Over 5,200 Data Breaches Make 2017 An Exceptional Year For All The Wrong Reasons
Cyber Risk Analytics - https://www.cyberriskanalytics.com/

Risk Based Security today announced the release of the 2017 Data Breach QuickView Report, showing that once again, the record has been broken for both the most breaches and the most data compromised in a year. There were 5,207 breaches recorded last year, surpassing 2015’s previous high mark by nearly 20%. The number of records compromised also surpassed all other years with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.

“The level of breach activity this year was disheartening”, commented Inga Goddijn, Executive Vice President for Risk Based Security. “We knew things were off to a bad start once the phishing season for W-2 data kicked into high gear. But by the time April 18th came and went, breach disclosures leveled off and we went into summer hopeful the worst was behind us. Unfortunately, that wasn’t the case.”

The increased level of breach activity has been observed by the cyber insurance industry as well. Manny Cho, EVP at Risk Placement Services, a national insurance brokerage and sponsor of the Year End QuickView Report added, “the use of malware and ransomware such as WannaCry and NotPetya impacted companies and individuals across the globe. While large breaches continue to grab the headlines, SMEs are losing money and assets to hacker organizations every day thanks to increased phishing and spoofing attacks.”

In addition to the number of breaches and amount of data lost, 2017 stood out for another reason. For the past eight years, hacking has exposed more records than any other breach type. In 2017, the Web breach type, which largely consists of accidental exposure of sensitive data to the Internet, took over the top spot, compromising 68.8% or 5.4 billion records. Hacking still remained the leading breach type, accounting for 55% of reported incidents, but its impact on records exposed fell to the number two spot, with 2.3 billion records compromised. For the first time since 2008, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusion into networks.

“We’re seeing a lot of interest in calling out organizations that mishandle sensitive data”, said Ms Goddijn. “Several of the security researchers that are actively engaged in searching for exposed datasets are no longer willing to keep their findings confidential. Likewise, more individuals are calling out breaches when they discover their own data is exposed.”

A prime example of this is the August breach impacting 11,887 Aetna members. An unnamed mail processing vendor working for Aetna sent letters to HIV patients, informing them of changes to the prescription fulfillment process. Unfortunately the lettershop used envelopes with an especially large glassine window, exposing highly sensitive HIV status information. The breach was brought to light by a letter recipient – triggering both civil lawsuits and an investigation by the New York Attorney General and ending with Aetna agreeing to pay $18.3 million in order to settle the various proceedings. While this is an extreme example, 2017 saw many other situations where customers, clients and unrelated third parties discovered the problem and chose to take action.

Comparing the number of breaches discovered internally to the number of breaches found by outsiders highlights one dynamic behind the trend. Of the 3,904 breaches with a confirmed discovery method, only 728, or 18.6%, were discovered by the organization responsible for protecting the data. The remaining 3,176 were found by law enforcement, external fraud detection or monitoring, customers, or unrelated parties, including disclosure by the malicious actors themselves. While there is not a direct correlation between discovery method and interest in publicizing breach activity, this data does show that the majority of breaches still go undetected by the compromised organization.

Risk Based Security has been capturing and aggregating data breach events for well over a decade. The resulting wealth of breach data coupled with actionable security ratings for organizations has made Risk Based Security a leader in vendor risk management, cyber insurance and risk modeling. For more information, contact Risk Based Security at 855-RBS-RISK or visit www.riskbasedsecurity.com.

About the Data Breach QuickView Report

The Data Breach QuickView report is possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ analysis of breach activity disclosed in 2017. Contact Risk Based Security for any specific analysis of the 2017 data breaches of specific interest to your organization.

You can get your copy of the Year End 2017 Data Breach QuickView Report here:

Get The Year End Report

Daniel Sherry

Mid-Atlantic Regional Manager

6 years ago

Some great information and actionable statistics!

Daniel Sherry

Mid-Atlantic Regional Manager

6 years ago

Nice to have perspective and analysis that is precise!
