Analysis of 2005 Data Breaches

In the recent analysis of public information on 70 breaches, the most interesting findings included:

• The largest volume of data breach incidents occurred in the education sector (46 percent)
• Fifty-seven percent of the identities breached were in the financial services sector
• Almost 70 percent of the breached occurrences were because someone targeted the organization through hacking or some other method to steal information about consumers
• Of the publicly-reported data breaches during the study period, 77 percent were "identity-level," meaning personal identifiers such as names and Social Security numbers were breached
• The majority of the identity-level breaches, 38 out of 54, were intentional, meaning the breach appeared to be the result of a deliberate theft of identity information from an electronic database

"This high proportion of identity-level breaches suggests that criminals know exactly what they are targeting since identity-level information is most profitable for committing identity theft," said Mike Cook, ID Analytics' co-founder and vice president of product. "Based on the analysis, we believe that fraudsters determined to steal identity information to perpetrate their crimes are systematic and deliberate in their attempts."

However, not all of the breaches in the study were intentional. For the purposes of the analysis, ID Analytics excluded the June 2005 breach of 40 million account numbers from CardSystems due to its large size. Excluding this breach, more than half (58 percent) of the breached identities in the study were actually lost, seemingly through human error, rather than because someone targeted the organization to steal the information.

As part of this study, ID Analytics also analyzed the potential costs of these data breaches by estimating such losses as operational costs, consumer notification, card re-issuance, credit monitoring services and anticipated fraud losses. The analysis showed that during the period of the study approximately $210 million were lost by the affected organizations as a result of these breaches.

"Breaches differ, and the risk to consumers and organizations varies considerably based on the type and scope of the data breach," said Bruce Hansen, chairman and CEO of ID Analytics. "What's really most important for both consumers and breached businesses is assessing the degree of risk for a given breach in order to determine the best next steps to protecting consumers, protecting the organization, and stemming financial and reputational losses."