Friday, October 14, 2005

US

ONE IN SIX PEOPLE'S PRIVATE PERSONAL DATA MAY HAVE BEEN COMPROMISED SINCE FEBRUARY

Security Park - One in six people's private personal data may have been compromised

Data collected by the US consumer organisation Privacy Rights Clearinghouse reveals that, since February, more than 50 million Americans may have had their personal information compromised. Causes include hacking, dishonest employees, stolen computers and lost backup tapes.

Up to 10 million people in the UK may have had private personal data compromised this year alone if a pattern of loss similar to the United States has been repeated elsewhere, security experts revealed today.

Worse still, in the UK – unlike some US states – there is no legal obligation for companies to disclose personal information losses. Individuals have no way of knowing if they may now be vulnerable to identity theft; the only way to find out is if something happens to them. In 2004, just 120,000 detected identity thefts cost the UK around £1.34 billion in fraud.

What is worrying is that these data losses could be the tip of the iceberg. For example, what if someone borrows and copies a backup tape and puts it back? There is no telling how far reaching this type of incident could be, or what type of personal information may be compromised, be it financial, medical or other.

In the USA, one hacking incident put 40 million sets of details at risk, which was by far the biggest single event. A pro rata data loss like this in the UK would put the details of a mind-blowing 8 million individuals at risk. However, this one event skews the statistics and obscures the significance of other sources of data loss. If this incident is excluded, the average number of details compromised through hacking is 73,685, compared to an average of more than 135,858 for all loss types.

In fact, excluding the huge hacking incident, lost backup tapes account for 70% of the information loss represented by the remaining top ten, averaging almost 1.5 million people affected per incident.

Quite rightly, almost every company makes secondary, offline – “backup” – copies of its data, in case the primary copy is lost or becomes corrupted for any reason. The potential for information theft exists because the most popular medium for storing these backup copies is magnetic tape. Magnetic tapes, as physical objects, can be lost or stolen, and the data stored on them is typically unencrypted, which makes it easily readable by even a moderately skilled third party and means that reading it leaves no audit trail.

According to DISUK, it is difficult to identify any one source of personal information loss, because of the wide variation in type of incidents, scale of loss and where they occur. Institutions ranging from banks to universities to the Department of Justice have reported losses.

Paul Howard, managing director of data security company DISUK, said: “Hacking has a kind of mystery about it that means it tends to grab mainstream headlines more readily than obvious causes like lost laptops. But the cause we really worry about is the loss of backup tapes. Only six incidents out of the 80 reported in the USA involved lost backup tapes, but four of those are ranked in this year’s ‘top ten’ by number of people affected. The frequency is apparently low, but the risk is great.”

Howard continues: “The problem is that a lot of the information used in identity theft – stuff like old addresses, date of birth, place of birth and mother’s maiden name – never changes. It’s quite conceivable that an identity thief could acquire personal details now and then wait months or even years before borrowing money or applying for a credit card. There is not much of a time limit on a lot of this information and, with the reporting rules as they are, there’s no way for victims to be forewarned or to know when their personal information may have been compromised.”

DISUK advocates that backup tapes be encrypted as a matter of procedure, in much the same way as a firewall is considered mandatory protection against hackers. “Everyone has a firewall and there are even tools in existence now for companies to catch dishonest employees in the act of stealing information. Backup tapes are – currently – the last great unguarded mass sources of personal information and it’s a loophole we urge all companies to close,” concluded Howard.
