Have you been a victim of identity theft? Has someone hacked your credit card number? Don't necessarily blame the hackers.
Corporations and institutions that have lost private information are usually responsible for the loss themselves, according to new research.
In most cases, it's an inside job. Mismanagement of sensitive files, lax security, lost equipment and employee theft are responsible for 60 percent of 589 reported incidents of compromised data between 1980 and 2006.
"Hackers aren't the only culprits," said Phil Howard, assistant professor of communications at the University of Washington.
Howard and Kris Erickson, a doctoral candidate at the university, combed through thousands of news reports over the last 26 years to produce a scathing indictment of companies and universities across the country.
The picture is quite different for corporations and educational institutions. Hackers have zeroed in on colleges and universities, tapping into personal records of students and their families. And they aren't interested in learning about grades.
Universities have much of the same type of information on hand as do financial corporations, like Social Security numbers, dates of birth, income, and all the other bits of info that can be useful to someone wanting to steal someone else's identity.
Hackers are responsible for more than 47 percent of incidents involving stolen records from colleges and universities, compared with 31 percent of all incidents, according to the new study. That suggests hackers have found schools easier picking than companies.
The research shows that at least 1.9 billion records have been exposed over the last 26 years, frequently through incompetence. More than 6 million records are exposed every month. And the rate of theft is climbing, so by the end of this year the total number of records in which somebody in the United States has had some personal bit of information compromised should top 2 billion.
Hackers will be partly to blame, but the researchers say the primary blame belongs to schools and corporate America, and to sloppy controls over data that should remain very, very private.
Unfortunately, no one knows for sure just how much damage all that hemorrhaging of sensitive information will cause.
"We know that identity theft is on the rise, and it makes sense that having more compromised personal records will lead to more identity theft, but in a lot of cases there's no clear connection," Howard said.
That's partly because new state laws that require companies to inform people when their records have been exposed don't require the companies to follow up and determine whether the exposure led to criminal activity, like identity theft, he says.
In the most celebrated case of all, the compromise of millions of records at an Arkansas company in 2003 did not have disastrous consequences.
Daniel Baas, a 24-year-old computer systems administrator, stumbled into a hacker's paradise when he gained access to millions of consumer records at Acxiom Corp., one of the largest companies in the world specializing in acquiring and selling personal financial data.