The number of reported breaches has gone up by 54% and the number of exposed records by 52% compared to the first six months of 2018 according to the 2019 MidYear QuickView Data Breach Report, released by Risk Based Security.
The research shows that eight breaches reported within Q1 and Q2 of 2019 accounted for 3.2 billion records exposed; three of these being among the largest breaches of all time.
“Looking over the first six months of 2019, it is hard to be optimistic on the outlook for the year,” commented Inga Goddijn, Executive Vice President of Risk Based Security. “The number of breaches is up and the number of records exposed remains stubbornly high. Despite best efforts and awareness among business leaders and defenders, data breaches continue to take place at an alarming rate.”
The MidYear QuickView Data Breach Report tracks publicly disclosed breaches and records exposed within 2019 so far. The key findings state that The Business Sector accounted for 67% of reported breaches, which continues the trend observed in the Q1 2019 report. From these breaches, further analysis states that The Business Sector was then responsible for 84.6% of records exposed.
When asked about her observations on this activity, Ms. Goddijn commented, “Quarter after quarter the pattern has repeated itself. The vast majority of incidents are attributable to malicious actors outside an organization. Unauthorized access of systems or services, skimmers and exposure of sensitive data on the Internet have been the top three breach types since January of 2018. However, insider actions, both malicious and accidental, have driven the number of records exposed.”
Unauthorized access of systems or services, referred to as hacking in the report, is still the number one breach type with phishing being a tried and true first step for gaining access to systems and services. Interestingly enough, phishing for credentials often leads to providing attackers with access to users’ email accounts.
While the data held in email may not be as easily monetized as other datasets, it does lead to the exposure of unusual or unexpected types of data. Some of the more unusual data elements exposed this year include electronic signatures, calendars, marriage certificates, and company issued employee ID numbers.
Ms. Goddijn concluded, “While the landscape does look bleak, we have seen bright spots this year. Some organizations are choosing to report incidents that might have gone unreported in the past. The most recent example of this came up just a few days ago, when Monzo Bank opted to report customers’ account PINs being inadvertently stored in internal logs that were accessible to their engineering teams. Once the issue was identified, the bank had it corrected and disclosed within 5 days. A breach is rarely good news but a fast response coupled with open communication speaks well of the organization. We hope to see more organizations following Monzo’s lead as the year unfolds.”