The Identity Theft Resource Center, which tracks and monitors security breaches that involve personally sensitive information, reported 662 incidents that exposed more than 16 million records in its year-end 2010 report.
The Banking/Credit/Financial category didn't dominate the list, but quite a few breaches were attributed to companies in this sector. Some of the incidents involved criminal activity that exposed small numbers of people -- or even only one person -- to identity theft. Other incidents were on a bigger scale, exposing thousands of records that contained names, Social Security numbers, financial account data and more.
Here's a sampling of some of the entries in the report:
- Citigroup. Approximately 600,000 customers received tax documents that had their Social Security number printed on the outside of the envelope. The numbers were surrounded by other numbers and letters, yet were clearly identifiable to at least 50 people who called the company to complain about the security risk.
- Community First Credit Union in Wisconsin. Names, Social Security numbers and employment information of more than 1,600 people who applied for a job through the company's website were compromised.
- Los Angeles Firemen's Credit Union. More than 28,000 members were notified that their names and addresses, telephone, account and Social Security numbers and other information were compromised when files weren't moved properly during an office relocation.
- Suffolk County National Bank in New York. Hackers stole the login credentials to access more than 8,378 customers' online accounts.
More than a few banks and credit unions also were found to have discarded sensitive financial information in back-alley garbage bins or paper recycling receptacles, only to have the documents discovered by customers. The risks of Dumpster-diving have been so widely reported that it's difficult to comprehend how some financial institutions managed to miss the memo on the danger these methods of document disposal pose to their customers.
Other breaches involved fraud by employees, hackers, loss or theft of laptops or media storage devices, U.S. mail scams and "skimming" devices or key loggers that capture sensitive data from electronic networks. A few incidents involved human or machine error, such as sending bank account signature cards or mortgage documents to the wrong address.