Personal information leaks reached unprecedented levels last year, according to a brace of studies out last week.

Lost laptops, insecure systems and mislaid discs means problems posed by the exposure of customer records are unlikely to disappear anytime soon. As in other areas of information security organisations are often reticent to invest in encryption and other security defences until they've been hit by a problem.

Data handling has probably always been poor, but information security breach disclosure laws have pushed the issue out into the open.

Meanwhile, Attrition.org reckons 162m customer records were compromised worldwide in the year up to 21 December, compared to 49m lost records in 2006.

As well as taking into account the whole world instead of just the US, Attrition's estimate is higher because it reckons that 94m records were exposed by the theft of credit card data at TJX. Attrition.org's figures come from a lawsuit filed by TJX by banks. The Identity Theft Resource Center takes the 46m figure of potentially compromised credit card details TJX has publicly acknowledged. Hackers are reckoned to have obtained the credit card numbers after snooping on weakly encrypted wireless transmissions of customer information at two Marshalls stores in Miami, a security weakness they exploited to gain access to eventually gain access into TJX's central databases as part of a long-running attack that went undetected for months.

The TJX breach was by far the worst breach of 2007. Other major breaches of last year include the loss by the UK government of two unencrypted CDs containing the records of 25m child benefit claimants. ®

Related stories

• TJX closes book on infamous security breach with sale (23 January 2009)
• Second TJX hack suspect cops a plea (23 September 2008)
• TJX hacker breaks ranks with guilty plea (15 September 2008)
• Analysis Fog of attack clouds Best Western hack (29 August 2008)
• US data breaches booming in '08 (27 August 2008)
• Best Western plays down impact of hack attack (26 August 2008)
• Colchester Hospital sacks manager over lost laptop (12 August 2008)
• Updated Unencrypted traveler data laptop disappears then reappears (5 August 2008)
• Data breaches easily prevented - report (12 June 2008)
• Update Cotton Traders mauled by hackers (11 June 2008)
• Breach disclosure laws have 'no effect' on identity theft (5 June 2008)
• US bank loses unencrypted data on 4.5m people (2 June 2008)
• Deutsche Telecom caught doing an HP (27 May 2008)
• Renault F1 comp site spills entrants' details (8 May 2008)
• HSBC pops thousands of customer details in the post (7 April 2008)
• US auto parts store spills data to hackers (1 April 2008)
• Hannaford cc data thieves planted malware on 300 servers (28 March 2008)
• Supermarket loses 4.2 million credit card details (18 March 2008)
• Want to snoop on your neighbors? Come and work in Wisconsin (26 February 2008)
• 5,000 NHS records vanish with latest lost laptop (15 February 2008)
• UK gov issued 250k snoop licences in nine months (29 January 2008)
• Join the army, get your ID pinched - MoD laptop goes AWOL (20 January 2008)
• Personal data for 650,000 customers vanishes into thin air (18 January 2008)
• TJX settles with banks over credit card breach (20 December 2007)
• UK driver details lost somewhere in America (17 December 2007)
• ICO warns of more 'datagate' breaches (5 December 2007)
• Data breach costs soar (29 November 2007)
• America's 8m victims of identity theft (28 November 2007)
• UK Identity Crisis Civil service apologises for HMRC data loss (26 November 2007)
• TJX breach was twice as big as admitted, banks say (24 October 2007)
• Schwarzenegger terminates data breach bill (16 October 2007)
• Lax security led to TJX breach (4 May 2007)
• Consumers baulk at returning to hacked stores (17 April 2007)
• How much do security breaches cost anyway? (12 April 2007)
• Europeans fear data loss disaster (19 February 2007)
• US ID theft losses decline (5 February 2007)
• Half of ICT firms suffer security breach (10 July 2006)
• Consumers punish firms over data security breaches (15 November 2005)