When you hear a number like "94 million" in the news, it's usually because somebody won the lottery. This time around, no such luck. This 94 million is the number of Americans' files in which personal information has been exposed, since 2009, to potential identity theft through data breaches at government agencies. Go ahead, count the zeroes: 94,000,000. That's like releasing the personal data of every man, woman and child in California, Texas, New York, and Ohio.
Believe it or not, this number -- which was just revealed in the latest report from tech security firm Rapid7 -- is only the most conservative estimate. When you take into account the difference between reported data breaches, which is what this report measures, and actual incidents, you are talking about a much, much bigger number. As bad as the numbers are, it gets worse. Much worse. Indeed, the biggest threat doesn't come from smart hackers -- it comes from dumb politicians and bureaucrats.
First, let's consider the scope: The newly released Rapid7 report is based on the list of data breaches compiled by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group (and remember, we're only talking about the last three years). According to Rapid7's analysis, government agencies at the local, state and federal level are becoming infinitely more proficient at exposing our personal data, putting more and more of it at risk with each passing year. Government agencies reported that they exposed 1.5 million records containing personally identifiable information (you know, the sensitive stuff: your name, your address, your phone number...) in all of 2010. The following year that total more than doubled, to 4 million.
So far this year, government agencies have more than doubled their totals from last year, reaching 9.6 million in just the first five months of 2012. Who knows where we'll be by the end of the year -- or how many innocent people will be exposed to fraud and identity theft due to the negligence of government employees or third-party vendors?
And remember, these are just the breaches we know about. In some states, government agencies are not legally required to publicly report data breaches, or to notify potential victims that their personal information has been exposed. To take one little-known example, local governments in California are exempted from that state's breach notification law -- "a big exception, in my opinion," as Clearinghouse founder and director Beth Givens told us, since local governments "compile a great deal of personal information." Furthermore, out of 268 breach incidents reported since 2009, 67 of the public agencies responsible (and I use that term loosely) couldn't even figure out how many records were lost. That fact alone will tell anyone with basic math skills and a lick of common sense that this epidemic is much worse than we know.
What's even more astonishing than the total number of personal records breached is how the databases were compromised in the first place. Despite what news reports, urban legend, and simple logic might lead you to believe, sophisticated, premeditated attacks by hackers accounted for only 40 breaches since 2009, a mere 15 percent of the total.