"My guess is that it will be worse," said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, a San Diego-based nonprofit organization that tracks data breaches. More than 67 million records containing sensitive information on customers and employees were put at risk for fraud through theft, improper disposal or just lax security in the United States last year, according to Privacy Rights Clearinghouse.
The organization has not yet finalized its data breach count, but it's clear 2007 will go on record as the worst 12 months since it began tracking incidents following the ChoicePoint debacle in 2005. (ChoicePoint Inc., a national provider of identification and credential verification, was the victim of criminals posing as legitimate businesses who obtained personal information on some 140,000 of ChoicePoint's consumers.) And, added Stephens, retailers that discovered breaches late last year may choose to wait until after the holidays to disclose them, as TJX Cos. Inc. did in January 2007, when it revealed that up to 45.7 million customer accounts were put at risk.
One industry source said another major retailer, which he declined to identify, is currently dealing with a significant data breach and had not yet announced it.
"I am pessimistic because 85 percent of all retail locations are not secure," said one retail chief information officer, who requested anonymity.
Stephens said a growing vulnerability he's observed involves credit and debit card swipe terminals at the cash register, which can be easily removed, modified and returned to transact business without anyone noticing, all the while capturing PINs, or personal identification numbers, for data thieves. The technique is called "skimming," and while it does not constitute an intrusion into a retailer's central database, it does yield data that can be sold for identity theft, often to organized crime outfits overseas.
Another growing threat to data security is increased use of mobile devices like memory sticks, laptops, cell phones and personal data assistants, according to a survey by Ponemon Institute released last month.
Although 87 percent of technology employees surveyed said they know company policy prohibits copying data to a memory stick, 51 percent of them admit doing it anyway. Some 39 percent of respondents said they lost a mobile device containing corporate data and most — 72 percent — failed to report it immediately.