Today's electronic world is a risky place for your personal data -- and it's not getting any safer. More than 158 million data records of U.S. residents have been exposed as a result of security breaches since January 2005, according to The Privacy Rights Clearing House, a nonprofit consumer rights organization.

As fast as banks, merchants, and consumers add new layers of security to their storage systems and network, say security analysts, new technologies -- or simply careless users -- create new security holes that aggressive and sophisticated identity thieves eagerly exploit. The result, says Avivah Litan, a vice president and distinguished analyst at Gartner, is that "things will get worse before they get better."

Clever crooks

Attacks against both consumers and retailers have "really grown in the last couple of years," says Litan, who cites a Gartner survey showing that approximately 15 million Americans were victims of identity-theft related fraud in the 12 months ending in the middle of 2006. According to Gartner, that's a 50 percent increase since 2003, and the average loss per incident was $3,257, more than twice the level for the same period a year earlier, according to the survey.

The number of companies whose customers were targeted by phishing attacks -- a fake e-mail asking for sensitive information -- grew by 20 percent in the second quarter of 2007, says Terry Gudaitis, cyberintelligence director at Cyveillance, an Arlington, Va.-based firm that monitors the Internet for malware and other threats. While such attacks used to target customers of only a few large banks, they now impersonate "credit unions, hotel chains, insurance companies -- it's all over the board," says Todd Bransford, vice president of marketing at Cyveillance.

During the same period, Cyveillance also identified more than 2 million URLs that distribute malicious downloads to site visitors without their knowledge, as well as 2.5 million stolen credit card numbers online.

Criminals are also getting smarter. Larry Ponemon, chairman and founder of Ponemon Institute, which conducts research on privacy and security issues, calls it "inverted customer relationship management," in which criminals target the wealthiest individuals for their attacks.

Some are even buying marketing lists to piece together profiles of "who's got the Platinum [American Express card] and who's got the account with Merrill Lynch and who doesn't," says Litan.

"Hackers are exploiting Internet auctions, nonregulated money transmittal systems and the ability to impersonate lottery and sweepstakes contests," among other scams, wrote Litan in a February 2007 research report.

Theft and fraud?

Hard figures on identity theft and identity fraud (using stolen data to commit a crime) are difficult to come by. A June 2007 report from the Government Accountability Office said that of 24 large data breaches reported in the media between January 2000 and January 2005, only three "appeared to have resulted in fraud on existing accounts, and one breach appeared to have resulted in the unauthorized creation of new accounts."

However, the study noted it's difficult to determine the exact damage, because while at least 36 states require companies to notify consumers of data breaches, victims often don't know their information has been stolen or how it was stolen. Thieves may wait a year or more before using the data, and may use only some of it so as to not alert the card issuer, which could cancel the entire block of stolen cards.

Mary Monahan, a partner, editor and analyst at Javelin Strategy & Research, a research and consulting firm in Pleasanton, Calif., takes a more upbeat view. She says that prevention and awareness by both consumers and businesses helped reduce the number of adult victims of identity fraud in the U.S. from 8.9 million in 2005 to 8.4 million in 2006, and the dollar amount of fraud dropped 12 percent from $55.7 billion to $49.3 billion.

Those figures, however, include all types of identity fraud, the vast majority of which Javelin says result from traditional causes such as lost or stolen checkbooks or credit cards. Rachel Kim, a research associate at the firm, also points out that less than 1 percent of victims whose information has been stolen experience fraud. Despite the publicity of data breaches at companies such as The TJX Companies, she says, the percentage of victims who knew how their data was lost who cited a data breach actually fell from 6 percent to 3 percent from 2005 to 2006.

Given all the unknowns, it's not surprising that even the experts are sometimes in the dark. A December 2006 survey of more than 200 North American security professionals by Enterprise Strategy Group showed that more than one-third had experienced a data breach at their company in the past 12 months, and another 10 percent didn't know if they had lost data.

Weak points

One reason concern about identity theft is increasing is that with the expanding adoption of high-speed Internet service, more consumers are spending more time online, where they might share sensitive data.