Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:30 PM
Connect Directly

Exposed Consumer Data Skyrocketed 126% in 2018

The number of data breaches dropped overall, but the amount of sensitive records exposed jumped to 446.5 million last year, according to the ITRC.

Good news: The number of data breaches reported in 2018 dropped 23% compared with 2017. Bad news: The number of sensitive consumer records exposed increased 126% year-over-year.

The data comes from the Identity Theft Resource Center (ITRC), which has been tracking publicly available breach disclosures and reporting on trends since 2005 alongside sponsor CyberScout. Its "2018 End-of-Year Data Breach Report" reflects severe compromise of sensitive consumer data and the methods with which cybercriminals now access personal information.

There were 1,244 breaches reported in 2018, marking a 23% drop from the year prior. But the reported number of consumer records containing personally identifiable information (PII) significantly increased from 197.6 million to 446.5 million – a 126% jump. ITRC notes the actual total number of records exposed is likely higher, given that only half of reported breaches disclose the number.

Sensitive PII wasn't the only type of data tracked for this year's report. The number of non-sensitive records (email addresses, passwords, usernames) exposed in data breaches amounted to an additional 1.68 billion compromised records exposed in only 37 of 1,244 incidents.

The lowest rate of exposure was in the business sector, which was hit with the most data breaches (571) but had the smallest amount of data compromised in each. Healthcare had the second-highest number of breaches (363) but had the highest rate of exposure at 9.92 million records total.

The ITRC's team took a look at the decline in breaches versus amount of information exposed and determined the explanation is twofold. First, businesses are creating more data troves, placing larger amounts of user-submitted data into on-prem and cloud-based stores. At the same time, attackers are scouring the Web for massive data sets, which makes it easier to achieve their goals.

The more data an attacker has on a victim, the easier it is to assume the person's identity, an ITRC spokesperson explains. If one vulnerable account grants access to birthdates, home and email addresses, Social Security numbers, and driver's license data, an attacker stops looking. Savvy hackers will take usernames and passwords and try to credential crack into more online accounts, where they could potentially access financial data, shopping history, or travel plans.

How They're Breaking In
Hacking was the most common breach tactic in 2018, seen in 482 data breaches. Considering the different types of breaches, it led to the third-highest exposure of data (16.7 million consumer records). In 2017 hacking was the most popular type of breach, as seen in 956 breaches, and ranked first for records exposed (168 million in total).

Unauthorized access was the second most common form of attack in 2018, when it led to 377 data breaches and exposed the most records, at 404 million. Accidental exposure was the cause behind 114 data breaches and ranked second for the total number of records exposed (22 million).

Other sources of data compromise included employee error/negligence/improper disposal, which made up 12% of 2018 incidents, insider theft (4%), and data on the move (2%).

The Big Ones
In a year when data breaches were day-to-day occurrences, some incidents stood out, ITRC researchers report.

The Marriott breach, for example, had the highest number of reported records exposed, with 383 million people affected worldwide. Google Plus was also attacked; 53 million people were affected, and the service was shut down. A major Facebook breach let hackers grab 50 million account tokens.

Some of 2018's biggest attacks involved social media platforms or community-based apps. Facebook, also affected by the Cambridge Analytica scandal, was the most notable compromised company. Cyberattacks also hit MyFitnessPal (150 million victims) and Quora (100 million victims), giving hackers access to usernames, email addresses, passwords, and fitness data.

The travel sector also saw its fair share of cyberattacks. Cathay Pacific, a major Hong Kong-based airline, disclosed a breach affecting 9.4 million passengers – the largest of any airline to date. Radisson Rewards notified customers of a breach when members of its programs were compromised in an incident, and Delta Airlines disclosed a major breach as well.

What You Can Do
The ITRC advises reconsidering the data you request from consumers and only ask for information necessary to run your business. If you run a bakery, do you need a driver's license number? Probably not.

Following the publication of the ITRC's 2018 report, security experts also weighed in to share best practices for securing consumer data. Anthony James, chief strategy officer at CipherCloud, urges companies to encrypt personal information in all machines and networks, including on-premise and SaaS-based applications, as well as custom IaaS-based applications.

"Recognize that it is more common to find cyberthieves attacking APIs, middleware, and database-only encryption," he says. "These are the new skirmish lines for cyberattacks, especially within the cloud where you're most vulnerable."

Colin Bastable, CEO of Lucy Security, points to the additional risk of working with third parties. The fewer moving parts involved with handling users' data, the safer their information is. For example, using Google or Facebook as a login intermediary puts people at chronic risk.

"By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blindsided," he says. "You reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised." Many business cloud applications use APIs to integrate with systems, and each connection drives the risk of hacking.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
2/14/2019 | 2:11:44 AM
Who is responsible?
The crux here is that people need to start to be more responsible about their own security. We cannot expect the computer and tech companies to have everything in place. I mean, we can probably impose such expectations on the whole industry, but at the end of the day, when the information gets leaked or tapped, who is the one that suffers? That's where the onus lies right?
User Rank: Strategist
2/13/2019 | 2:59:04 AM
Security lapses worrying
It is happening everywhere around the world and it is a very scary situation. As a layman, obviously the level of panic inflicted upon myself is relatively much lesser than that of an important figure. However, the lax security is what worries me and obviously other users as well especially when financial matters are concerned.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
APT Groups Set Sights on Linux Targets: Inside the Trend
Kelly Sheridan, Staff Editor, Dark Reading,  9/11/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-18
Directory traversal vulnerability in WHR-G54S firmware 1.43 and earlier allows an attacker to access sensitive information such as setting values via unspecified vectors.
PUBLISHED: 2020-09-18
Cross-site scripting vulnerability in WHR-G54S firmware 1.43 and earlier allows remote attackers to inject arbitrary script via a specially crafted page.
PUBLISHED: 2020-09-18
UNIQLO App for Android versions 7.3.3 and earlier allows remote attackers to lead a user to access an arbitrary website via the vulnerable App. As a result, if the access destination is a malicious website, the user may fall victim to the social engineering attack.
PUBLISHED: 2020-09-18
UNIQLO App for Android versions 7.3.3 and earlier allows remote attackers to lead a user to access an arbitrary website via a malicious App created by the third party. As a result, if the access destination is a malicious website, the user may fall victim to the social engineering attack.
PUBLISHED: 2020-09-18
** DISPUTED ** A buffer overflow vulnerability exists in the mg_get_http_header function in Cesanta Mongoose 6.18 due to a lack of bounds checking. A crafted HTTP header can exploit this bug. NOTE: a committer has stated "this will not happen in practice."