WIA Report

6 Million Personal Records Compromised Each Month; 2 Billion in Total by December?

The computer hacker is one of the most vilified figures in the digital era, but to what degree are organizations actually responsible for compromised personal records? To examine the role of organizational behavior in privacy violations, we analyze 589 incidents of compromised data between 1980 and 2006.

In the United States, some 1.9 billion records have been exposed, either through poor management or hacker intrusions: about nine personal digital records compromised for every adult. There were more reported incidents in 2005 and 2006 than in the previous 25 years combined, and while businesses have long been the primary organizations hemorrhaging personal records, colleges and universities are increasingly implicated.

Excluding a particularly large security breach at Acxiom, hackers account for the largest volume of compromised records, some 45 percent, while 27 percent of the volume is attributed to organizational mismanagement and 28 percent remains unattributed. But in terms of incidents, 9 percent were an unspecified type of breach, 31 percent of the incidents involved hackers, and 60 percent of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors.

We conducted a search of incidents of electronic data loss reported in major U.S. news media from 1980 to 2006. These included print publications with national circulation such as the New York Times, the L.A. Times, and USA Today, along with major broadcast news media. Because some news reports contained references to more than one incident, we employed a snowball methodology to expand our analysis by including additional security breaches mentioned in the same article. Duplicate entries were eliminated by comparing news stories on the basis of organizations involved, dates, and other incident details. In cases where papers reported different quantities of lost records, we chose the most conservative report. We also consulted lists of electronic data breaches compiled by third-party computer security advisories, such as the Identity Theft Resource Center and Attrition.org. Our method yielded 589 incidents, 550 of which were successfully cross-checked with LexisNexis and ProQuest to ensure accuracy, and 39 of which we discarded for involving citizens of other countries or for being unverifiable in major news media reports.

This paper will be published as:

Erickson, Kris, and Philip N. Howard. “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006.” Journal of Computer Mediated Communication 12, no. 4 (2007).

On average, personal records were compromised at a rate of 5.2 million a month in 2005 and 5.8 million a month in 2006. Assuming a similar rate of growth, by November or December this year we should cross the 2.0 billion mark. This is a conservative estimate because many of the news stories we archived were conservative in their own estimates of how many records were lost in particular incidents, and because a small number of incidents are reported without details of how many personal records were compromised.

View figures and tables of this paper as a *.pdf.

View pre-publication draft of paper as a *.pdf.

View dataset of incidents as a *.xls.

View University of Washington Press office news release on this research.