Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/20/2017
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

1.9 Billion Data Records Exposed in First Half of 2017

Every second, 122 records are exposed in breaches around the globe, a new report shows. And that's doesn't even include the new Equifax breach data.

More than 10 million data records are pilfered or lost every day around the world, a rate of more than 7,000 per minute: and that's only the numbers from breaches that go public.

Some 1.9 billion data records were exposed in breaches in the first half of this year, a dramatic increase of 164% from the second half of 2016, according to the Breach Level Index for the first half of 2017, compiled by Gemalto.

"It blows me away at this moment that every single day, more than 10 million pieces of data are exposed," says Jason Hart, vice president and CTO for data protection at Gemalto.

If you (rightfully) think those numbers are dire, just wait until after the General Data Protection Regulation (GDPR) kicks in next year and European organizations are required to report breaches of information that previously may have been kept under wraps.

"With GDPR kicking in next year in Europe, you'll have noticeable data breach" reporting increases, Hart notes. "This is just a drop in the ocean compared to what we're going to see."

Gemalto's midyear report crunches data from all publicly disclosed data breaches around the globe. There were a total of 918 data breaches reported, and more than 500 of those involved an unknown number of compromised accounts, so the full number of exposed records for the first half is actually not available. The company has counted more than 9 billion exposed data records from breaches since 2013 when it first began its Breach Level Index.

The report does not include the most recent big data breach revelation from Equifax.

Personally identifiable information, payment card data, financial data, and medical information were among the types of information exposed in the breaches. Nearly three-fourths of the breaches involved exposure of data that could be used for identity theft, and 74% came from outside attackers, an increase of 23% from last year. Just under 20% were the result of internal inadvertent data loss or exposure.

Encryption remains a missing link for protecting data: less than 1% of the exposed data in the first half of 2017 was encrypted. That's actually a decline of 4% in encryption from the last half of 2016. Overall, 42 of the publicly revealed breaches in the first half of 2017 involved data that was either fully or partially encrypted, which kept the data secured and useless to attackers.

"The annoying thing from my point of view is people just think by applying privacy controls, they are going to solve the problem" of breaches, Hart says. "It's not. That's a false sense of security. Security should be closest to the actual data" you're trying to protect, he says.

The education sector experienced a 103% increase in breaches and a 4,000% jump in the number of resulting exposed data records. That was mostly due to a major insider breach at a Chinese private educational firm earlier this year.

Healthcare suffered the highest number of breaches (228) worldwide, accounting for one-fourth of all such incidents.

Geographically, North America ranked at the top for the number of breaches and exposed data records, with more than 86% of the share in both cases. Breaches there were up 23% and the number of records, up 201%, according to the Breach Level Index.

  

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mjohnson681
50%
50%
mjohnson681,
User Rank: Apprentice
9/24/2017 | 3:16:32 PM
Make Data Records Worthless for Bad Guys
Instead of trying to continue to unsuccessfully protect data, why not implement sufficient controls to make the data worthless for the bad guys?  See post on LinkedIn.

https://www.linkedin.com/pulse/give-up-cybersecurity-programs-matthew-r-johnson-cpa-cisa
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/21/2017 | 9:13:31 AM
Re: A post-privacy world
Rule of Life - your data is ALREADY exposed.  From there, you can proceed to at least control of the type of data your have the world SEE.  I am against SS numbers as identifiers and shut down that practice is a good thing.  Keep any financially significant data OFFLINE as much as you canl.  (I mean on secondary hard drives turned OFF and not spinning.)  Passwords - complex, change frequently.  Monitor documents.  But assume you are already exposed and work from there.
MetLife-dams
50%
50%
MetLife-dams,
User Rank: Apprentice
9/21/2017 | 8:27:58 AM
Re: A post-privacy world
You're totally right, the privacy is already gone. These kind of situation will increase more and more with the time.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/20/2017 | 3:00:44 PM
Re: A post-privacy world
The data is certainly discouraging,  especially knowing this doesn't include Equifax nor unreported breaches in Europe, pre-GDPR. The common theme among most of these breaches is a failure in basic security hygeine. 
cybersavior
100%
0%
cybersavior,
User Rank: Strategist
9/20/2017 | 2:30:20 PM
A post-privacy world
It's time to think about how we live and participate in the global financial system with the knowledge that data elements you dutifully protected are now out of control and released.  Your personal data and details are out there.  It's the end of privacy as we know it.  The breaches that this article describes are merely the ones that we know about.  Many/most other companies are or have been owned.  Identification and auhorization need to make a quantum leap in positivity.  Do we submit to chip implantation or choose to live off the financial grid? 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...