US Data Breaches Hit All-Time High

Millions of Payment Cards and Social Security Numbers Exposed

What do Aetna, Anthem, Chipotle, Dow Jones, Equifax, Forever 21, Hyatt Hotels, Kmart, Sabre, Trump Hotels, VeriFone, Verizon and Whole Foods Market have in common?

All suffered and disclosed a data breach in 2017. And they weren’t the only ones.

In fact, the Identity Theft Resource Center, a U.S. non-profit organization set up to help ID theft victims, reports that in 2017, the number of U.S. data breaches reached an all-time high.

In 2017, ITRC counted 1,579 U.S. breaches, up 45 percent from 2016. That doesn’t reflect every U.S. data breach last year. Rather, it’s a count based on the data breach notifications that an organization is legally required to issue to authorities or residents of most states, if it suspects that their personal details may have been exposed (see Health Data Breach Tally Update: A Puzzling Omission).

Hardest Hit: Business Sector

A new report from ITRC, sponsored by identity theft monitoring service CyberScout, finds that out of all 1,579 breaches, most hit the business sector:

  • Business: 55 percent;
  • Medical/healthcare: 24 percent;
  • Banking/credit/financial: 9 percent;
  • Education: 8 percent;
  • Government/military: 5 percent. 

Top Breach Vector: Hacking

Most breaches were the result of hack attacks, ITRC’s research determined.

Here’s a breakdown of how the information got exposed in 2017:

  • Hacking: 60 percent, including phishing (21 percent), malware/ransomware (12 percent) and skimming (2 percent);
  • Unauthorized access: 11 percent; ITRC says this category involves “some kind of access to the data but the publicly available breach notification letters do not explicitly include the term hacking”;
  • Employee error, negligence, improper disposal or loss: 10 percent;
  • Subcontractor, third party or business associate: 8 percent;
  • Accidental exposure: 6 percent;
  • Insider theft: 5 percent;
  • Physical theft: 5 percent;
  • Data on the move: 2 percent.

Caveat: 37 percent of breach notifications fail to quantify the number of records - such as Social Security numbers and payment card data - that were exposed, ITRC reports.

Still, that’s an improvement from previous years, Eva Velasquez, ITRC’s president and CEO, tells Information Security Media Group. “It is getting better,” she says. “We’re seeing more transparency from companies, including the actual number of records impacted.” In 2017, 13.7 percent more organizations released such information than did so in 2016.

More Information: Better

In general, releasing more details to victims is always better. “Understanding the type of personal information that has been exposed is absolutely critical for affected consumers,” says Karen Barney, the ITRC’s director of program support (see Data Breach Notifications: What’s Optimal Timing?).

“While a Social Security number continues to be the most valuable piece of information in the hands of a thief, even the exposure of emails, passwords or usernames can be problematic as this information often plays a role in hacking and phishing attacks,” Barney says.

This article is by Mathew J. Schwartz and originally appeared on databreachtoday.com  
