Data losses set to soar, KPMG predicts

According to a new report, losses of personal and financial data are set to rise sharply in 2009 as the effects of the credit crunch begin to take effect.

Losses of personal and financial data are set to rise sharply in 2009 as the effects of the credit crunch start to bite, according to a new report from the management consultancy KPMG LLP.

Based on current trends, KPMG says the number of people affected by data loss around the world could soar to 190 million in 2009, compared to 92 million in the previous year, as the credit crunch deepens. The report says the number of people affected by data loss incidents (47.8 million) from August to November were higher than combined incidents in the first eight months of the year -- and 38% higher than the same period in 2007 (34.5 million).

KPMG has been tracking publicly reported data losses since 2005 and records them in its "data loss barometer." The partner in charge, Malcolm Marshall, acknowledged that the figures represent just a fraction of the real extent of the data loss problem, which still goes largely unreported in many countries.

Marshall said he expected the rate of losses to grow in 2009 as finances become tight and criminals start to target individuals who might be persuaded to part with information for cash. "People may be worried about their jobs and finances, so criminals see an opportunity from the economic downturn," he said.

Since 2005, there have been around 1,300 reported incidents of data loss worldwide, with the personal data of more than 350 million people compromised, according to KPMG. In 2008 there were 427 data loss incidents reported, affecting 83 million people globally. Although fewer people were affected than in 2007, well over half of the 2008 victims -- 47.8 million -- suffered loss in the last three months of the year.

Although online shopping is unlikely to be affected by data breaches, as all credit card losses are covered by the Consumer Credit Act, Marshall said the effect on companies themselves can be crippling.

"Once they suffer an incident, their risk appetite goes right down, and they can make dysfunctional decisions in their desire to avoid a second event," he said.

One of the biggest risks comes with sharing information with outsourcing companies and sub-contractors. While he sees no sign of companies bringing in-house major business process contracts, Marshall said that several companies had now opted to dispose of their own IT equipment themselves rather than outsource the process. "There have been incidents of hardware being sold on eBay, so some companies prefer to hire in a team with sledgehammers and make sure the data is properly destroyed."

He said data loss is now a global problem that is set to get worse, adding that even the most secure and comprehensive controls do not provide absolute protection against all conceivable threats.

Marshall suggested a few simple questions that all companies should ask themselves:

  • Do you know where your data comes from?
  • Where it is stored and how it is used?
  • Do you have a clear plan of what to do should you lose your data?

Read more on Privacy and data protection