On the surface, it looks like we actually made some improvements in protecting private data in 2007. According to the Privacy Rights Clearinghouse, the number of publicly disclosed data breaches actually decreased, from 346 incidents in 2006 to 310 in 2007. Unfortunately, there are still more clouds than sunshine. In 2007, the 310 data breach incidents resulted in a total of 162 million records exposed, more than three times as many as in 2006 (when there were about 50 million).
Here's another frightening data point: Five of the 10 biggest data breaches occurred in 2007, including the record setter. Massachusetts-based TJXfor the largest data breach of all time--a whopping 94 million records were exposed!
As we fade into the twilight of the first decade of the 21st century, information security progress continues to move one step forward and then two steps back. The worst news of all is that this isn't a technology issue. It really comes down to negligence, ignorance, poor processes, and general laziness. To paraphrase security guru Bruce Schneier, "People remain the weakest link in the security chain."
I am an internal optimist by nature, but I continue to believe that the state of information security is far worse than the general public knows. I don't expect much improvement with data breaches in 2008 and wouldn't be at all surprised to see another doozy. With the way things are, the TJX incident could look like a sophomoric hack by year's end.