Theft of personal data more than triples this year

December 10, 2007 14:42 GMT+01

SEATTLE — Thieves are systematically pilfering sensitive personal data from companies, government agencies, colleges and hospitals like never before.

More than 162 million records have been reported lost or stolen in 2007, triple the 49.7 million that went missing in 2006, according to USA TODAY's analysis of data losses reported over the past two years.

This year, news stories have been written about data losses disclosed by 98 companies, 85 schools, 80 government agencies and 39 hospitals and clinics, according to a database at tech security website Attrition.org.   Arrests or prosecutions have been reported in just 19 cases.

Volunteers at Attrition.org keep track of incidents, mostly in the USA, many of which are made public to meet new data-loss-disclosure laws. Of more than 300 cases tracked in 2007, 261 were reported in the USA, 16 in Great Britain, 15 in Canada, six in Japan, two in Australia, and one each in Denmark, Ireland, Sweden and Norway. Security experts consider the database a conservative indicator of the level of cybercrime.

Names, birth dates, account numbers and Social Security numbers have become like gold in the cybercrime underground. Meanwhile, organizations expose rich veins of such data as they convert paper documents into digital records. Business data worldwide are expected to swell to 988 billion gigabytes by 2010, up from 161 billion gigabytes in 2006, says researcher IDC.

As they "cram more and more data into a single place," companies and agencies present thieves with more opportunities for a big score, says Benjamin Jun, vice president of technology at Cryptography Research.

Thieves are cashing in:

•Databases, PCs, websites. In 87 cases this year, thieves cracked their way into organizations' databases. In other cases, they absconded with 63 laptops and 28 desktop computers and hacked into 54 websites.

•Portable storage. In 70 cases — including the loss of 25 million records reported last week by the British revenues and customs office — data went missing on disks, tapes, thumb drives and other portable storage media crammed with information.

Lurking data thieves aren't always on the minds of harried employees who take projects home or on the road. Some 63% say they e-mail work documents to personal e-mail accounts, according to a survey by security firm RSA, the security division of EMC; 35% said they felt compelled to bend company security rules to get their jobs done.

Organized-crime rings are on the lookout for unattended laptop computers, mail that contains disks or tapes and employees susceptible to bribery, says John Watters, CEO of security firm iSight Partners. "They're looking for the weak link," he says, "and aiming their resources at it."