RealTime IT News

ID Theft Threat Grows With 1M Already Hit in '09

Data breaches and ID theft

Identity thefts soared in 2008, and now 2009 is shaping up to be another banner year for phishers, hackers and other ID thieves.

According to a new report from the Identity Theft Resource Center (ITRC), a nonprofit set up to support and educate consumers on identity theft, U.S. businesses and other organizations have suffered 83 security breaches so far in 2009 -- potentially exposing the records of at least 1.1 million people.

That finding, released in a new report, signals that the pace of data breaches is only increasing. According to the ITRC, breaches struck 656 businesses, government agencies and other organizations last year, an increase of 47 percent over 2007.

And this year's number of victims could only grow, ITRC officials said.

In particular, the number of potential victims it recorded thus far in 2009 excludes those who might have been affected by the breach at one of the nation's largest payment processors, Heartland Payment Systems, where the total number of victims remains unknown, ITRC founder Linda Foley told InternetNews.com.

"We could be adding millions to our numbers when we find out," Foley said.

The grim statistics come as the latest sign that ID theft is on the rise. The problem topped the list of consumer complaints to the Federal Trade Commission (FTC) during 2008, the agency said in new data released last week. According to the FTC, ID theft accounted for 26 percent of the more than 1.2 million complaints it received last year. The FTC did respond to requests for further comment by press time.

The findings also point to the growing threat from increasingly sophisticated hackers and ID thieves, coupled with what experts have claimed are persistently poor data security policies or practices at many organizations.

In February, a study by the Ponemon Institute attributed 88 percent of 2008 data losses to internal mistakes.

ITRC's Foley added that 42 percent of the organizations breached last year did not know how their records had been exposed. This year, the figure is almost 50 percent, she said.

Still, accidental exposure of data remains less costly than thefts. Ponemon also found that breaches by outsiders are on the rise and proving more costly to businesses, with per-victim costs rising $52 between 2007 and 2008, to $243.

Mounting losses

So far this year, the causes of the data losses range from careless disposal of old records to wide-scale data breaches, according to ITRC's report. In addition to Heartland, large organizations that suffered a breach include the University of Florida, health services provider Kaiser Permanente and the FAA.

Those trends are leading to some serious losses.

Dan Clements, president of ID theft protection and fraud prevention firm CardCops, told InternetNews.com that consumers reported fraud-related losses totaling more than $1.8 billion last year.

Clements said he believes the increase in fraud is tied to the economic downturn. For one thing, identity theft was highest in Arizona, California and Florida -- states among the hardest-hit in home foreclosures.

Closing the door on ID thefts

The high number of data breaches reported has led politicians to look for ways to solve the problem. In January, Sen. Dianne Feinstein (D-Calif.) introduced two new data breach and privacy bills in Congress. And in September, the U.S. House of Representatives passed Sen. Patrick Leahy's (D-Vt.) Identity Theft Enforcement and Restitution Act, which aims to make it easier for federal agencies to pursue cybercriminals and increases the penalties for convictions.

ITRC's Foley said the Payments Card Industry Council needs to update its standards to help prevent data breaches. While PCI certification is mandatory for retailers, security experts contend it is the lowest level of security for large organizations such as Heartland, which was breached despite being PCI certified in April.

She also called for educating people at all levels in organizations about security and for organizations to develop written policies on information handling, storage and destruction. "Everyone, from the CEO to the mailroom employee, needs to be covered by these policies," she said.

"In 2008, there were slightly more breaches due to human error such as accidental exposure of data or loss of physical data devices or sources of data like laptops, than there were due to malicious attacks."

But to Affinion's Clements, the problem is not going to be solved anytime soon.

"We're seeing an increase in chatter in the underground, in IRC chat rooms," he said, referring to Internet Relay Chat discussions among hackers and data thieves.

The fact that data theft is easy to commit -- thanks to a proliferation of portable memory devices -- and difficult to prove makes matters worse, he added.

"The invention of the memory stick is a license to take data outside a corporation, and the force pulling data out of corporate America is cyberspace, which lets foreign identity thieves get stolen data that they are willing to pay for," he said.