Attacks/Breaches

9/20/2017
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

1.9 Billion Data Records Exposed in First Half of 2017

Every second, 122 records are exposed in breaches around the globe, a new report shows. And that's doesn't even include the new Equifax breach data.

More than 10 million data records are pilfered or lost every day around the world, a rate of more than 7,000 per minute: and that's only the numbers from breaches that go public.

Some 1.9 billion data records were exposed in breaches in the first half of this year, a dramatic increase of 164% from the second half of 2016, according to the Breach Level Index for the first half of 2017, compiled by Gemalto.

"It blows me away at this moment that every single day, more than 10 million pieces of data are exposed," says Jason Hart, vice president and CTO for data protection at Gemalto.

If you (rightfully) think those numbers are dire, just wait until after the General Data Protection Regulation (GDPR) kicks in next year and European organizations are required to report breaches of information that previously may have been kept under wraps.

"With GDPR kicking in next year in Europe, you'll have noticeable data breach" reporting increases, Hart notes. "This is just a drop in the ocean compared to what we're going to see."

Gemalto's midyear report crunches data from all publicly disclosed data breaches around the globe. There were a total of 918 data breaches reported, and more than 500 of those involved an unknown number of compromised accounts, so the full number of exposed records for the first half is actually not available. The company has counted more than 9 billion exposed data records from breaches since 2013 when it first began its Breach Level Index.

The report does not include the most recent big data breach revelation from Equifax.

Personally identifiable information, payment card data, financial data, and medical information were among the types of information exposed in the breaches. Nearly three-fourths of the breaches involved exposure of data that could be used for identity theft, and 74% came from outside attackers, an increase of 23% from last year. Just under 20% were the result of internal inadvertent data loss or exposure.

Encryption remains a missing link for protecting data: less than 1% of the exposed data in the first half of 2017 was encrypted. That's actually a decline of 4% in encryption from the last half of 2016. Overall, 42 of the publicly revealed breaches in the first half of 2017 involved data that was either fully or partially encrypted, which kept the data secured and useless to attackers.

"The annoying thing from my point of view is people just think by applying privacy controls, they are going to solve the problem" of breaches, Hart says. "It's not. That's a false sense of security. Security should be closest to the actual data" you're trying to protect, he says.

The education sector experienced a 103% increase in breaches and a 4,000% jump in the number of resulting exposed data records. That was mostly due to a major insider breach at a Chinese private educational firm earlier this year.

Healthcare suffered the highest number of breaches (228) worldwide, accounting for one-fourth of all such incidents.

Geographically, North America ranked at the top for the number of breaches and exposed data records, with more than 86% of the share in both cases. Breaches there were up 23% and the number of records, up 201%, according to the Breach Level Index.

  

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mjohnson681
50%
50%
mjohnson681,
User Rank: Apprentice
9/24/2017 | 3:16:32 PM
Make Data Records Worthless for Bad Guys
Instead of trying to continue to unsuccessfully protect data, why not implement sufficient controls to make the data worthless for the bad guys?  See post on LinkedIn.

https://www.linkedin.com/pulse/give-up-cybersecurity-programs-matthew-r-johnson-cpa-cisa
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/21/2017 | 9:13:31 AM
Re: A post-privacy world
Rule of Life - your data is ALREADY exposed.  From there, you can proceed to at least control of the type of data your have the world SEE.  I am against SS numbers as identifiers and shut down that practice is a good thing.  Keep any financially significant data OFFLINE as much as you canl.  (I mean on secondary hard drives turned OFF and not spinning.)  Passwords - complex, change frequently.  Monitor documents.  But assume you are already exposed and work from there.
MetLife-dams
50%
50%
MetLife-dams,
User Rank: Apprentice
9/21/2017 | 8:27:58 AM
Re: A post-privacy world
You're totally right, the privacy is already gone. These kind of situation will increase more and more with the time.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/20/2017 | 3:00:44 PM
Re: A post-privacy world
The data is certainly discouraging,  especially knowing this doesn't include Equifax nor unreported breaches in Europe, pre-GDPR. The common theme among most of these breaches is a failure in basic security hygeine. 
cybersavior
100%
0%
cybersavior,
User Rank: Strategist
9/20/2017 | 2:30:20 PM
A post-privacy world
It's time to think about how we live and participate in the global financial system with the knowledge that data elements you dutifully protected are now out of control and released.  Your personal data and details are out there.  It's the end of privacy as we know it.  The breaches that this article describes are merely the ones that we know about.  Many/most other companies are or have been owned.  Identification and auhorization need to make a quantum leap in positivity.  Do we submit to chip implantation or choose to live off the financial grid? 
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.
CVE-2018-17322
PUBLISHED: 2018-09-22
Cross-site scripting (XSS) vulnerability in index.php/index/category/index in YUNUCMS 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the area parameter.
CVE-2018-14889
PUBLISHED: 2018-09-21
CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability.
CVE-2018-14890
PUBLISHED: 2018-09-21
Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console.
CVE-2018-14891
PUBLISHED: 2018-09-21
Management Console in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local privilege escalation vulnerability.