TJX Breach, Physical Security Lapses Led Data Loss in 2007

By Elizabeth Bennett Print this article Print

The number of people whose personal information was lost, stolen or inadvertently exposed has tripled since last year, according to the non-profit Attrition.org.

2007 was a sub-prime year in data security.

Despite an increased focus on information security across the public and private sectors, the number of people whose personal information was lost, stolen or inadvertently exposed has tripled since last year, according to Attrition.org, a non-profit group that tracks data that has been lost, stolen or compromised in the U.S. and abroad.

Since January, there have been 313 reported incidents of compromised personal information affecting nearly 162 million individuals, largely in the U.S. By contrast, there were 346 reported incidents in 2006 that affected roughly 50 million people.

Personal information is characterized as a record that includes name, address and other sensitive data, such as Social Security number, credit card number or medical history.

One-third of the breaches occurred in corporate or non-profit organizations. The remaining incidents occurred at educational institutions (27 percent), government agencies (27 percent) and medical establishments (13 percent).

Here is a breakdown of the data compromises so far this year:

Electronic hacking was the source of the greatest number of compromised records this year, with 101 million records exposed as a result of 46 incidents.

Lost, stolen or missing equipment or documents were the source of 127 incidents affecting 38 million personal records. Data went missing on portable media including laptops, desktops, flash drives, backup storage discs, CDs and paper files.

Inadvertent or intentional publishing of personal information on Web sites or by paper mail accounted for 2.8 million records compromised from 52 reported incidents.

Fraud and inadequate disposal of documents, disk drives and computers accounted for most of the remaining incidents.

While electronic hacking was the method that compromised the greatest number of records this year, 94 million of those 101 million records were breached within a single organization—when customer credit-card numbers and transaction details were jeopardized in the largest data heist in history at TJX Companies in January.

TJX debacle aside, physical security breaches actually accounted for the bulk of data losses, according to Attrition.org's data, which is based on publicly available information.

That finding was not a surprise to Jon Oltsik, a security analyst at Milford, Mass.-based Enterprise Strategy Group. "Most firms don't have acceptable use and privacy policies that extend to portable media like flash drives and iPods," Oltsik says. And while strong policies and controls are needed, he says companies often have no way of monitoring or enforcing them.

Strong policies might include automatic encryption when data is saved to a flash drive, or strict management when it comes to which employees are allowed to save personal data to a laptop or other device. For instance, each time a payroll manager or human resources worker downloads employee information to a portable device, a security officer should be alerted.

A key ingredient often lacking in corporate security, according to Oltsik, is the integration of electronic and physical security. An example of how the lack of integration is hurting companies is when a security guard is completely unaware that a two-gigabyte flash drive could easily contain valuable or private data.

Home Depot is one of the 102 businesses that experienced a data loss this year when someone stole a laptop containing the personal information of roughly 10,000 employees from a worker's home in October. While Home Depot would not discuss its proprietary security measures, Sarah Molinari, a company spokesperson, said the company "regularly reviews its procedures and benchmarks against industry standards to ensure we have the appropriate systems in place to deter and mitigate fraud."

Prior to the theft, Molinari said Home Depot was working to record serial numbers for issued laptops to improve the chances of recovering lost or stolen laptops. Since the October incident, the company has reiterated its security procedures to workers, including not leaving portable media in vehicles and removing unnecessary data from laptops.

This article was originally published on 2007-12-12
Senior Writer
Elizabeth has been writing and reporting at Baselinesince its inaugural issue. Most recently, Liz helped Fortune 500 companies with their online strategies as a customer experience analyst at Creative Good. Prior to that, she worked in the organization practice at McKinsey & Co. She holds a B.A. from Vassar College.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.