By the numbers: A dismal year for data breaches

With the Privacy Data Clearinghouse reporting that the number of data records lost has surpassed the 100 million mark, you’d think the organizations that hold our data would be shamed into better security practices.

Not quite. Preventing data breaches isn't impossible. Making companies care is impossible. I've proposed stiffer penalties, created a hall of shame and cooked up all sorts of ways to prod companies to protect our data better--all to no avail. Bottom line: It's cheap to be a data pack rat so companies just collect it without any concern over the security risks.

With that glass-half-empty backdrop, here's a look at the year in data breaches. The data comes from, which provides its data breach database to anyone that wants to download it. Data is through Dec. 17.

327: Number of data breach events in 2006. That's up from 136 in 2005.

112: Entities with data breaches that were considered businesses by

81: Number of educational organizations with data breaches.

98: Number of government entities (state, local, federal) hit with data breaches.

36: Number of medical institutions with breaches.

22: Number of repeat offenders in 2006. Note that sum could be higher depending on how you count repeaters. For instance, I didn't count Georgetown University and Georgetown University Hospital as one entity.  

129: Number of data losses due to stolen property such as laptops.

220: Number of data losses that were the result of outside actions compared to 104 that were inside issues. The remainder was unknown.

3: Number of confirmed consumer lawsuits as a result of a data breach.

12: Cases where data was partially or fully recovered.

  • 100M? Hardly

    And the problem with most of these numbers is that they only go back to 2005 - with only a few cases the four years prior to that.

    The Web has been in existence since 1989; e-commerce really started to take off in 1996 - a full decade ago. I'd venture that there have been far more breaches of personal data than a mere 100M.

    The first laptops came about in the mid 1980s - over two decades ago. I'm sure they were being stolen with personal data almost as long. Credit cards have been in existence since the late 1950s - I'm sure dumpster diving and insider threats were a problem back then as well.

    Don't get me started on paper recycling and shredders.

    At what point do we start the data loss record counter?
    • Funny you should mention that

      Indeed, this isn't new. What is new is that these things are being disclosed more--thank the state of California for that. The Attrition data goes back to 2000 or so, but it's spotty. That's why I just stuck with the 06 and 05 items--that's where the big effect of disclosure laws kicked in.

      Given that companies didn't have to disclose squat on this topic before the counter began in 04-05 not because nothing happened before then, but that's when the stat tracking started.
      Larry Dignan
  • Have you sent the info to

    the appropriate Congress people?
  • No corporate shame

    "you'd think the organizations that hold our data would be shamed into better security practices."

    They won't be shamed into anything, corporations have no shame. But they might be fined into compliance. With fines that double if they don't report the breach in a timely fashion.
  • 100M may only be the tip of the iceberg.

    Can you imagine if they added the records stolen from breaches that were not reported? Many companies are either too embarrassed, scared, or greedy for shareholder money to report such thefts. If there was a way to count those thefts, that number may close on one billion.
    Mr. Roboto
  • There's STILL Only One Answer

    Your readers are probably tired of hearing my sermons on the ONLY way to protect our names and private information, but it will continue until I get through to them. We must give consumers control over this sensitive data, and, at the same time pay them when it is sold. In both cases, it is their right. Your article confirms that business only looks at the bottom line, and government has now embarked on a data collection frenzy. Big Brother is just around the corner.

    Read more in my blog, "The Dunning Letter" at:

    Jack E. Dunning
    Cave Creek, AZ
    Nasty Jack
  • Hosted/Outsourced: Better or Worse?

    I'm very curious to hear how many of the 112 businesses that had data breaches last year were holding on to that data for someone else. I would think very few.

    One would think, following basic economic and business principles (such as competitive advantage and core competency), that the much smaller number of specialist companies - with typically much higher levels of security expertise - that are hosting data for others are likely to do a much better job of securing that data than the myriad of organizations whose core competency has nothing to do with IT whatsoever and who are going to be struggling to keep up with technology issues all across the spectrum, let alone something as complex as data security. I would think that since their entire livelihood depends on securing data, that datacenter hosts, SaaS providers and the like would do much better, and the rest of us should be off-loading this hairy task to these specialists. I mean, how many of us hire, train and manage our own human security guards? None. We hire security firms because they will do it so much better (and cheaper) than we do.

    So the question is: are hosting providers in fact doing a better job?