Breach Notification , Data Breach

US Data Breaches Hit All-Time High

Millions of Payment Cards and Social Security Numbers Exposed
US Data Breaches Hit All-Time High
Data breaches by attack type. (Source: Identity Theft Resource Center)

What do Aetna, Anthem, Chipotle, Dow Jones, Equifax, Forever 21, Hyatt Hotels, Kmart, Sabre, Trump Hotels, VeriFone, Verizon and Whole Foods Market have in common?

See Also: Matching Application Security to Business Needs

All suffered and disclosed a data breach in 2017. And they weren't the only ones.

In fact, the Identity Theft Resource Center, a U.S. non-profit organization set up to help ID theft victims, reports that in 2017, the number of U.S. data breaches reached an all-time high.

Source: ITRC

In 2017, ITRC counted 1,579 U.S. breaches, up 45 percent from 2016. That doesn't reflect every U.S. data breach last year. Rather, it's a count based on the data breach notifications that an organization is legally required to issue to authorities or residents of most states, if it suspects that their personal details may have been exposed (see Health Data Breach Tally Update: A Puzzling Omission).

Source: ITRC

Hardest Hit: Business Sector

A new report from ITRC, sponsored by identity theft monitoring service CyberScout, finds that out of all 1,579 breaches, most hit the business sector:

  • Business: 55 percent;
  • Medical/healthcare: 24 percent;
  • Banking/credit/financial: 9 percent;
  • Education: 8 percent;
  • Government/military: 5 percent.

Of the 179 million records exposed last year, nearly 158 million were Social Security numbers, accounting for 88 percent of all exposed records, according to ITRC. Nearly 20 percent of breaches resulted in credit and debit card information being exposed.

Source: ITRC

Top Breach Vector: Hacking

Most breaches were the result of hack attacks, ITRC's research determined.

Here's a breakdown of how information got exposed in 2017:

  • Hacking: 60 percent, including phishing (21 percent), malware/ransomware (12 percent) and skimming (2 percent);
  • Unauthorized access: 11 percent; ITRC says this category involves "some kind of access to the data but the publicly available breach notification letters do not explicitly include the term hacking";
  • Employee error, negligence, improper disposal or loss: 10 percent;
  • Subcontractor, third party or business associate: 8 percent;
  • Accidental exposure: 6 percent;
  • Insider theft: 5 percent;
  • Physical theft: 5 percent;
  • Data on the move: 2 percent.
Source: ITRC

Caveat: 37 percent of breach notifications fail to quantify the number of records - such as Social Security numbers and payment card data - that was exposed, ITRC reports.

Still, that's an improvement from previous years, Eva Velasquez, ITRC's president and CEO tells Information Security Media Group. "It is getting better," she says. "We're seeing more transparency from companies, including the actual number of records impacted." In 2017, 13.7 percent more organizations released such information than did so in 2016.

More Information: Better

In general, releasing more details to victims is always better. "Understanding the type of personal information that has been exposed is absolutely critical for affected consumers," says Karen Barney, the ITRC's director of program support (see Data Breach Notifications: What's Optimal Timing?).

"While a Social Security number continues to be the most valuable piece of information in the hands of a thief, even the exposure of emails, passwords or usernames can be problematic as this information often plays a role in hacking and phishing attacks," Barney says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.