'Half of American adults hacked' in the past year - really?

Filed Under: Data loss, Featured, Privacy, Security threats

A new study publicized this week claims that almost half of all American adults - about 110 million people - have had their personal data hacked in the past year.

Tallied by the Ponemon Institute and reported by CNN, the study claims that 47% of US adults have been hacked in the past 12 months, with up to 432 million "hacked accounts."

It's a frightening statistic, if true. Let's take a look at the numbers.

Certainly a vast swath of the American population has had its data compromised in the last year, with the biggest single contributor being the breach of Target, which leaked 40 million credit and debit card numbers, plus other personal records, from a total of 70 million customers.

So with Target's numbers alone we're already at 70 million "hacked" individuals, which is a stunning figure in itself.

If you add to that the data breaches at Neiman Marcus, Michaels, and, more recently, eBay, then CNN's claim of 110 million people hacked - "half of US adults" - starts to look very realistic, and maybe even on the low end.

But there are a few problems here.

An incomplete picture of data loss

CNN's data comes from the Identity Theft Resource Center (ITRC), which tallies data breaches in the US reported by news media and government sources (CNN says it also got data from its "own review of corporate disclosures").

The ITRC is very thorough in keeping its statistics, but it can only include the numbers that have actually been disclosed - and companies don't always report how many records were lost, because breach notification laws vary, leaving an incomplete picture.

For example, eBay didn't report how many of its 138 million accounts were exposed in the recent attack, so we are left to wonder - was it all 138 million accounts? Or (unlikely, but still possible) just one person's account?

By the way, a "record" is a name plus another piece of personally identifiable information (PII), such as a driver's license number, credit or debit card number, or medical record.

Because email addresses and passwords aren't considered PII, companies are not required to disclose the loss of them as a data breach - even though an attacker who has your email address and password can use them to get at other information about you that is PII.

What makes a reliable tally even harder is that, according to the ITRC, organizations disclosed the number of records lost in only 60% of the data breaches in 2013.

Could that mean even more than 110 million people were hacked? Well, because there's no data on the other 40% of data breaches, we just don't know.

All this leads the ITRC to state on its website that:

Any efforts to accurately quantify the actual number of breaches, and resulting number of compromised records, are stymied in the absence of mandatory and uniform reporting requirements on a national level.

Let's not forget, too, that different breaches overlap: the same person can turn up in several of them. It's likely that people who shopped at Target and had their card numbers stolen also had their email address stolen from AOL, or their account details swiped from eBay.

So how does CNN get its number of 110 million individuals "hacked" in the past year, and up to 432 million accounts breached?

ITRC's data shows that 91,978,932 records were breached in 2013, and another 8,533,800 have been confirmed lost so far in 2014.

That brings us to about 100 million records confirmed lost across 2013 and 2014 so far - a far cry from the 432 million accounts claimed by CNN.

"Hacked" is not the same as lost or stolen

Not all of those records were "hacked" by cybercriminals: many were exposed accidentally through employee negligence, or taken by insiders.

The ITRC reports on its website that 26% of the 614 data breaches it recorded in 2013 were the result of "hacking."
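To make the arithmetic in the last two sections concrete, here is a small added example (not part of the original post, and using constructed sample data rather than ITRC figures). It shows why a sum of disclosed "records" is neither a count of people nor a count of people "hacked": undisclosed counts make the record total a floor, overlap between breaches means unique people can only be bounded from the counts alone, and restricting to breaches caused by hacking gives a smaller number again. The `Breach`, `tally` and `unique_people` names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Breach:
    name: str
    cause: str                  # "hacking", "insider" or "accidental"
    records: Optional[int]      # None: the organization never disclosed a count
    # Opaque per-person identifiers for the people whose data was exposed.
    # Constructed for this example; public disclosures never give you this,
    # which is exactly why records cannot simply be summed into "people hacked".
    people: FrozenSet[int] = frozenset()


def tally(breaches):
    """Everything that can be derived from the disclosed counts alone."""
    disclosed = [b for b in breaches if b.records is not None]
    total_records = sum(b.records for b in disclosed)
    largest = max((b.records for b in disclosed), default=0)
    by_cause = Counter(b.cause for b in breaches)
    n = len(breaches)
    return {
        "breaches": n,
        "disclosure_rate": len(disclosed) / n if n else 0.0,
        # Undisclosed breaches add an unknown amount, so the sum of disclosed
        # records is a floor on records lost, not a total.
        "records_confirmed": total_records,
        # Each record belongs to one person, so unique people cannot exceed the
        # record sum; the largest single breach alone already hit that many
        # distinct people, so they cannot be fewer than that either.
        "people_lower": largest,
        "people_upper": total_records,
        "hacking_share": by_cause["hacking"] / n if n else 0.0,
    }


def unique_people(breaches, cause=None):
    """Exact number of distinct people, optionally restricted to one cause.

    Only possible here because the constructed data carries identifiers.
    """
    seen = set()
    for b in breaches:
        if cause is None or b.cause == cause:
            seen.update(b.people)
    return len(seen)


# Constructed sample: five breaches, three with disclosed counts (a 60%
# disclosure rate), two caused by hacking, and deliberate overlap between
# the two retailers (people 5, 6 and 7 appear in both).
SAMPLE = [
    Breach("RetailerA", "hacking", 7, frozenset(range(1, 8))),
    Breach("RetailerB", "hacking", 4, frozenset({5, 6, 7, 8})),
    Breach("ClinicC", "accidental", 3, frozenset({9, 10, 11})),
    Breach("MarketplaceD", "insider", None),
    Breach("AgencyE", "accidental", None),
]

if __name__ == "__main__":
    for key, value in tally(SAMPLE).items():
        print(f"{key:>18}: {value}")
    print(f"{'people (actual)':>18}: {unique_people(SAMPLE)}")
    print(f"{'people (hacked)':>18}: {unique_people(SAMPLE, cause='hacking')}")
```

On the sample, 14 records are confirmed lost, the true number of distinct people is 11 (between the bounds of 7 and 14 that the counts alone allow), and only 8 of them were in a breach attributed to hacking; the two undisclosed breaches could push every one of these figures up by any amount. That is the whole gap between "records lost", "people affected" and "people hacked" in miniature.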

When you consider that the 24/7 news media needs provocative headlines to drive clicks and win advertising dollars, CNN's claim starts to make a little more sense.

The headline "Half of American adults hacked in past year" looks great, but it would have been more accurate if they had written "We have no idea how many Americans were hacked last year, but it's probably a very high number".

And what of the rest of the world?

Well, according to another headline-grabbing report, more than 820 million records were exposed in data breaches worldwide in 2013.

Whatever the real number of individuals affected by these data disasters is - and we really, truly just don't know - it's still way too high.

That's a fact.



4 Responses to 'Half of American adults hacked' in the past year - really?

  1. Bart B · 109 days ago

    Another reason the numbers do not add up is that the whole world is not American! eBay is used all over the world, so these are not all Americans who have been breached!

  2. Nigel · 109 days ago

    "Hacked" isn't defined, and even if it were, that doesn't mean it comprises all of the most troublesome forms of cybercrime.

    For example, what about folks who have fallen victim to CryptoLocker? That might not fit the definition of "hacked", but there's no question that it results in the loss of information. The same is true of certain other forms of malware, phishing, and other attack vectors.

    The point is that the number of people in the U.S. who have fallen prey to some form of digital knavery could be more than half of the population, or at least more than half of the population that is connected to the Intertubes. So, the article gets it exactly right; "...we really, truly just don't know".

  3. John C. · 109 days ago

    Another consideration: I have an eBay account, and the data stolen from eBay might have included my record, but if I change my password before anyone manages to decrypt it have I been hacked? As the article alludes, it all depends on your definition of "hacked."

  4. "Hacked" is not the same as lost or stolen - That line says it all. There's a distinct and clear difference between hackers and script-kiddies. Typical script-kiddie tactics like phishing/vishing/smishing and key-logging simply aren't considered "hacking" in my book. For the primary reason that actual security isn't being defeated - instead, legitimate account information is simply being usurped. So to me, the use of the term "hacked" is over-used and most often used inappropriately by the media.


About the author

John Zorabedian is a blogger, copywriter and editor at Sophos. He has a background in journalism, writing about technology, business, politics and culture. He lives and works in the Boston area.