Once again, the record has been broken for both the most breaches and the most data compromised in a year. There were 5,207 breaches recorded last year, surpassing 2015’s previous high mark by nearly 20%, according to the 2017 Data Breach QuickView Report by Risk Based Security.
The number of records compromised also surpassed all other years with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.
“The level of breach activity this year was disheartening”, commented Inga Goddijn, Executive VP for Risk Based Security. “We knew things were off to a bad start once the phishing season for W-2 data kicked into high gear. But by the time April 18th came and went, breach disclosures leveled off and we went into summer hopeful the worst was behind us. Unfortunately, that wasn’t the case.”
Record number of exposed records
In addition to the number of breaches and amount of data lost, 2017 stood out for another reason. For the past eight years, hacking has exposed more records than any other breach type. In 2017, breach type Web – which is largely comprised of accidentally exposing sensitive data to the Internet – took over the top spot compromising 68.8% or 5.4 billion records.
Hacking still remained the leading breach type, account for 55% of reported incidents, but its impact on records exposed fell to the number two spot, with 2.3 billion records compromised. For the first time since 2008, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusion into networks.
“We’re seeing a lot of interest in calling out organizations that mishandle sensitive data”, said Ms Goddijn. “Several of the security researchers that are actively engaged in searching for exposed datasets are no longer willing to keep their findings confidential. Likewise, more individuals are calling out breaches when they discover their own data is exposed.”
A prime example of this is the August breach impacting 11,887 Aetna members. An unnamed mail processing vendor working for Aetna sent letters to HIV patients, informing them of changes to the prescription fulfillment process. Unfortunately the letter shop used envelopes with an especially large glassine window, exposing highly sensitive HIV status information.
The breach was brought to light by a letter recipient – triggering both civil lawsuits and an investigation by the New York Attorney General and ending with Aetna agreeing to pay $18.3 million in order to settle the various proceedings. While this is an extreme example, 2017 saw many other situations where customers, clients and unrelated third parties discovered the problem and chose to take action.
Types of breaches
Comparing the number of breaches discovered internally to the number of breaches found by outsiders highlights one dynamic behind the trend. Of the 3,904 breaches with a confirmed discovery method, only 728 or 18.6%, were discovered by the organization responsible for protecting the data.
The remaining 3,176 were found by law enforcement, external fraud detection or monitoring, customers, or unrelated parties including disclosure by the malicious actors themselves. While there is not a direct correlation between discovery method and interest in publicizing breach activity, this data does show that the majority of breaches still go undetected by the compromised organization.