Fewer Breaches in 2018, But More Sensitive Data Spilled
Business and Healthcare Sectors Suffered Most US Breaches, ITRC Finds
All suffered a data breach that they first disclosed in 2018.
In 2018, the Identity Theft Resource Center, a nonprofit organization that provides no-cost assistance to identity theft victims to help resolve their cases, counted 1,244 U.S. breaches, down 23 percent from 2017, according to a new report, sponsored by CyberScout. The report provides a deep dive into last year's U.S. data breach disclosures (see: US Data Breaches Hit All-Time High).
But the ITRC's count doesn't include every U.S. data breach from last year. Rather, it counts every data breach notification that an organization was legally required to issue to state residents or authorities if it suspected that people's personal information had been exposed.
All told, 8 percent of all organizations that issued a data breach notification in 2018 said the incident resulted from the breach of a subcontractor or third party.
For the whole of 2018, ITRC counted 446.5 million exposed sensitive records, which was an increase of 126 percent from 2017. Sensitive records may include Social Security numbers, dates of birth, medical diagnoses, payment card information and other types of data that trigger states' mandatory data breach notification requirements.
"The increased exposure of sensitive consumer data is serious," says Eva Velasquez, the ITRC's president and CEO. "Never has there been more information out there putting consumers in harm's way."
Organizations also exposed 1.68 billion records of what ITRC classifies as being of a non-sensitive nature, including email addresses, usernames and passwords.
Arguably, breaches have gotten so bad that it's not clear if any new breach is putting individuals at any greater risk, given the amount of personal data that's already being bought and sold on cybercrime forums. "Every American person should assume all of their data is out there," Elvis Chan, a supervisory special agent with the FBI who specializes in investigating cybercrime, told the Wall Street Journal late last year (see: Congratulations: You Get 'Free' Identity Theft Monitoring).
Marriott Leads the Pack
Last year, in terms of the industries that suffered the greatest number of breaches, the business sector led by a clear margin, followed by healthcare, financial services, government/military and education, according to the report. Looking at the quantity of sensitive records that were exposed, the business sector was worst, followed by healthcare.
2018 Data Breach Category Summary
The organization that reported the greatest number of exposed records was Marriott International. In November 2018, the hotel giant said it had suffered a breach that began in 2014, with hackers accessing the reservation database used by Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016 (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).
Warning: Actual Numbers Are Worse
The ITRC warns that "the actual total number of exposed records likely exceeds the reported number substantially," because its report is only based on what organizations have disclosed.
It's not clear how many organizations might fail to report - or fully investigate - breaches that may have exposed sensitive data (see: Yahoo's Proposed Data Breach Lawsuit Settlement: Rejected).
In addition, some breach reports are more informative than others. "Only half of the total number of breaches reported by the Identity Theft Resource Center in 2018 reported the number of records exposed," the organization says. "It's important to note that when the reporting entity does not provide the number of records exposed ... we do not include an educated guess or 'possible' number of records, to ensure that we're providing the best data quality."
Top Data Compromise Causes
ITRC says there were three top causes of data compromises in 2018:
- Hacking: 482 data breaches that exposed 16 million consumer records were blamed on hacking or computer intrusion, including phishing, ransomware or malware, and skimming;
- Unauthorized access: Listed as the cause of 377 data breaches, exposing 404 million records;
- Accidental exposure: Blamed for 114 breaches, exposing 22 million records.
Beyond these three causes of data compromises, the four other causes that ITRC also tracks were less common: data on the move; physical theft; employee error and negligence, including improper disposal or loss in general; and accidental exposure of information to the internet.
Beyond 'Unauthorized Access'
For 2019, ITRC says it's trying to get more clarity on what organizations mean when they say "unauthorized access," saying that this catch-all "is not an accurate reflection of the true method of intrusion and doesn't provide stakeholders with the necessary data needed to make informed decisions on remediation."
The organization has called on breached businesses to be more transparent about exactly what types of data were exposed, so that it can tell victims how to best respond (see: Data Breach Notifications: What's Optimal Timing?).
"Companies need to be more transparent and granular with their disclosures," ITRC says. "When breach notification letters simply list the compromised data as 'Employee records,' 'XXXX' or even just 'Other' - these examples have been taken from actual notifications we reviewed this year - we cannot provide the affected consumers the action plans they need and deserve because we cannot assess what their true risk is."