Total Number Of Personal Data Records Leaked Since 2005: At Least 358.4 Million

from the lost-but-not-forgotten dept

The Privacy Rights Clearinghouse has put up a pretty interesting chronology of data breaches (via Guardianista) detailing leaks in the US since 2005 that resulted in the loss of people's personal info. They've totaled up the figure over the past five and a bit years, and it's a staggering 358.4 million records lost. Keep in mind that 358.4 million is just a minimum, since there are plenty of leaks that have lost an unknown number of records (like the one from a closed-down Hollywood Video store in Nevada, where customer records were thrown in a dumpster then scattered by the wind). Still, you may be thinking that you don't hear about record-breaking data breaches much these days, but that's not because they've stopped -- it's just that they happen so often, they're really not all that newsworthy any more. A lot of lip service gets paid to clamping down on fraud, but it really doesn't seem like much goes on to stop data leaks, since the penalties for the leaks are toothless and are cheaper than any real prevention.

Filed Under: data breaches, personal data


Reader Comments

  • Tyler, 26 Apr 2010 @ 8:50pm

    Wait...

    358.4 million? Really?
    Aren't there only slightly over 300 million people in the US right now?

    I wonder how many people that would mean have had their data leaked on multiple occasions....

    Poor guys.

    • Bob, 27 Apr 2010 @ 9:29am

      Re: Wait...

      Or it could be only one person, whose data was leaked 358.4 million times.

    • Tahoe Blue, 27 Apr 2010 @ 10:52am

      Re: Wait...

      The 358 million number was for personal data records, not people. How many different services, utilities, institutions, companies, organizations and websites does the average consumer sign up with? Anywhere from 20-100, wouldn't you say?

      A single data record leak could be as simple as name and e-mail. Given the number of relationships that consumers have online, 350 million breaches could be on the order of only 1 out of 100 data records.

  • Anonymous Coward, 26 Apr 2010 @ 9:22pm

    So the traditional argument around here is that trying to secure information is a pretty useless task, since hackers will always get it if they want it - and as such, we should just stop trying. We should also never hold people accountable for the actions of others.

    But when it comes to personal information, we want there to be liability for people who don't secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers.

    Got it.

    • MadderMak, 26 Apr 2010 @ 10:54pm

      Re:

      Trollbait much?

      "So the traditional argument around here is that trying to secure information is a pretty useless task, since hackers will always get it if they want it..."

      Yes - but this is personal details, not music... there is a difference - apples and oranges my friend.

      "We should also never hold people accountable for the actions of others."

      I agree - surprising to hear you support this for a change!

      "But when it comes to personal information, we want there to be liability for people who don't secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers."

      Hmmm... you do recognise they are employed to protect the data.. and/or regulated to do so. They are punished for failing to meet their own responsibilities/accountabilities (or at least for not making a creditable effort to do so).

      • Anonymous Coward, 26 Apr 2010 @ 11:17pm

        Re: Re:

        Yes - but this is personal details, not music... there is a difference - apples and oranges my friend.

        Both are infinite goods with nonzero value.

        Hmmm... you do recognise they are employed to protect the data.. and/or regulated to do so.

        So my neighbor asks me to hold on to his chainsaw for a couple days and I put it in my garage, which is locked with ordinary locks. During the night, a burglar comes, picks the locks, and steals the chainsaw. That's my fault?

        You want to make website owners the police, now? Checking every single access to their site to see if it MIGHT be malicious? These sites get THOUSANDS of hits a day. Can you imagine how innovation would be impeded if you made someone go through each and every bit going to and from their server to see if it's something nefarious?

        • MadderMak, 26 Apr 2010 @ 11:35pm

          Re: Re: Re:

          But the one infinite good is legally required to be protected... the other one has optional legal protection. The one infinite good is directly related to identity... the other (optionally) to profit. Both are stored as a string of ones and zeros... they are still not the same.

          With the chainsaw... not. Provided you took reasonable steps (had decent quality locks) and perhaps insurance.... does anyone get paid if their private data is stolen???

          Never did I say that. They must keep private data securely. If breached they must report it. Nice strawman.

          If they don't use protection/security, don't report a breach they are liable at law. They are responsible to take reasonable steps to protect the data... if you borrow a chainsaw you are responsible to guard it or replace the loss.

          My point is not to pick statement by statement... but to point out your point was conflating two non-related situations. Feel free to correct my point... even point by point :)

        • Bad Analogy Guy, 27 Apr 2010 @ 5:09am

          Re: Re: Re:

          In your analogy, the neighbor used ordinary locks.
          One of the largest leaks (TJX) failed to use ordinary security measures (locks).

          Analogy fail

    • Mike Masnick, 27 Apr 2010 @ 12:08am

      Re:

      So the traditional argument around here is that trying to secure information is a pretty useless task, since hackers will always get it if they want it - and as such, we should just stop trying

      Uh, no. That's not the "traditional argument" around here at all. Not sure where you read that, but it was not this site.

      We should also never hold people accountable for the actions of others.

      Indeed.

      But when it comes to personal information, we want there to be liability for people who don't secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers.

      No. Reading comprehension fail. In this case, we're talking about companies who have a legal responsibility to protect information, who are not living up to that responsibility. Thus, the legal liability falls on them reasonably.

  • indy P, 26 Apr 2010 @ 10:18pm

    The largest unreported one...

    was Google getting rooted and two dozen companies refusing to tell us what/how they were breached

    That article was the proverbial shit hitting the fan, causing me to pull all my online accounts back and wipe all data online, switch from MS to Linux and encrypt every HDD I ever use. Paranoid much? Essentially I don't trust a router my information passes through, so damned if I'll ever use an account ever again.

    • Anonymous Coward, 27 Apr 2010 @ 6:52am

      Re: The largest unreported one...

      wrap yourself in tin foil, make sure to remove all the wires from your house cover the windows, and never, ever go outside without a disguise. the secret black helicopters are following you.

  • Dean Landolt, 27 Apr 2010 @ 10:04am

    "...since the penalties for the leaks are toothless and are cheaper than any real prevention."

    Perhaps you haven't heard of the new Massachusetts law -- it's a lot of things (the word misguided comes to mind) but certainly not toothless!

  • Anon Y, 27 Apr 2010 @ 10:56am

    The problem

    The problem stems from a 9-digit un-obfuscated number that is too powerful. A very simple solution to privacy violations would be the following:

    1. Lock everyone's credit access until owner has given permission. The permission would be a 2-factor authentication system such as an RSA crypto key and/or a password. (Good luck Grandma!) Yeah education will be required.
    2. Don't tie Social Security Number to anything but putting money away for Social Security. i.e. banks, IRS cannot use it, other than when people are retiring (access) and when they are hired/fired (read only.)
    3. No exceptions. If you allow exceptions you allow breach capability. Sadly, this brings into play a "national ID card" which everyone would freak out about anyway.

    This would cause massive upheaval in so many financial systems, that it would be very costly, which is why nothing is being done.

    So insecure we shall all remain.

  • mariovistus, 27 Apr 2010 @ 9:08pm

    privacy violation

    One useful way to understand this problem is as a negative externality. Just as a paper mill pollutes a river as a negative by-product of its production process, the credit industry by granting easy credit and failing to secure customer data has made identity fraud an attractive crime to the detriment of the public. To make matters worse, the credit industry blames the individual - shred your personal documents, be careful about revealing your personal information, etc. According to the economist Ronald Coase, a negative externality should be dealt with if the cost of doing so is less than the cost of the negative externality itself and it should be done in the least cost way. Clean up the river or stop polluting it in the first place? My choice for the credit industry is to make data breaches so costly through fines that they have to remove the structural causes.

    Another analogy is to the use of ATMs. Some bright person in the banking industry thought it would be a good idea to stock machines with a bunch of money and put them in all kinds of sketchy locations, 24/7. When the crime of robbing people when they took out money became popular, banks blamed the victim. Be more careful, don't use ATMs in bad neighborhoods. Somehow they figured out that they had liability so they improved the lighting and cut the shrubbery around ATMs, and most importantly added video cameras. By taking seriously their responsibility for security around ATMs they eliminated the negative externality of those robberies. Making data theft unattractive at the source via heavy fines, would lead those who traffic in personal information to find creative solutions to the problem of data theft.
