Many of the sites can be found using the Internet Relay Chat program that is similar to MSN Messenger or AOL's Instant Messenger software. Simply search for "#cc" and hundreds of websites will pop up.

"I have valid CC (credit card) and bank loggins (sic)," bragged one person asking to be contacted by interested parties.

"Anyone interested in buying operative USA, UK & Canada CC with billing info and CVV (a credit card security number): harvesting--tomyahoo.ca.

"Reasonable prices," said another.

Symantec, the company responsible for the popular Norton Anti-Virus program, says it monitors many of these Internet properties to better understand the identity-theft issue.

The findings are part of a 120-page semi-annual report on online security issues and threats. The report focuses on problems that emerged during the last six months of 2006.

"Bad guys have a tendency to want to brag a bit," said Dean Turner, executive editor of the report.

"All of the information we gather is in public Internet Relay Chat servers. ... They are filled with lots and lots of people."

An individual's credit card information, by itself, will sell for $1 to $6 US in any of these chat rooms, Turner said. An entire identity can be bought for as little as $18 US ($21 Cdn).

What could be even more disturbing is where the personal information comes from. According to Symantec, governments were responsible for as much as 25 per cent of all leaked information .

The second- and third-biggest contributors to data loss are the health-care industry (20 per cent) and educational institutions (14 per cent), Symantec says.

And most of the information isn't going to hackers who break into government computer systems. About 54 per cent of all data lost is just being carried out the door. Hacking accounts for only 13 per cent.

"The major cause is theft or loss ... stealing hard drives out of machines," Turner said.

With new methods of data storage, it's easy to walk into a government building and steal information, he said. Thumb drives and MP3 players are capable of copying files, while computer terminals in unsecured locations can be pried open by a thief who steals the hard drive and all of the information on it.

In 2003, he said, four computers containing confidential personal information on more than 120,000 citizens were stolen from the Canada Revenue Agency.

In January, a doctor at Toronto's Hospital for Sick Children lost a laptop containing the personal data of more than 2,900 patients. The incident prompted Ontario's privacy commissioner, Ann Cavoukian, to require encryption of all personal data before it is moved from an office setting.

"It is certainly something to be alarmed about," Turner said.

What's worse is that the amount of data loss may be even higher. Turner said governments, health-care facilities and educational institutions are required by law to report data breaches as soon as they occur. The private sector isn't bound by such rules.

In its report, Symantec urges governments and private businesses to require mandatory encryption of sensitive data. That way, even if the information is stolen, thieves won't be able to access it.

While there are no statistics on identity fraud, credit card fraud accounts for more than $300 million in losses every year, according to recent statistics from Visa Canada.

Symantec's report uses information it collected between July 1 and Dec. 31, 2006, from its offices in more than 180 countries and from some of the 120 million users of its security products.