Total Number Of Personal Data Records Leaked Since 2005: At Least 358.4 Million
from the lost-but-not-forgotten dept
The Privacy Rights Clearinghouse has put up a pretty interesting chronology of data breaches (via Guardianista) detailing leaks in the US since 2005 that resulted in the loss of people's personal info. They've totaled up the figure over the past five and a bit years, and it's a staggering 358.4 million records lost. Keep in mind that 358.4 million is just a minimum, since there are plenty of leaks that have lost an unknown number of records (like the one from a closed-down Hollywood Video store in Nevada, where customer records were thrown in a dumpster then scattered by the wind). Still, you may be thinking that you don't hear about record-breaking data breaches much these days, but that's not because they've stopped -- it's just that they happen so often, they're really not all that newsworthy any more. A lot of lip service gets paid to clamping down on fraud, but it really doesn't seem like much goes on to stop data leaks, since the penalties for the leaks are toothless and are cheaper than any real prevention.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data breaches, personal data
Reader Comments
Subscribe: RSS
View by: Time | Thread
Wait...
Aren't there only slightly over 300 million people in the US right now?
I wonder how many people that would mean have had their data leaked on multiple occasions....
Poor guys.
[ link to this | view in chronology ]
Re: Wait...
[ link to this | view in chronology ]
Re: Wait...
A single data record leak could be as simple as name and e-mail. Given the number of relationships that consumers have online, 350 million breaches could be on the order of only 1 out of 100 data records.
[ link to this | view in chronology ]
But when it comes to personal information, we want there to be liability for people who don't secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers.
Got it.
[ link to this | view in chronology ]
Re:
"So the traditional argument around here is that trying to secure information is a pretty useless task, since hackers will always get it if they want it..."
Yes - but this is personal details, not music... there is a difference - apples and oranges my friend.
"We should also never hold people accountable for the actions of others."
I agree - surprising to hear you support this for a change!
"But when it comes to personal information, we want there to be liability for people who don't secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers."
Hmmm... you do recognise they are employed to protect the data.. and/or regulated to do so. They are punished for failing to meet their own responsabilities/accountabilities (or at least for not making a creditable effort to do so).
[ link to this | view in chronology ]
Re: Re:
Both are infinite goods with nonzero value.
Hmmm... you do recognise they are employed to protect the data.. and/or regulated to do so.
So my neighbor asks me to hold on to his chainsaw for a couple days and I put it in my garage, which is locked with ordinary locks. During the night, a burglar comes, picks the locks, and steals the chainsaw. That's my fault?
You want to make website owners the police, now? Checking every single access to their site to see if it MIGHT be malicious? These sites get THOUSANDS of hits a day. Can you imagine how innovation would be impeded if you made someone go through each and every bit going to and from their server to see if it's something nefarious?
[ link to this | view in chronology ]
Re: Re: Re:
With the chainsaw... not. Provided you took reasonable steps (had decent quality locks) and perhaps insurance.... does anyone get paid if their private data is stolen???
Never did I say that. They must keep privite data securely. If breached they must report it. Nice strawman.
If they dont use protection/security, dont report a breach they are liably at law. They are responsible to take reasonable steps to protect the data... if you borrow a chainsaw you are responsible to guard it or replace the loss.
My point is not to pick statement by statement... but to point out your point was conflating two non-related situations. Feel free to correct my point... even point by point :)
[ link to this | view in chronology ]
Re: Re: Re:
One of the largest leaks (TJX) failed to use ordinary security measures (locks).
Analogy fail
[ link to this | view in chronology ]
Re:
Uh, no. That's not the "traditional argument" around here at all. Not sure where you read that, but it was not this site.
We should also never hold people accountable for the actions of others.
Indeed.
But when it comes to personal information, we want there to be liability for people who don't secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers.
No. Reading comprehension fail. In this case, we're talking about companies who have a legal responsibility to protect information, who are not living up to that responsibility. Thus, the legal liability falls on them reasonably.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
The largest unreported one...
That article was the proverbial shit hitting the fan, causing me to pull all my online accounts back and wipe all data online, switch from MS to Linux and encrupt every HDD I ever use. Paranoid much? Essentially I don't trust a router my information passes through, so damned if I'll ever use an account ever again.
[ link to this | view in chronology ]
Re: The largest unreported one...
[ link to this | view in chronology ]
Re: Re: The largest unreported one...
[ link to this | view in chronology ]
Perhaps you haven't heard of the new Massachusetts law -- it's a lot of things (the word misguided comes to mind) but certainly not toothless!
[ link to this | view in chronology ]
The problem
1. Lock everyone's credit access until owner has given permission. The permission would be a 2-factor authenication system such as an RSA crypto key and/or a password. (Good luck Grandma!) Yeah education will be required.
2. Don't tie Social Security Number to anything but putting money away for Social Security. i.e. banks, IRS cannot use it, other than when people are retiring (access) and when they are hired/fired (read only.)
3. No exceptions. If you allow exceptions you allow breach capability. Sadly, this brings into play a "national ID card" which everyone would freak out about anyway.
This would cause massive upheaval in so many financial systems, that it would be very costly, which is why nothing is being done.
So insecure we shall all remain.
[ link to this | view in chronology ]
privacy violation
Another analogy is to the use of ATMs. Some bright person in the banking industry thought it would be a good idea to stock machines with a bunch of money and put them in all kinds of sketchy locations, 24/7. When the crime of robbing people when they took out money became popular, banks blamed the victim. Be more careful, don't use ATMs in bad neighborhoods. Somehow they figured out that they had liability so they improved the lighting and cut the shrubbery around ATMs, and most importantly added video cameras. By taking seriously their responsibility for security around ATMs they eliminated the negative externality of those robberies. Making data theft unattractive at the source via heavy fines, would lead those who traffic in personal information to find creative solutions to the problem of data theft.
[ link to this | view in chronology ]