Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/4/2019
05:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Exposed Consumer Data Skyrocketed 126% in 2018

The number of data breaches dropped overall, but the amount of sensitive records exposed jumped to 446.5 million last year, according to the ITRC.

Good news: The number of data breaches reported in 2018 dropped 23% compared with 2017. Bad news: The number of sensitive consumer records exposed increased 126% year-over-year.

The data comes from the Identity Theft Resource Center (ITRC), which has been tracking publicly available breach disclosures and reporting on trends since 2005 alongside sponsor CyberScout. Its "2018 End-of-Year Data Breach Report" reflects severe compromise of sensitive consumer data and the methods with which cybercriminals now access personal information.

There were 1,244 breaches reported in 2018, marking a 23% drop from the year prior. But the reported number of consumer records containing personally identifiable information (PII) significantly increased from 197.6 million to 446.5 million – a 126% jump. ITRC notes the actual total number of records exposed is likely higher, given that only half of reported breaches disclose the number.

Sensitive PII wasn't the only type of data tracked for this year's report. The number of non-sensitive records (email addresses, passwords, usernames) exposed in data breaches amounted to an additional 1.68 billion compromised records exposed in only 37 of 1,244 incidents.

The lowest rate of exposure was in the business sector, which was hit with the most data breaches (571) but had the smallest amount of data compromised in each. Healthcare had the second-highest number of breaches (363) but had the highest rate of exposure at 9.92 million records total.

The ITRC's team took a look at the decline in breaches versus amount of information exposed and determined the explanation is twofold. First, businesses are creating more data troves, placing larger amounts of user-submitted data into on-prem and cloud-based stores. At the same time, attackers are scouring the Web for massive data sets, which makes it easier to achieve their goals.

The more data an attacker has on a victim, the easier it is to assume the person's identity, an ITRC spokesperson explains. If one vulnerable account grants access to birthdates, home and email addresses, Social Security numbers, and driver's license data, an attacker stops looking. Savvy hackers will take usernames and passwords and try to credential crack into more online accounts, where they could potentially access financial data, shopping history, or travel plans.

How They're Breaking In
Hacking was the most common breach tactic in 2018, seen in 482 data breaches. Considering the different types of breaches, it led to the third-highest exposure of data (16.7 million consumer records). In 2017 hacking was the most popular type of breach, as seen in 956 breaches, and ranked first for records exposed (168 million in total).

Unauthorized access was the second most common form of attack in 2018, when it led to 377 data breaches and exposed the most records, at 404 million. Accidental exposure was the cause behind 114 data breaches and ranked second for the total number of records exposed (22 million).

Other sources of data compromise included employee error/negligence/improper disposal, which made up 12% of 2018 incidents, insider theft (4%), and data on the move (2%).

The Big Ones
In a year when data breaches were day-to-day occurrences, some incidents stood out, ITRC researchers report.

The Marriott breach, for example, had the highest number of reported records exposed, with 383 million people affected worldwide. Google Plus was also attacked; 53 million people were affected, and the service was shut down. A major Facebook breach let hackers grab 50 million account tokens.

Some of 2018's biggest attacks involved social media platforms or community-based apps. Facebook, also affected by the Cambridge Analytica scandal, was the most notable compromised company. Cyberattacks also hit MyFitnessPal (150 million victims) and Quora (100 million victims), giving hackers access to usernames, email addresses, passwords, and fitness data.

The travel sector also saw its fair share of cyberattacks. Cathay Pacific, a major Hong Kong-based airline, disclosed a breach affecting 9.4 million passengers – the largest of any airline to date. Radisson Rewards notified customers of a breach when members of its programs were compromised in an incident, and Delta Airlines disclosed a major breach as well.

What You Can Do
The ITRC advises reconsidering the data you request from consumers and only ask for information necessary to run your business. If you run a bakery, do you need a driver's license number? Probably not.

Following the publication of the ITRC's 2018 report, security experts also weighed in to share best practices for securing consumer data. Anthony James, chief strategy officer at CipherCloud, urges companies to encrypt personal information in all machines and networks, including on-premise and SaaS-based applications, as well as custom IaaS-based applications.

"Recognize that it is more common to find cyberthieves attacking APIs, middleware, and database-only encryption," he says. "These are the new skirmish lines for cyberattacks, especially within the cloud where you're most vulnerable."

Colin Bastable, CEO of Lucy Security, points to the additional risk of working with third parties. The fewer moving parts involved with handling users' data, the safer their information is. For example, using Google or Facebook as a login intermediary puts people at chronic risk.

"By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blindsided," he says. "You reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised." Many business cloud applications use APIs to integrate with systems, and each connection drives the risk of hacking.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
2/14/2019 | 2:11:44 AM
Who is responsible?
The crux here is that people need to start to be more responsible about their own security. We cannot expect the computer and tech companies to have everything in place. I mean, we can probably impose such expectations on the whole industry, but at the end of the day, when the information gets leaked or tapped, who is the one that suffers? That's where the onus lies right?
PaulChau
50%
50%
PaulChau,
User Rank: Apprentice
2/13/2019 | 2:59:04 AM
Security lapses worrying
It is happening everywhere around the world and it is a very scary situation. As a layman, obviously the level of panic inflicted upon myself is relatively much lesser than that of an important figure. However, the lax security is what worries me and obviously other users as well especially when financial matters are concerned.
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17223
PUBLISHED: 2019-10-15
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...