Break’s over: after decline in 2009, breach reports appear to rise in 2010
The Verizon breach analysis report released this past week reported declines in 2009 in both the number of records compromised and the number of breaches Verizon was asked to investigate. Their reported decline in number of breaches has some confirmation in reports from the Privacy Rights Clearinghouse and the Identity Theft Resource Center, who had also noted declines in number of reported breaches in 2009. But where Verizon’s report suggests that the number of records compromised in 2009 declined from 2008 levels, both PRC and ITRC had reported significant increases in their records measures that year. Without knowing more about specific cases included in the Verizon-USSS data set, it is impossible for me to fully account for the discrepancy. But keeping in mind that Verizon-USSS are usually dealing with compromised records and not just exposed records, the National Archives Records Administration incident exposing 76,000,000 records that was included in the PRC and ITRC figures might be the source of much of the discrepant findings.
But was 2009 just an anomaly? Here’s how I see 2010 shaping up:
More Breach Reports
- The Privacy Rights Clearinghouse (PRC) shows that for 2010 to date, they have already recorded 328 breaches. For all of 2009, they had reported 252 incidents. This year, PRC started using DataBreaches.net and PHIprivacy.net to fuel their chronology. Adding those two resources seems to have significantly increased their number of reported incidents. Whether the additional resources plus the new HHS resource explains all of the increase, however, is doubtful.
- Similarly, the Identity Theft Resource Center (ITRC), which was already using DataBreaches.net and PHIprivacy.net, reports 385 incidents for 2010 to date, compared to 498 breaches for all of 2009. At least some of the apparent increase may be due to the new U.S. Department of Health & Human Services resource, but:
Based on the year-to-date figures and the fact that we are as yet missing reports from one of our regular primary sources (Maryland), it does appear that the number of incidents disclosed will be significantly higher for 2010 than for 2009 and is likely to surpass 2008, a year in which ITRC recorded 656 incidents.
Fewer Records Exposed
Although the number of breach reports being disclosed appears to be increasing this year compared to last year and previous years, the number of records involved seems to have declined significantly from 2009. PRC reports 12,797,957 records exposed so far in 2010 for those breaches for which they have numbers, while ITRC reports 13,067,157 records exposed to date for 2010. At this rate, and barring any “monster” breach disclosures during the remainder of this year, the total number of records exposed for 2010 may not only be significantly less than what PRC and ITRC reported in 2009, but may also be less than what was reported in 2008.