Total Number Of Personal Data Records Leaked Since 2005: At Least 358.4 Million
from the lost-but-not-forgotten dept
The Privacy Rights Clearinghouse has put up a pretty interesting chronology of data breaches (via Guardianista) detailing leaks in the US since 2005 that resulted in the loss of people’s personal info. They’ve totaled up the figure over the past five and a bit years, and it’s a staggering 358.4 million records lost. Keep in mind that 358.4 million is just a minimum, since there are plenty of leaks that have lost an unknown number of records (like the one from a closed-down Hollywood Video store in Nevada, where customer records were thrown in a dumpster then scattered by the wind). Still, you may be thinking that you don’t hear about record-breaking data breaches much these days, but that’s not because they’ve stopped — it’s just that they happen so often, they’re really not all that newsworthy any more. A lot of lip service gets paid to clamping down on fraud, but it really doesn’t seem like much goes on to stop data leaks, since the penalties for the leaks are toothless and are cheaper than any real prevention.
Filed Under: data breaches, personal data
Comments on “Total Number Of Personal Data Records Leaked Since 2005: At Least 358.4 Million”
Wait...
358.4 million? Really?
Aren’t there only slightly over 300 million people in the US right now?
I wonder how many people that would mean have had their data leaked on multiple occasions….
Poor guys.
Re: Wait...
Or it could be only one person, whose data was leaked 358.4 million times.
Re: Wait...
The 358 million number was for personal data records, not people. How many different services, utilities, institutions, companies, organizations and websites does the average consumer sign up with? Anywhere from 20-100, wouldn’t you say?
A single data record leak could be as simple as name and e-mail. Given the number of relationships that consumers have online, 350 million breaches could be on the order of only 1 out of 100 data records.
So the traditional argument around here is that trying to secure information is a pretty useless task, since hackers will always get it if they want it – and as such, we should just stop trying. We should also never hold people accountable for the actions of others.
But when it comes to personal information, we want there to be liability for people who don’t secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers.
Got it.
Re: Re:
Trollbait much?
“So the traditional argument around here is that trying to secure information is a pretty useless task, since hackers will always get it if they want it…”
Yes – but this is personal details, not music… there is a difference – apples and oranges my friend.
“We should also never hold people accountable for the actions of others.”
I agree – surprising to hear you support this for a change!
“But when it comes to personal information, we want there to be liability for people who don’t secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers.”
Hmmm… you do recognise they are employed to protect the data… and/or regulated to do so. They are punished for failing to meet their own responsibilities/accountabilities (or at least for not making a creditable effort to do so).
Re: Re: Re:
Yes – but this is personal details, not music… there is a difference – apples and oranges my friend.
Both are infinite goods with nonzero value.
Hmmm… you do recognise they are employed to protect the data.. and/or regulated to do so.
So my neighbor asks me to hold on to his chainsaw for a couple days and I put it in my garage, which is locked with ordinary locks. During the night, a burglar comes, picks the locks, and steals the chainsaw. That’s my fault?
You want to make website owners the police, now? Checking every single access to their site to see if it MIGHT be malicious? These sites get THOUSANDS of hits a day. Can you imagine how innovation would be impeded if you made someone go through each and every bit going to and from their server to see if it’s something nefarious?
Re: Re: Re: Re:
But the one infinite good is legally required to be protected… the other one has optional legal protection. The one infinite good is directly related to identity… the other (optionally) to profit. Both are stored as a string of ones and zeros… they are still not the same.
With the chainsaw… not. Provided you took reasonable steps (had decent quality locks) and perhaps insurance…. does anyone get paid if their private data is stolen???
Never did I say that. They must keep private data securely. If breached they must report it. Nice strawman.
If they don’t use protection/security, don’t report a breach, they are liable at law. They are responsible to take reasonable steps to protect the data… if you borrow a chainsaw you are responsible to guard it or replace the loss.
My point is not to pick statement by statement… but to point out your point was conflating two non-related situations. Feel free to correct my point… even point by point 🙂
Re: Re: Re: Re:
In your analogy, the neighbor used ordinary locks.
One of the largest leaks (TJX) failed to use ordinary security measures (locks).
Analogy fail
Re: Re:
So the traditional argument around here is that trying to secure information is a pretty useless task, since hackers will always get it if they want it – and as such, we should just stop trying
Uh, no. That’s not the “traditional argument” around here at all. Not sure where you read that, but it was not this site.
We should also never hold people accountable for the actions of others.
Indeed.
But when it comes to personal information, we want there to be liability for people who don’t secure it against hackers and we want to hold those people accountable instead of (or in addition to) the hackers.
No. Reading comprehension fail. In this case, we’re talking about companies who have a legal responsibility to protect information, who are not living up to that responsibility. Thus, the legal liability falls on them reasonably.
Re: Re: Re:
He hasn’t failed reading comprehension. He just bunked the exam.
The largest unreported one...
was Google getting rooted and two dozen companies refusing to tell us what/how they were breached
That article was the proverbial shit hitting the fan, causing me to pull all my online accounts back and wipe all data online, switch from MS to Linux and encrypt every HDD I ever use. Paranoid much?
Essentially I don’t trust a router my information passes through, so damned if I’ll ever use an account ever again.
Re: The largest unreported one...
Wrap yourself in tin foil, make sure to remove all the wires from your house, cover the windows, and never, ever go outside without a disguise. The secret black helicopters are following you.
Re: Re: The largest unreported one...
The ones who survive will be the paranoid ones.
“…since the penalties for the leaks are toothless and are cheaper than any real prevention.”
Perhaps you haven’t heard of the new Massachusetts law — it’s a lot of things (the word misguided comes to mind) but certainly not toothless!
The problem
The problem stems from a 9-digit un-obfuscated number that is too powerful. A very simple solution to privacy violations would be the following:
1. Lock everyone’s credit access until the owner has given permission. The permission would be a 2-factor authentication system such as an RSA crypto key and/or a password. (Good luck Grandma!) Yeah, education will be required.
2. Don’t tie Social Security Number to anything but putting money away for Social Security. i.e. banks, IRS cannot use it, other than when people are retiring (access) and when they are hired/fired (read only.)
3. No exceptions. If you allow exceptions you allow breach capability. Sadly, this brings into play a “national ID card” which everyone would freak out about anyway.
This would cause massive upheaval in so many financial systems, that it would be very costly, which is why nothing is being done.
So insecure we shall all remain.
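As an added illustration of step 1 of that proposal, the following Python is not the commenter’s code nor any credit bureau’s system; it is a hypothetical `CreditFile` model in which the record is frozen by default and a lender inquiry succeeds only inside a window the owner opened with two factors: a PBKDF2-hashed password and an RFC 6238 TOTP code (standing in for the “RSA crypto key”). The TOTP seed, owner name, lender name and timestamps are constructed for the example; the TOTP/HOTP routines are written out from the RFCs so the block runs offline, but production code should use a vetted library.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 HOTP / RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits.
STEP = 30
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP over the current 30-second time step."""
    return hotp(secret, now // STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class CreditFile:
    """Hypothetical credit record: locked unless the owner has opened a time-boxed window."""

    def __init__(self, owner: str, password: str, totp_secret: bytes):
        self.owner = owner
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1   # replay protection: a TOTP step is accepted once
        self.grant_expires = 0   # epoch seconds; 0 means no window is open

    def unlock(self, password: str, code: str, now: int, duration: int = 900) -> bool:
        """Both factors must pass; on success a window of `duration` seconds opens."""
        # Factor 1: password, compared in constant time on the PBKDF2 output.
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            return False
        # Factor 2: TOTP within +/-1 step of `now`, never reusing an earlier step.
        current = now // STEP
        for counter in (current - 1, current, current + 1):
            expected = hotp(self.totp_secret, counter).encode()
            if counter > self.last_counter and hmac.compare_digest(expected, str(code).encode()):
                self.last_counter = counter
                self.grant_expires = now + duration
                return True
        return False

    def lender_query(self, lender: str, now: int) -> dict:
        """A credit inquiry is served only while an owner-granted window is open."""
        if now >= self.grant_expires:
            return {"status": "denied", "reason": "file locked; owner has not granted access"}
        return {"status": "ok", "owner": self.owner, "lender": lender}


def demo() -> list:
    """Walk the lock through the cases a practitioner would test; all inputs are constructed."""
    secret = b"constructed-example-seed"   # constructed; real seeds come from os.urandom
    pw = "correct horse battery"
    cf = CreditFile("Jane Doe", pw, secret)
    t = 1_700_000_000
    # Pick a 6-digit code guaranteed not to match any step in the +/-1 window.
    valid = {totp(secret, t - STEP), totp(secret, t), totp(secret, t + STEP)}
    bad = next(str(i).zfill(DIGITS) for i in range(10 ** DIGITS) if str(i).zfill(DIGITS) not in valid)
    results = []
    results.append(cf.lender_query("Acme Bank", t)["status"])      # locked by default
    results.append(cf.unlock("wrong password", totp(secret, t), t))  # factor 1 fails
    results.append(cf.unlock(pw, bad, t))                            # factor 2 fails
    results.append(cf.unlock(pw, totp(secret, t), t))                # both factors pass
    results.append(cf.lender_query("Acme Bank", t + 60)["status"])   # inside the window
    results.append(cf.unlock(pw, totp(secret, t), t + 5))            # replayed code rejected
    results.append(cf.lender_query("Acme Bank", t + 901)["status"])  # window expired
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes that the comment’s prose does not: the lender never sees the owner’s secrets, the grant is time-limited and per-step codes cannot be replayed, so leaking the credit file’s identifier alone buys an attacker nothing without also holding both factors.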
privacy violation
One useful way to understand this problem is as a negative externality. Just as a paper mill pollutes a river as a negative by-product of its production process, the credit industry, by granting easy credit and failing to secure customer data, has made identity fraud an attractive crime to the detriment of the public. To make matters worse, the credit industry blames the individual – shred your personal documents, be careful about revealing your personal information, etc. According to the economist Ronald Coase, a negative externality should be dealt with if the cost of doing so is less than the cost of the negative externality itself, and it should be done in the least-cost way. Clean up the river or stop polluting it in the first place? My choice for the credit industry is to make data breaches so costly through fines that they have to remove the structural causes.
Another analogy is to the use of ATMs. Some bright person in the banking industry thought it would be a good idea to stock machines with a bunch of money and put them in all kinds of sketchy locations, 24/7. When the crime of robbing people when they took out money became popular, banks blamed the victim. Be more careful, don’t use ATMs in bad neighborhoods. Somehow they figured out that they had liability so they improved the lighting and cut the shrubbery around ATMs, and most importantly added video cameras. By taking seriously their responsibility for security around ATMs they eliminated the negative externality of those robberies. Making data theft unattractive at the source via heavy fines, would lead those who traffic in personal information to find creative solutions to the problem of data theft.