Theft of personal data triples? I think not…
Byron Acohido of USA TODAY reports:
More than 162 million records have been reported lost or stolen in 2007, triple the 49.7 million that went missing in 2006, according to USA TODAY’s analysis of data losses reported over the past two years.
Well, that is the kind of dramatic statistic sure to get attention. But is it correct? Acohido writes:
Volunteers at Attrition.org keep track of incidents, mostly in the USA, many of which are made public to meet new data-loss-disclosure laws. Of more than 300 cases tracked in 2007, 261 were reported in the USA, 16 in Great Britain, 15 in Canada, six in Japan, two in Australia, and one each in Denmark, Ireland, Sweden and Norway. Security experts consider the database a conservative indicator of the level of cybercrime.
Consider only the U.S. data USA Today used in the analysis. Using Etiolated.org’s web site to search Attrition.org’s database for 2006, Attrition.org reported 326 incidents involving 45,538,298 records. Both the number of incidents and the number of records are presumed to be underestimates for a variety of reasons (including the lack of mandatory notification, a problem that persists in 2007 although some states have now enacted notification laws).
For 2007 to date, Etiolated.org’s search of Attrition.org yields 262 U.S. incidents involving 77,334,196 records. If we use the later revised 94 million figure for TJX, we would have an estimate in the 125 million records vicinity for 2007.
But do the numbers really support a claim that the theft of personal data has tripled this year? I don’t think they do. The TJX incident was revealed in 2007 but actually occurred prior to 2007. If those data were included in revised statistics for 2006 and removed from the 2007 analyses, the data would indicate a huge decrease from 2006 to 2007. Maybe the USA Today headline should have been “Boy, did we underestimate data theft in 2006!”
It is intriguing that Attrition.org actually reports fewer incidents in 2007 than in 2006, despite the fact that there are a few more notification laws on the books and media awareness has increased. Dare we hope that breaches might actually be decreasing? Based on what will probably be more than a 10% decrease in number of incidents reported on Attrition.org for 2007, could the headline have been “Personal data breaches decrease in 2007″? Now wouldn’t that be nice if it were true?
Update of Dec. 11:
And they’re off and running spreading misinformation and fear. KXAN in Texas based the following on the USA Today story:
Identity theft is on the rise. More than 162 million records have been reported lost or stolen in 2007. That’s three times more than the more than 49 million that went missing last year.
Gah….
