Since 2005, the Identity Theft Resource Center® (ITRC) has been tracking security breaches, looking for patterns, new trends and any information to help consumers and businesses understand the value of protecting personal identifying information.
Last week, the ITRC® and CyberScout’s 2017 Annual Data Breach Year-End Review was released, revealing that the number of U.S. data breaches in 2017 hit a new record high of 1,579, with over 178 million records exposed. That averages about four data breaches a day for 2017, a drastic overall increase of 44.7% over 2016’s reported figures.
Report Findings by Sector
The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. The statistics provided within the report are broken down by industry sector – business, banking/credit/financial, educational, government/military and medical/healthcare – as well as by the data loss methods (malware, hacking, skimming, phishing, accidental) used within a breach.
Of the five industry sectors that the ITRC tracks, the business category again topped the ITRC’s data breach list for the third year in a row, with 55% of the overall total number of breaches (870), and a record-high number of records exposed at 163,449,242.
The business category covers various types of organizations, encompassing retail services, hospitality and tourism, professional, trade, transportation, utilities, payment processors, nonprofit organizations, industry associations, non-government social service providers, as well as life insurance companies and insurance brokers (non-medical).
If you look at some of the largest breaches to date – Yahoo, Equifax, Target, Home Depot – the business sector does indeed seem to be hit the hardest. So it comes as no surprise that this marks the eighth time since ITRC’s 2005 report that the number of breaches for this sector has surpassed all other industries.
“Year after year we continue to use the Annual Data Breach Year-End Review as a tool to further glean trends about the state of data breaches, or to confirm what we already know about them,” said Matt Cullina, CEO of CyberScout. “With the business sector being strongly impacted, now more than ever it’s important for organizations of all sizes to not only be prepared for a data breach, but to also be taking proactive steps to plan for the inevitability.”
The medical/healthcare industry, another lucrative and frequent target for hackers – due to outdated networks and troves of stored patient data that, once stolen, bring a high price on the black market – followed in second place with 23.7% of the overall 2017 breaches (374).
The banking/credit/financial sector rounds out the top three with 8.5% of the overall total (134), with educational and government/military representing 8% and 4.7% respectively.
Hacking Reigns Supreme as Method of Attack
The ITRC year-end report groups breaches into seven attack categories: hacking (with the subcategories phishing, ransomware/malware and skimming), unauthorized access, insider theft, data on the move, accidental exposure, employee error/negligence/improper disposal/loss, and physical theft.
ITRC’s report points out that the method of attack hackers used to expose data is a critical factor when determining the level of harm potentially associated with a data breach. ITRC shows that of the 940 breaches attributed to hacking for 2017, 21.4% involved phishing and 12.4% involved ransomware/malware.
These categories rarely occur in isolation. Phishing is often the first link in a chain: it creates the initial foothold, which then leads to the further actions (credential theft, malware installation, lateral movement) that ultimately give the attacker access to the data they are after.
Verizon’s 2017 Data Breach Investigations Report (DBIR) found that 95% of phishing attacks that led to a breach were followed by the installation of malware, and that 66% of malware, ransomware included, was delivered via malicious email attachments.
Common Threads and Concerns
ITRC makes some notable points in their summary, stating that although data breaches are not all alike, they share two common themes.
“Security breaches can be broken down into a number of additional sub-categories by what happened and what information (data) was exposed. What they all have in common is they usually contain personal identifying information (PII) in a format easily read by thieves, in other words, not encrypted.”
And as businesses struggle to maintain and protect sensitive data, consumers are watching both the attitude and the security practices organizations adopt, with caution and decreasing confidence.
A recent study from Gemalto surveyed over 10,000 consumers worldwide and reported that the majority (69%) believe enterprises are not taking the responsibility of securing customer data very seriously, while 70% stated they would stop doing business with an organization if it experienced a data breach.
Concern among consumers is high. Two-thirds (67%) fear that they will fall victim to a data breach in the future, and they know who they will blame if their personal information is stolen: 62% believe that companies are primarily responsible for the security of their information, and an overwhelming 93% said they would take, or consider taking, legal action against an enterprise that has been breached.
In response, and with GDPR and other data regulations approaching, businesses will likely soon be forced into stronger security practices. The time when these solutions were simply offered as an option is coming to a close as companies face the prospect of being sued by consumers.
Hopefully, 2018 will prove to be the year when organizations implement security solutions to encrypt, protect and secure consumer data. Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) solutions devalue the data, encrypting credit and debit card information at the Point of Interaction (POI) and preventing clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.
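The encrypt-at-capture principle behind P2PE, as an added illustration written for this page (it is not Bluefin's code and not a PCI-validated implementation, which relies on hardware key injection, per-transaction key derivation and HSM-based decryption): the terminal encrypts the PAN with AES-256-GCM under a device key the merchant never holds, the merchant's record contains only ciphertext plus the last four digits, and only the processor's decryption environment can recover the number. The function names, the key handling and the well-known test PAN 4111111111111111 are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Capture is what the POI device hands to the merchant's POS software:
// ciphertext plus display-safe metadata, never the clear-text PAN.
type Capture struct {
	KeyID      string // names the device key; the merchant never holds the key itself
	Last4      string // permitted on receipts under PCI DSS masking rules
	Nonce      []byte
	Ciphertext []byte
}

// luhnValid checks the PAN check digit so the POI rejects mistyped numbers before encrypting.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// poiEncrypt runs inside the payment terminal. key is the per-device AES-256 key
// injected at provisioning (an assumption of this demo; real P2PE derives per-transaction keys).
func poiEncrypt(key []byte, keyID, pan string) (Capture, error) {
	if !luhnValid(pan) {
		return Capture{}, errors.New("PAN failed Luhn check")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Capture{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Capture{}, err
	}
	// keyID is bound in as associated data so a ciphertext cannot be relabelled under another key.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(keyID))
	return Capture{KeyID: keyID, Last4: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// processorDecrypt runs in the decryption environment, the only place the key exists.
// It fails closed on a wrong key or a tampered ciphertext (GCM authentication).
func processorDecrypt(key []byte, c Capture) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.KeyID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// merchantRecord is the transaction row a merchant database holds under P2PE.
func merchantRecord(c Capture) string {
	return fmt.Sprintf("key=%s last4=%s nonce=%s ct=%s", c.KeyID, c.Last4,
		base64.StdEncoding.EncodeToString(c.Nonce), base64.StdEncoding.EncodeToString(c.Ciphertext))
}

// legacyRecord is the same row from a system that stores the PAN in the clear.
func legacyRecord(pan string) string {
	return fmt.Sprintf("pan=%s last4=%s", pan, pan[len(pan)-4:])
}

// exposesPAN is the attacker's view of a stolen record: is the card number readable in it?
func exposesPAN(record, pan string) bool {
	return strings.Contains(record, pan)
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real device key arrives by key injection
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := "4111111111111111" // industry test PAN, not a real account
	c, err := poiEncrypt(key, "term-0001", pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant stores:", merchantRecord(c))
	fmt.Println("legacy record exposes PAN:", exposesPAN(legacyRecord(pan), pan))
	fmt.Println("P2PE record exposes PAN:", exposesPAN(merchantRecord(c), pan))
	recovered, err := processorDecrypt(key, c)
	fmt.Println("processor recovers PAN:", err == nil && recovered == pan)
	c.Ciphertext[0] ^= 0x01 // simulate tampering in transit
	_, err = processorDecrypt(key, c)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The point of the contrast between `legacyRecord` and `merchantRecord` is the one the ITRC summary makes: a stolen row from the P2PE system carries no PII a thief can read, while the legacy row does. The key never enters the merchant's network, so a compromise there yields ciphertext only; GCM's authentication tag also means a modified ciphertext is rejected rather than decrypted to garbage.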