Posted on Wed, Jan. 2, 2008
BOSTON - The loss or theft of personal data such as credit-card and Social Security numbers soared in 2007, and the trend isn't expected to reverse soon as hackers stay a step ahead of security and laptops loaded with sensitive information disappear.
Although companies, government agencies, schools and other institutions are spending more to protect increasing volumes of data with more sophisticated firewalls and encryption, the investment often is too little, too late.
"More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be," said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity-theft victim herself.
Foley's group lists more than 79 million records reported compromised in the United States in 2007 through Dec. 18, compared with a figure of nearly 20 million in all of 2006.
Another group, Attrition.org, estimates more than 162 million records were compromised through Dec. 21, in the United States and overseas. Attrition had reported 49 million in 2006.
The biggest difference between the groups' record-loss counts is Attrition.org's estimate that 94 million records were exposed in a theft of credit-card data at TJX Cos., the owner of discount stores including T.J. Maxx and Marshalls. The TJX breach accounts for more than half the total records reported lost this year on both groups' lists.
The Identity Theft Resource Center counts about 46 million - the number of records that TJX acknowledged in March had been potentially compromised. Attrition's figure is based on estimates from Visa and MasterCard officials who gave depositions in a lawsuit banks filed against TJX.
The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami - an entry point that led the hackers to break into TJX's central databases.
TJX has said that before the breach, which was revealed in January, it invested "millions of dollars on computer security, and believes our security was comparable to many major retailers."
With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. Eavesdroppers appear to be learning how to bypass security safeguards faster than ever, Jay Tumas, the head of Harvard University's network operations, said at a recent conference for information-security professionals.
The two nonprofit groups' 2007 data also show rising numbers of incidents in which employees lost sensitive data, as opposed to cases of hacking.
Besides TJX's problem, major 2007 breaches include lost data disks with bank-account numbers in Britain, a hacker attack on a U.S.-based online broker's database, and a con that spilled resume contact information from a U.S. online jobs site.
"A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost," Foley said. "This is human error, and something that's completely avoidable, as opposed to a hacker breaking into your computer system."
Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. They have been keeping track for only a handful of years, with varied and still-evolving methods of learning about breaches and estimating how many people were affected.