Personal information leaks reached unprecedented levels last year, according to a variety of studies. They also became popular news stories, with lost personal data being reported what seems like every other week.
So how is personal data lost by organisations? Cases last year included insecure systems, missing (and often unencrypted) discs and lost laptops. Organisations are often reluctant to invest in encryption and information security management systems until they've hit a problem.
The Identity Theft Resource Center reckons more than 79m records were exposed in the US in 2007. The figures represent a 400% increase on the organisation's estimate of 20m lost records in 2006. Attrition.org, meanwhile, estimates that around 162m customer records were compromised worldwide in 2007, compared to 49m lost records in 2006. Increased reporting of breaches as well as greater volumes of data are some of the factors accounting for the rise.
There were many high-profile cases of information security breaches in 2007, including the well-reported TJX case, where the information from some 45m payment cards was stolen by hackers. In the UK, other high-profile cases include the Nationwide Building Society, where the theft of an employee's laptop potentially exposed customer details; the UK government's HMRC, which lost 25m child benefit records on 2 unencrypted CDs; and the DVLA, which lost the details of 3m driving theory test candidates when they went missing in the mail.