breaches were listed on ITRC’s list for 2013, there are some that, while reported, didn’t get the kind of media attention as some of the others.
For example, six companies reported data breaches the same day that Target announced theirs in December. Affinity Gaming in Nevada was one of them, reporting 280,000 records were breached from casinos where customer used credit or debit cards within its facility between March 14 and October 16.
“If you look at the information, there are a large number of breaches in the media that don’t even tell us what happened, or if they do, give a minimum amount,” Barney said. “It could be insider theft or third-party. However, hacking continues to be the No. 1 way these breaches are happening.”
Sometimes Social Security numbers have been exposed or credit card numbers accidentally show up on a server and someone does a random searches. ITRC’s report showed 7.6 percent of the breaches in 2013 were the result of accidental exposure.
In addition, it remains difficult to know what kind of information or records were compromised because over the past seven years, 47 percent of breaches did not include the number of records exposed, the report stated.
Meanwhile, four companies reported breaches at the same time that Horizon Blue Cross Blue Shield New Jersey reported its breach of over 800,000 records. They included Capital One and HSBC banks as well as B&G Foods North America, which operates the Maple Grove Farms brand. None of them reported the number of breaches.
In October, on the same day Adobe Systems reported 2.9 million customers were affected by its breach, St. Mary’s Janesville Hospital also reported some 600 records were compromised when a laptop was stolen from a car.
There will typically be more medical exposures reported because of a government law that states medical organizations have to report any breach when more than 500 records are compromised.
Sam Imandoust, legal analyst with ITRC, said identity theft has been getting attention since the late 1990s, and it all started off with credit card numbers. But what criminals are realizing is the punishment is as bad as going into grocery store and stealing $400, he added.
“You can now pay a nurse $10,000 for some medical records and either sell them or try and benefit from the accounts yourself,” he said. “It has turned into organized crime for this and they are getting better.”
In the aftermath of the more than 600 breaches, Imandoust thinks data breach laws are really a patchwork, with each state having its own laws. As a result of over 40 million hit by the Target breach, he expects the industry to start begging the federal government to create an all-encompassing data breach law so companies affected will only have to follow one law rather than going over all of the state laws to comply.