Military and government agencies mistakenly exposed the personal data of thousands of citizens in at least 104 incidents in 2010, up from 90 such data breaches the previous year, according to a new study. Yet, far fewer personal records were released as a result -- 1.2 million in 2010, well under the 79.4 million exposed in 2009.
The study by the nonprofit Identity Theft Resource Center found that there were 662 breaches reported nationwide in 2010. The center defines a breach as an event in which an individual's name and other identifying information, such as a Social Security or driver's license number, banking or medical data, are put at risk in electronic or paper format.
Of the 622 total breaches reported in 2010, 15.7 percent involved data handled by state and federal agencies and the military. Sixty-two percent of all breaches resulted in the exposure of Social Security numbers. One of the biggest breaches involved the exposure of 207,000 records of Army Reservists in Colorado.
Businesses accounted for the largest percentage of data breaches -- 42.1 percent. Medical and health care facilities accounted for 24.2 percent, followed by educational institutions at 9.8 percent and the banking industry at 8.2 percent.
Because there is no centralized reporting system for the unintended exposure of personal records, the actual scope of the problem is likely much greater. "Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events," ITRC said in a news release. "It is clear without a mandatory national reporting requirement that many data breaches will continue to be unreported, or underreported."
K. Selcuk Candan, a professor of computer science and engineering at Arizona State University in Tempe, said such a repository would help security analysts observe data breach patterns. "A site would . . . help identify hot spots in data breaches and help countermeasure development efforts that today have to proceed on a more or less case-by-case basis," he said in an e-mail to Nextgov in response to questions.
Technically, creating such a database would be relatively simple. "However, I am not sure if many institutions will be happy to report their breaches to a central repository," he said. "Contributors to the site may worry that this may negatively affect their reputations, while of course benefiting everybody, including their competitors."
Data breaches are becoming more frequent in the United States due to the increase in online transactions and social networks, combined with the lack of standards for security and privacy, Candan said. He believes many of the breaches were reported because they included Social Security numbers, which are "very available and thus easy to steal." Since these events could lead to identity theft, they are more likely to be reported than other types of breaches.