A Look Back at 2007: Breaches Don't Discriminate
By Carl Banzhof, Chief Technology Evangelist, McAfee Inc.
This year more than 300 security breaches were reported by U.S. companies and government agencies. By far the largest incident was that suffered by Massachusetts-based discount retailer TJX, which first reported in January that some 46 million customer records had been stolen. Recent reports, however, suggest that as many as 100 million TJX records may have fallen into the wrong hands.
Security breaches don’t stop at the U.S. border. Just a few weeks ago the British government admitted to losing two computer discs containing detailed personal information of 25 million citizens, prompting newly appointed Prime Minister Gordon Brown to offer a public apology.
It goes without saying that no one wants to suffer a security breach. In the last issue my colleagues Dave Welsh and Ken Gonzalez mentioned the fear of ending up in Brown’s shoes as a key driver of data loss protection solutions. Added to the public embarrassment is the damage to reputation and customer loyalty, not to mention how expensive it is to fix the problem. A recent study by the U.S.-based Ponemon Institute estimates that data breaches cost nearly $200 per compromised record to implement customer support programs such as information hotlines and credit monitoring subscriptions for victims. These costs can be significant. In August TJX announced that it was allocating $256 million to deal with the loss, and earlier this month it reached an agreement to pay as much as $40.9 million in a settlement with Visa and the bank that processes TJX's credit card payments.
While the post-breach media glare can be uncomfortable at best, the growing attention given to this issue has begun to raise awareness about how widespread the problem has become. Case in point: last month the TV news magazine “60 Minutes” did a feature on how many retail outlets don’t secure their wireless networks (this is how TJX was victimized). When “60 Minutes” covers a technology issue, it has hit a mainstream nerve.
How pervasive are security breaches? According to the Privacy Rights Clearinghouse, a nonprofit privacy advocacy organization, more than 216 million data records of U.S. residents have been exposed due to security breaches since January 2005. The following examples from 2007 demonstrate how breaches now cut across all industries, sectors and geographies.
Online
- Ads linked to 20 popular search terms of a major search engine were found to install a malware program on users' computers to capture personal information and access online accounts for 100 different banks.
- Hackers stole the names, addresses, phone numbers and email addresses of some 1.6 million job seekers at a popular job site.
Brick-and-mortar retailers
- Computer equipment containing files with sensitive information including names, addresses, Social Security numbers, dates of birth, period of employment and salary information of current and former employees and their spouses was stolen from a major luxury retailer, putting 160,000 records at risk.
- A laptop containing personal data of some 10,000 employees of a large home improvement chain was stolen from a regional manager's car in Massachusetts.
Education
- Social Security numbers for more than 10,000 current and former students, faculty and staff at an Ivy League school were compromised following the theft of two university computers.
Healthcare
- A world-renowned hospital in Baltimore, Md. reported the disappearance of nine backup computer tapes containing personal information of employees and patients. Eight of the tapes contained payroll information on 52,000 past and present employees, including Social Security numbers and in some cases bank account numbers. The ninth tape contained "less sensitive" information about 83,000 hospital patients.
Government agencies
- An employee in Alabama reported a portable hard drive stolen or missing that might contain personal information about veterans and physicians—including Social Security numbers. The number of identities put at risk was nearly one million.
Financial Services
- Hackers broke into a database of a large financial institution based in Omaha, Neb. and stole the names, email addresses, phone numbers, and home addresses of more than 6.3 million customers, many of whom then received unwanted spam as a result.
Insurance
- A computer tape containing full names, addresses, phone numbers, Social Security numbers and marital status on 200,000 past and current members of three health insurance programs run by a large West Virginia company was lost while being shipped via United Parcel Service.
Technology
- A worker at one of the subsidiary companies of a large financial services technology company stole customer records containing credit card, bank account and other personal information, affecting 8.5 million records.
Media
- A security hole on the web server of a major broadcast media company exposed sensitive content to the public, including login information that allowed hackers to access names, phone numbers, and e-mail addresses of at least 1.5 million people.
International
- Germany: An online ticket sales office in Hamburg informed its customers that unidentified culprits had stolen credit card numbers and billing addresses. Some 66,000 customers who purchased tickets with a credit card from the site between October 24, 2006 and September 30, 2007 were affected.
- Ireland: A large bank mistakenly sent 15,000 notifications to its customers containing the private bank account details of other individuals. A total of 11,000 customers were affected by the error.
- Japan: A laptop containing names, addresses, birth dates and policy details of 152,000 customers of a global insurance company was stolen from an employee in Tokyo.
- Scotland: A major bank in Scotland sent a woman who asked for her statement the details of 75,000 other customers. She received five packages each containing 500 sheets of 30 customers' names, sort codes and account details.
- United Kingdom: A government office failed to secure a section of its web site, making the personal data of visa applicants visible to other people visiting the site.
Breaches Don’t Discriminate
Some of the above breaches were malicious attacks. Some were lost or stolen laptops and USB devices. Some were employee or contractor error, others employee or contractor theft. What do they all have in common? Together they show how many points of entry there are into the heart of an organization’s most sensitive data—and how easy it can be for that data to fall into the wrong hands.
As 2008 will undoubtedly see more breaches across the board, putting protective technology in place is essential. To be safe you need a comprehensive security risk management strategy that defends your company against breaches from every possible angle—online and offline—from the host to the end point. That means integrated encryption, anti-malware, anti-spyware, host intrusion prevention systems, network intrusion prevention systems, web site auditing and certification, vulnerability management and correlation, and policy and compliance management. Be thorough, and make sure the solutions you choose are backed up by integrated security research. Sensitive data is one of the most important assets of any organization, and you can never be too careful with it.