There were 6,515 publicly disclosed data compromise events through December 31, 2018, exposing over 5 billion sensitive records, according to Risk Based Security’s Year End 2018 Data Breach QuickView Report.
While the year ended below 2017’s high mark of 6,728 reported breaches, a slow trickle of new breach information continues and may end up placing 2018 in the top spot.
“It’s been an unusual year for breach activity,” commented Inga Goddijn, Executive Vice President of Risk Based Security. “We’ve been monitoring breach events for more than a dozen years now and this is the first time we’ve observed a slow start to the year followed by a growing number of disclosures as the months pass. We suspect various factors including the allure of crypto mining had an impact on breach activity early in the year, but disclosures rebounded throughout the summer and into the last quarter.”
Following on the theme of disclosure, this year the Data Breach Quick View Reports have been examining the average number of days between breach discovery and reporting.
Ms. Goddijn said of the work, “We were curious to see if the GDPR would have a discernible impact on how long it takes for an organization to go public with a breach report.” Curiously, the average number of days between discovery and disclosure has been approximately 49 days for the past two years. Ms. Goddijn commented, “From 2014 until 2017, the average number of days had been declining. We assumed awareness of GDPR reporting requirements would put pressure on organizations to continue to close the gap. So it was surprising to see 2018 end at an average of 49.6 days, slightly above 2017’s average of 48.6 days.”
One possible reason for the lack of improvement is the different obligations and timelines that apply for notifying regulators of a breach versus notifying individuals at risk of harm. It is worthwhile to keep in mind that while much has been said about the GDPR’s 72-hour window for reporting a breach to regulators, individuals need only be notified if there is a high risk of harm.
What’s more, if the notification to individuals is triggered, the notice must be made without unreasonable delay rather than within a specified number of days. As is evident from recent reports, this can generate a significant number of disclosures to regulators – ranging from minor data handling errors to serious data compromise events – but not necessarily impact the number of breaches that actually see the light of day.
Ms. Goddijn concluded, “Overall, we’re encouraged by the results from 2018. The number of records exposed did come down about 36% compared to last year and while the number of breaches is still quite high, we did not see a repeat of widespread events like WannaCry and Petya/NotPetya. After year upon year of bad news, we’ll take improvement where it can be found.”