Digital Transactions Authoritative, insightful and timely information for payments professionals
Data breaches that compromised credit and debit card information were constantly in the news in 2015, but the number of cards affected is way down from the totals for 2014 and 2013, according to a nonprofit that monitors breaches.
The San Diego-based Identity Theft Resource Center reports that as of Dec. 28, some 741,747 payment cards were compromised in 157 breaches this year that involved card records. That’s a drop of nearly 99% from the 65.5 million cards exposed in 138 breaches in 2014. And in 2013, some 46.6 million cards were compromised in 96 breaches.
2013 and 2014 were the years of mega-breaches at retailers, notably Target Corp., whose late-2013 breach compromised 40 million cards, and The Home Depot Inc., whose breach disclosed in 2014 exposed 56 million cards. A string of smaller retailer breaches also occurred, leading to Congressional hearings.
While the number of cards exposed is down, despite a 14% increase in card-related breaches, the same can’t be said for Social Security numbers. The ITRC reports that 173.2 million full or partial Social Security numbers were exposed this year, up nearly 1,000% from 16.4 million in 2014.
Social Security numbers have been stolen in 43% of the 773 breaches tracked by the ITRC this year. They account for 97% of the total 177.9 million records—medical records and other data in addition to payment card and Social Security numbers—the organization says have been compromised.
“Last year was an outlier for credit cards because of the activity that was going on; this year is just the opposite,” says Karen Barney, program director at the ITRC. “This year the big breaches have compromised Socials.”
Fraudsters highly covet full Social Security numbers because, with them, financial accounts in other people’s names can be opened or taken over. Big data breaches that compromised Social Security numbers included two at the federal Office of Personnel Management, which affected about 25 million records, and at health insurer Anthem Inc., which affected 78.8 million customer records.
The ITRC compiles its data from media reports, disclosures to state agencies in the 47 states that require some form of breach notification, and other sources. Barney cautions that information about breaches often remains hidden. In fact, the organization has no data about the number of records compromised in 51% of 2015’s breaches.
In the card realm, the data-breach spotlight shifted from retailers to the hospitality industry in 2015. On Dec. 23, Hyatt Hotels Corp. confirmed that it found malware on its payment-processing system, though the Chicago-based firm didn’t say how many cards may have been compromised. Hyatt joined such prominent hoteliers as Hilton and Starwood, among others, in suffering data breaches in the past year.
Fraudsters using electronic means—hacking into computers, phishing, or skimmers—committed 38% of 2015’s breaches. Employee errors, negligence, or improper disposal of data accounted for nearly 15%, followed by accidental email or Internet disclosures at almost 14%.About 11% each resulted from insider data thefts and physical thefts. Subcontractors and other third parties and associates were involved in 9% of breaches, according to the ITRC.
