According to Risk Based Security’s Q3 2019 Data Breach QuickView Report, the total number of breaches was up 33.3% compared to Q3 2018, with 5,183 breaches reported in the first nine months of 2019.
Number of breaches by attack vector, reported by 9/30/19
Breach activity in 2019
Breach activity in 2019 is living up to being “the worst year on record”. Although the total number of breaches is on track to break previous year records, the total number of records exposed has already surpassed the 2017 year end total. 7.9 billion records have already been exposed and we are on track to reach as high as 8.5 billion.
“As we look over the experience of 2019, what stands out is that we are often our own worst enemy” commented Inga Goddijn, Executive Vice President at Risk Based Security. “Whether it’s a phishing campaign that ultimately provides malicious actors with a toehold into systems or misconfigured databases and services that leave millions of sensitive records freely available on the internet, it seems to be human nature coupled with weak controls that contributed heavily to the number and severity of breaches we’ve seen this year.”
Most breached organization type
The Q3 2019 Data Breach QuickView Report covers the data breaches reported between January 1st and September 30th, 2019.
Key findings state that by NAICS economic sector, medical services, retailers and public entities experienced the most breaches, but when all business-related sectors are combined, general business remains the most breached organization type. Looking further into data breach landscape, hacking remains the top breach type for number of incidents while Web has exposed the most records this year.
“This year over 6 billion records have been made freely accessible thanks to misconfigured databases, backups, end points, and services,” said Goddijn. “The widespread availability of tools useful for identifying such leaks coupled with an interest in reporting – as well as taking advantage of – these exposures has fueled the growth in the number of records compromised.”
Number of breaches by global location, reported by 9/30/19
How can organizations protect themselves?
With the number of publicly disclosed events showing no signs of slowing, researchers ask whether efforts should focus on minimizing a breach’s impact rather than on prevention alone.
Ms. Goddijn concludes, “We are often asked ‘what should be done to stop this’ but perhaps the better question is ‘what can be done to minimize the impact’. If we accept the axiom ‘it’s not a matter of if, but when’ an organization will be breached – then solely focusing on prevention is not the solution. A vibrant risk management strategy coupled with incident response planning can go a long way towards minimizing the damage that can come from a security event.”