ID breaches more common than ever
Our personal information, from addresses to Social Security numbers, is leaked — by hackers and by mistake — more often than we know.
Records with private information such as drivers’ licenses, financial documents and medical forms, either in paper format or electronically, are put at risk more than ever before, and often these risks are not disclosed to the public.
The Identity Theft Resource Center says it tracked 341 individual breaches in the first six months of 2010, compared to 498 for all of last year. But it says dozens more breaches have been veiled from the public, delayed in publication or not disclosed at all.
A separate count by the Privacy Rights Foundation tallied 334 breaches so far this year, compared with 298 for all of last year.
“This is probably just the tip of the iceberg, what we have on our breach list,” said Linda Foley, founder of the Identity Theft Resource Center (ITRC), a nonprofit that provides free help to consumers and promotes the prevention of identity theft. The group has maintained a weekly “breach” list since 2005.
“There are a lot of breaches that are not reaching the public eye,” she said. “They are being dealt with internally.”
So what does the consumer do? If you get a notification letter in the mail saying personal information has been put at risk, don’t panic. It doesn’t necessarily mean you are a victim of identity theft.
“See what information has been potentially, underscore potentially, at risk,” Foley said. “If it’s a credit card, that’s all you need to address. Do not overreact.”
If a Social Security number is involved, put a fraud alert on it and make sure to renew it a few times when the fraud status expires.
“Minimize your exposure as much as you can,” she said.
There’s no agreement on what to do with data breaches. The federal government and each state have different standards and rules about how, when and how much to tell.
Legislative measures to create a national breach list or some sort of unified notification system have bounced around Congress.
Federal law says medical breaches involving more than 500 people must be listed on the Health and Human Services breach list. But a loophole allows medical groups, hospitals and HHS to keep anything off the list if it deems there’s no “risk of harm.”
Some states, including Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia, compile centralized lists of data breaches — but they also have different rules on how much to report and when.
Georgia doesn’t keep a list, but the state is one of many that require businesses and agencies to notify consumers if their information has been exposed. And if it affects more than 10,000 people, credit reporting agencies also must be notified. According to the National Conference of State Legislatures, only Alabama, Kentucky, New Mexico and South Dakota have no security breach law.
“We need a single database that will not only keep consumers aware, but also have the information needed for law enforcement to be looking at trends, at serial breaches from state to state,” Foley said. “We need a systematic approach to this. ... Cybercriminals are taking full advantage of the fact that there is nothing organized.”
In Georgia, ITRC tracked 21 incidents from 2009 through mid-August. They include credit card numbers exposed at an Augusta dollar store and an organized ring from Bulgaria stealing bank card numbers and passwords at Bank of America.
A recent report from Verizon and the U.S. Secret Service found that the three most affected groups are the financial, hospitality and retail industries.
“A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributed to financial services,” the report said.
It’s the third such annual report from Verizon to track cyberleaks and it’s the company’s first joint analysis with the Secret Service, which is the only entity within the Department of Homeland Security with authority to investigate computer fraud.
Congress also directed the agency to create a nationwide network of Electronic Crimes Task Forces. The Verizon report analyzed 141 cases in 2010, representing more than 143 million data records.
“As was the case in our last report,” the report said, “about two-thirds of the breaches covered herein have either not yet been disclosed or never will be.”
Tips to protect your financial identity
Consumers don’t have to feel like their information is at the mercy of corporations and public agencies. Here are a few tips to guard against a data breach:
- Use unique passwords for each website you visit, including shopping sites and online banking sites. This limits any breach to just one website, should thieves obtain access to the password.
- Check your bank or retailer's security measures for online transactions. They should have policies that actively prevent cybercriminals from hacking into account information.
- Always review credit card and bank statements when you receive them. Even a small unexplained charge or withdrawal should raise a red flag, as some thieves steal small amounts over time from thousands of accounts, rather than cleaning out a single account, in hopes of going unnoticed longer.
- Given the choice of using a credit or debit card, opt for the credit card. In general, credit cards offer more protection for consumers. Thieves who get your debit card information can use it to quickly empty your bank accounts.
- If you receive a data breach notification letter, make sure you carefully read what information is vulnerable and note any telephone number that you can call for further information or help.
- If your Social Security number is vulnerable, place a fraud alert with the three major credit bureaus. The alert expires every three months, so be sure to renew it because cybercriminals sometimes will wait before using the information to avoid such alerts.
- If you suspect personal information has been stolen, you can request the three credit bureaus freeze access to your credit files, which will prevent thieves from opening new accounts with your stolen information.
Sources: Verizon, which has security services to guard against cybercrime; The Identity Theft Resource Center.
Check our sources and review recent data breaches for yourself:
- The Identity Theft Resource Center's primer on data breaches and its latest lists: bit.ly/cr9pOg
- Privacy Rights Clearinghouse: www.privacyrights.org/data-breach
- U.S. Department of Health and Human Services list of breaches affecting more than 500 people: bit.ly/bpPjNH
- Patrick Moore, Georgia Technology Authority director, writes in his blog about security breaches: bit.ly/b3zQMy
- 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have laws requiring notification of security breaches involving personal information: bit.ly/d4R05E
- 2010 Data Breach Investigations Report from Verizon and the U.S. Secret Service: bit.ly/bPUpd2
- An archive of notification letters, obtained and maintained by a private volunteer group: datalossdb.org/primary_sources
- Infosecurity Magazine report about costly US breaches: bit.ly/9vNOra

