Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:30 PM
Connect Directly

Exposed Consumer Data Skyrocketed 126% in 2018

The number of data breaches dropped overall, but the amount of sensitive records exposed jumped to 446.5 million last year, according to the ITRC.

Good news: The number of data breaches reported in 2018 dropped 23% compared with 2017. Bad news: The number of sensitive consumer records exposed increased 126% year-over-year.

The data comes from the Identity Theft Resource Center (ITRC), which has been tracking publicly available breach disclosures and reporting on trends since 2005 alongside sponsor CyberScout. Its "2018 End-of-Year Data Breach Report" reflects severe compromise of sensitive consumer data and the methods with which cybercriminals now access personal information.

There were 1,244 breaches reported in 2018, marking a 23% drop from the year prior. But the reported number of consumer records containing personally identifiable information (PII) significantly increased from 197.6 million to 446.5 million – a 126% jump. ITRC notes the actual total number of records exposed is likely higher, given that only half of reported breaches disclose the number.

Sensitive PII wasn't the only type of data tracked for this year's report. The number of non-sensitive records (email addresses, passwords, usernames) exposed in data breaches amounted to an additional 1.68 billion compromised records exposed in only 37 of 1,244 incidents.

The lowest rate of exposure was in the business sector, which was hit with the most data breaches (571) but had the smallest amount of data compromised in each. Healthcare had the second-highest number of breaches (363) but had the highest rate of exposure at 9.92 million records total.

The ITRC's team took a look at the decline in breaches versus amount of information exposed and determined the explanation is twofold. First, businesses are creating more data troves, placing larger amounts of user-submitted data into on-prem and cloud-based stores. At the same time, attackers are scouring the Web for massive data sets, which makes it easier to achieve their goals.

The more data an attacker has on a victim, the easier it is to assume the person's identity, an ITRC spokesperson explains. If one vulnerable account grants access to birthdates, home and email addresses, Social Security numbers, and driver's license data, an attacker stops looking. Savvy hackers will take usernames and passwords and try to credential crack into more online accounts, where they could potentially access financial data, shopping history, or travel plans.

How They're Breaking In
Hacking was the most common breach tactic in 2018, seen in 482 data breaches. Considering the different types of breaches, it led to the third-highest exposure of data (16.7 million consumer records). In 2017 hacking was the most popular type of breach, as seen in 956 breaches, and ranked first for records exposed (168 million in total).

Unauthorized access was the second most common form of attack in 2018, when it led to 377 data breaches and exposed the most records, at 404 million. Accidental exposure was the cause behind 114 data breaches and ranked second for the total number of records exposed (22 million).

Other sources of data compromise included employee error/negligence/improper disposal, which made up 12% of 2018 incidents, insider theft (4%), and data on the move (2%).

The Big Ones
In a year when data breaches were day-to-day occurrences, some incidents stood out, ITRC researchers report.

The Marriott breach, for example, had the highest number of reported records exposed, with 383 million people affected worldwide. Google Plus was also attacked; 53 million people were affected, and the service was shut down. A major Facebook breach let hackers grab 50 million account tokens.

Some of 2018's biggest attacks involved social media platforms or community-based apps. Facebook, also affected by the Cambridge Analytica scandal, was the most notable compromised company. Cyberattacks also hit MyFitnessPal (150 million victims) and Quora (100 million victims), giving hackers access to usernames, email addresses, passwords, and fitness data.

The travel sector also saw its fair share of cyberattacks. Cathay Pacific, a major Hong Kong-based airline, disclosed a breach affecting 9.4 million passengers – the largest of any airline to date. Radisson Rewards notified customers of a breach when members of its programs were compromised in an incident, and Delta Airlines disclosed a major breach as well.

What You Can Do
The ITRC advises reconsidering the data you request from consumers and only ask for information necessary to run your business. If you run a bakery, do you need a driver's license number? Probably not.

Following the publication of the ITRC's 2018 report, security experts also weighed in to share best practices for securing consumer data. Anthony James, chief strategy officer at CipherCloud, urges companies to encrypt personal information in all machines and networks, including on-premise and SaaS-based applications, as well as custom IaaS-based applications.

"Recognize that it is more common to find cyberthieves attacking APIs, middleware, and database-only encryption," he says. "These are the new skirmish lines for cyberattacks, especially within the cloud where you're most vulnerable."

Colin Bastable, CEO of Lucy Security, points to the additional risk of working with third parties. The fewer moving parts involved with handling users' data, the safer their information is. For example, using Google or Facebook as a login intermediary puts people at chronic risk.

"By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blindsided," he says. "You reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised." Many business cloud applications use APIs to integrate with systems, and each connection drives the risk of hacking.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
2/14/2019 | 2:11:44 AM
Who is responsible?
The crux here is that people need to start to be more responsible about their own security. We cannot expect the computer and tech companies to have everything in place. I mean, we can probably impose such expectations on the whole industry, but at the end of the day, when the information gets leaked or tapped, who is the one that suffers? That's where the onus lies right?
User Rank: Strategist
2/13/2019 | 2:59:04 AM
Security lapses worrying
It is happening everywhere around the world and it is a very scary situation. As a layman, obviously the level of panic inflicted upon myself is relatively much lesser than that of an important figure. However, the lax security is what worries me and obviously other users as well especially when financial matters are concerned.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/ action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.