ID thieves lurk everywhere

Experts question merchants' prevention efforts

A retail company stores all its customers’ credit-card account information, unencrypted and accessible through one user ID and password, in the same wireless network employees use to monitor inventory.

A financial-services company sends an unidentified visitor to its 38th floor after the stock market’s close, where he wanders alone among unstaffed desks strewn with sensitive account information on wealthy customers.

At another company, workers regularly stack heaps of papers containing personal data on top of the shredder because the machine’s bag is full.

If you think identity theft and credit-card fraud are the sole province of petty thieves scouring consumers’ trash cans, think again. What is perhaps more frightening is the wealth of personal data hijacked from U.S. companies nationwide, investigators say – especially since business is only just beginning to plug the leaks.

How well are companies protecting data? If this were school, they’d be close to failing, said Tom Arnold, a partner at PSC, a consulting firm that secures merchants’ payment systems. PSC gives each merchant an initial security score.

“The average score first time out is around 52 percent,” he said. “The level of awareness and general concern is up and there is a sense of urgency regarding the protection of information, but the scorecard suggests the effectiveness is still about a ‘D’ in anybody’s book.”

So far this year, companies and public agencies have announced 110 cases of stolen or lost data potentially affecting 56.3 million people, according to the ID Theft Resource Center, a nonprofit advocacy and research group.

It’s unclear how much fraud results from data breaches, and no one knows how much identity theft is due to businesses’ lax security versus consumers’ judgment lapses; most victims never know how scammers filched their information.

For its part, MasterCard International says data breaches lead to about 6 percent of the credit-card fraud it encounters, while more traditional scams – such as credit-card skimmers used by restaurant workers or at an ATM, plus lost and stolen cards – are a bigger problem, according to Chris Thom, chief risk officer at the company, in Purchase, N.Y.

$5 billion hit

Identity theft and credit-card fraud strike an estimated 10 million Americans each year, costing them $5 billion, and slamming U.S. businesses with a tab of $50 billion, according to an FTC survey from 2003. Consultants say that figure could be considerably understated as that survey does not count fraud by scammers who, instead of filching someone else’s identity, defraud companies by creating entirely new identities.

Consumers must always be wary. Those who fall for an e-mail scam seeking account passwords set themselves up for trouble, and surveys show that family and friends also play a part in stealing individuals’ data. But there’s no doubt high-level fraudsters prefer bigger fish.

No company is immune.

“Every company has employment files, benefits files, corporate-credit-card files,” said Chris Marquet, Boston-based senior managing director at Vance, a global risk-analysis firm near Washington.

“There are statutory requirements to protect it (and) everybody has a stated policy,” he said. “The question is: Are we actually following those policies day to day? That’s often the weak link in any given fraud. People are circumventing the controls that are in place.”

One frequent weak link: employees. Given the wealth of data socked away in computers, just one disgruntled worker can wreak havoc.

No place to hide

Firms face threats from all sides. Computer systems need protecting, as do garbage cans. Credit-granting firms must verify consumers’ identity to prevent fraud, while companies that sell data must ensure their business customers are legitimate.

ChoicePoint, the data broker near Atlanta, made the mistake of selling data on 145,000 consumers to fraudsters posing as business owners. The company says it has since put measures in place to address the issue.

Data theft is not new, but it’s being spurred by the Internet and the global nature of business.

Alan Brill, senior managing director at Kroll Ontrack, a technology-services subsidiary of Kroll Inc., the global risk-consulting firm, said he has been investigating database breaches for years. But the problem has escalated recently.

“It just wasn’t happening in a way that was causing great pain to the taxpayer or to the public,” he said. “As our society has become more online oriented, the ability to use this misgotten information has grown exponentially, and the fact that this purloined data can be used globally and almost instantaneously has raised the stakes significantly.”

Meanwhile, industry consultants say media attention on data breaches at ChoicePoint, CardSystems – a third-party processor that lost information on 40 million credit cards earlier this year – and elsewhere is spurring greater awareness.

“We’ve seen a good doubling in the calls that have come in since CardSystems,” Arnold, of PSC, said. Now, “there’s more recognition that ‘hey, my brand’s at risk.’”