Data breach trends in the United States

Author: Robert E. Holtfreter, Adrian Harrington
Position: School of Business, Central Washington University, Ellensburg, WA, USA; Yakima, WA, USA

Purpose – The main purpose of this paper is to analyze the trends of various types of data breaches
and their compromised records in the USA using a new model recently developed by the authors.
Design/methodology/approach – The 2,280 data breaches and over 512 million related
compromised records tracked by the Privacy Rights Clearinghouse from 2005 through 2010 were
analyzed and classified into four external, five internal and one non-traceable data breach categories,
after which trends were determined for each.
Findings – The findings indicate that although the trends for the annual number of data breaches and
each of the internal and external categories and their related compromised records have increased over
the six-year period, the changes have not been consistent from year to year.
Practical implications – Classifying data breaches into internal and external categories with
this new data breach model provides an excellent methodological framework that organizations can
use to develop more workable strategies for safeguarding the personal information of consumers, clients,
employees and other entities.
Originality/value – The topic of data breaches remains salient to profit and nonprofit organizations,
researchers, legislators, as well as criminal justice practitioners and consumer advocate groups.
Keywords Identity theft, Data breach models, Data breaches, Data protection,
Identity Theft Resource Center, Privacy Rights Clearinghouse
Paper type Research paper
On January 15, 2012, Zappos, an online shoe retailer, reported a data breach after
hackers broke into its servers and gained access to the names, email and shipping
addresses, telephone numbers, scrambled passwords and the last four digits of the
credit card numbers of 24 million customers. The company voided the hijacked
passwords and contacted all its US customers with information about the breach,
giving them a link and instructions to create a new password. Because
individuals typically use the same or similar passwords on more than one Web site, the
customers were also instructed to visit those sites and change the passwords (Munsil,
2012). The password hashes were also accessed, which creates a considerable risk if they
were not encrypted with an encryption standard other than the commonly used 56-bit Data
Encryption Standard (DES). The use of DES allows hackers to easily crack and
return the encrypted data to plain text and use it for fraudulent purposes, including
identity theft.
The current issue and full text archive of this journal is available on Emerald Insight at:
Journal of Financial Crime
Vol. 22 No. 2, 2015
©Emerald Group Publishing Limited
DOI 10.1108/JFC-09-2013-0055
Data breaches, often referred to as security breaches, occur when an individual’s
personal information, including name, social security number (SSN), email address,
passwords, debit/credit card, financial account information, medical records, driver’s
license, etc., is compromised and exposed to the risk of unauthorized use, either in paper or
electronic format, for fraudulent purposes including identity theft. Not all data breaches
result in identity theft but many of them do, especially the ones initiated by hackers.
Identity theft occurs when someone who is not authorized to do so uses another
person’s personal information to commit fraud. In the USA, the Federal Trade
Commission (FTC) (Federal Trade Commission, 2012) has tabulated more than 7 million
fraud, identity theft and other complaints from 1997 through 2011 and reported them
annually in its Consumer Sentinel Network Data Book. The complaints are collected
directly from consumers and from a variety of law enforcement and other agencies on a
voluntary basis. During 2011, the Data Book included 279,156 identity theft complaints,
a figure that is highly understated, as the FTC estimates that identity theft occurrences
exceed 10 million per year in the USA. The discrepancy between actual and reported
identity theft data exists because many victims do not report them to the FTC or law
enforcement agencies.
The Zappos data breach mentioned above is just one example of the
thousands of data breaches that have been identified over the past seven years in the
USA. The USA does not stand alone: data breaches have become a plague for individuals and
organizations in every country throughout the world and have been increasing at a
rapid rate.
Data breaches are widespread and have occurred in every type of industry, including
financial, manufacturing, retail/wholesale, telecommunication/media, hospitality
and professional services, as well as other industries including healthcare, government/
military, education, non-profit and others. To give an understanding of how widespread
they are, some examples of actual data breaches for selected industries that have
occurred over the past seven years are described as follows. They are taken from the
Privacy Rights Clearinghouse (PRCH) “Chronology of Data Breaches” document
(Privacy Rights Clearinghouse, 2012).
Business – nance industry
On February 25, 2005, in Charlotte, North Carolina, it was reported that Bank of America
lost computer tapes that included credit card information, Social Security numbers,
account numbers and addresses of 1.2 million customers of whom 900,000 worked for
the Defense Department.
Business – telecommunications/media industry
On May 2, 2005, Iron Mountain, a transport company, reported that backup tapes
holding 600,000 records containing personal information for Time Warner’s current
and former employees were lost or stolen during shipping.
Education industry
On April 26, 2006, a hacker accessed 197,000 records that included names, Social
Security numbers and demographic information of current/prospective students,
alumni, faculty/staff members and corporate recruiters at the University of Texas’s
McCombs School of Business.