The nonprofit Identity Theft Resource Center (ITRC) reports that while online breaches get a lot of attention in the media and in the security industry, a great deal of personal data is being lost through the theft of paper, often in dumpster diving, as thieves get social security numbers and other valuable information from the garbage cans of medical institutions, banks, and other businesses.
As of June 15, 2009, the ITRC was aware of 250 breaches in which 12,235,848 records were exposed. Of those breaches, 64 were paper-based, representing 25.6 percent of breaches tracked by ITRC and 0.5 percent of records exposed.
The low number of records exposed in paper breaches may have more to do with the difficulty of tracing the damage than with the actual risk of paper breaches. Earlier this year, data breach researcher Larry Ponemon told InternetNews.com that organizations that don’t have backups of the data they’ve lost routinely underestimate the extent of the damage.
Furthermore, the ITRC reports that paper-based breaches are vastly underreported because laws designed to protect consumers ignore the paper threat. “In 44 states, and the District of Columbia, there are specific laws about security breaches. The laws require any company or agency in possession of Social Security numbers (SSN), financial account information and other sensitive information to follow procedures to protect that information,” the ITRC said in a statement.
“While all these law encompass the protection of electronic data, most have no mention of paper breaches. As of yet, no federal security breach bill addresses this problem. Unfortunately, more than 25 percent of the breaches year to date are paper breaches,” the ITRC added.
Often, thieves who cannot get to a server can simply go to the trash can.
“Paper breaches are often documents with personal information disposed in trash cans or dumpsters, left for the taking by those who didn’t take the time to shred them,” the ITRC said. “This raises the questions: ‘What were they thinking?’ and ‘Why don’t we have laws regarding paper breaches?'”
The ITRC is certain that its list is only a small portion of the actual number of breaches that occurred this year. “Having maintained a data breach list since 2005, the ITRC knows that this is just the tip of the iceberg, as many breaches are not made public,” said the ITRC.
The negligence factor
Paper breaches cited by the ITRC are often caused by negligence rather than malicious activity. The State of Maine sent unemployment benefits to the wrong address in 600 cases recently, exposing data including social security numbers. The state’s Department of Labor blamed an equipment malfunction.
In another case, a drug store paid damages this
month for filling a dumpster with medical records.
In contrast, prosecutors are often able to prove malicious intent in electronic breaches. In Colorado, a former strip club manager has been sentenced to 55 years in jail for stealing customer information. Malicious intent is also obvious when data is held hostage.
The ITRC did report one case of malicious dumpster diving. Police in Nashville, Tenn. tracked down someone named William Frelix who they allege was paying others to check hotel trash for credit card information, which he then stole. The police said that they have advised hotels to shred all paper containing credit card information. Police involved in the matter declined to name the hotels involved.