There are hundreds of ways that a consumer's personal information may be lost, stolen or exposed. An employee may lose a laptop, hackers may download credit card numbers, or sensitive personal data may be accidentally exposed online.
Privacy Rights Clearinghouse's Chronology of Data Breaches list counts the number of records leaked that contain information useful to identity thieves, such as Social Security numbers, financial account numbers, driver's license numbers and, in some states, medical information.
2011 was a significant year for data security breaches. PRC tracked 535 breaches involving 30.4 million sensitive records. This brings the total reported records breached in the U.S. since 2005 to 543 million.
"This is a conservative number," says PRC Director Beth Givens. "We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our Chronology is only a sampling."
Data breaches of sensitive information, especially Social Security and credit card numbers, make consumers vulnerable to identity theft. According to a 2009 report by Javelin Research & Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter. But even breached data as seemingly innocuous as names and email addresses can be used by fraudsters to trick consumers into revealing information that can lead to identity theft.
Unfortunately, it is virtually impossible for individuals to protect themselves from a data breach. It is up to organizations that collect data on consumers to take the steps to ensure the privacy and security of the data they collect and maintain.
The following half dozen are PRC's top picks for the most significant data breaches in 2011:
1. Sony PlayStation (April 27) – Sony discovered an external intrusion on PlayStation Network (PSN) and its Qriocity music service around April 19. Sony blocked users from playing online games or accessing services like Netflix and Hulu Plus on April 22. The blockage lasted for seven days. Sony believes criminal hacker(s) obtained names, addresses, email addresses, dates of birth, PSN/Qriocity password and login, and online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. Over the course of the next several months, Sony discovered that the hackers gained access to 101.6 million records, including 12 million unencrypted credit card numbers.
The Sony breach highlights the importance of password hygiene. Passwords are frequently the only thing protecting our private information from prying eyes. Many websites that store your personal information require just a user name and password for protection. Password-protected websites are becoming more vulnerable because people often use the same passwords on numerous sites.
2. Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. Email addresses and customer names were affected. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from a growing list of companies, making this the largest security breach ever. Conservative estimates place the number of customer email addresses breached at 50 to 60 million. The number of customer emails exposed may have reached 250 million.



