Over 6,500 data breaches were reported in 2018, exposing some 5 billion records, according to Risk Based Security's report on data breach statistics.
Although staggering, this number represents a slight 3.2% decline from the 6,728 breaches reported in 2017, making 2018 the second most active year for data breaches on record.
It’s been an unusual year for breach activity
Inga Goddijn – Executive Vice President of Risk Based Security
Unsurprisingly, the ten largest breaches of the year accounted for approximately 3.6 billion of the exposed records, representing 70% of the total 5 billion records. Organizations that disclosed the largest breaches last year included Facebook, Under Armour, Starwood Hotels and Quora. To put it into perspective, the vast majority of data breaches exposed the personal records of 10,000 people or fewer, whereas the top 12 breaches each exposed at least 100 million records.
Risk Based Security's analysis shows that financial services companies, technology firms, retailers, restaurants, hotels and other businesses were responsible for two thirds of the reported breaches. The medical and educational sectors, which are often criticized for having the weakest security, ironically exposed a combined total of less than 10 million records. Whether that is due to the targets hackers chose, or to a difference in overall security posture, is unclear.
In terms of personal data exposed, over 60% of breaches exposed email addresses, and approximately 57% included passwords. The proportion of breaches that exposed Social Security Numbers and credit card numbers was comparatively smaller, coming in at 13.9% and 12.3%, respectively.
The Risk Based Security report shows that hacking by malicious entities remained the leading cause of data breaches, at just over 57%. Web breaches, including those resulting from intrusions and from data made publicly accessible via search engines, comprised 39% of data breaches; however, they exposed more records. Internal breaches, whether accidental, malicious or negligent in cause, accounted for around 14% of all breaches in 2018.
Breach Disclosure Lag Sees No Improvement
A surprising piece of data revealed in the report was that the time organizations take from breach discovery to disclosure has not improved. This comes as a surprise to many, as the implementation of the European Union's GDPR and Canada's PIPEDA regulations was expected to put pressure on organizations to improve their breach disclosure times. Goddijn suggests that the reason for this could simply be a matter of reaching a plateau: it takes around two to three weeks to conduct a full-scale investigation and complete the analysis, and another two to three weeks to prepare and subsequently release the notification.
Source of Discovery Disappointment
One important piece of information gathered from the report is that over 70% of organizations that disclosed a data breach in 2018 learned of the event through an external third party. In contrast, of the 6,500 disclosed breaches, only 680 were discovered by internal sources. This data should be quite alarming to organizations of all sizes that rely on an internal team of "security experts" to ensure the security of their customers' personal data. Further, Goddijn comments, "Our assumption is that organizations that are better able to detect a breach will also be better positioned to respond."
Goddijn concluded, "Overall, we're encouraged by the results from 2018. The number of records exposed did come down about 36% compared to last year and while the number of breaches is still quite high, we did not see a repeat of widespread events like WannaCry and Petya/NotPetya. After year upon year of bad news, we'll take improvement where it can be found."
In summary, although the number of disclosed breaches is down compared to last year, the breach disclosure lag and the source of discovery should be a red flag to the majority of organizations that their current data security regimen leaves much room for improvement.
Penetration Testing dramatically reduces the potential for a breach.
At Packetlabs, our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from that of our competitors. Oftentimes, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities that are often missed by conventional testing methodologies.
We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients has been breached by a vulnerability we've missed; we take this very seriously.