Good news: The number of data breaches reported in 2018 dropped 23% compared with 2017. Bad news: The number of sensitive consumer records exposed increased 126% year-over-year.
The data comes from the Identity Theft Resource Center (ITRC), which has been tracking publicly available breach disclosures and reporting on trends since 2005 alongside sponsor CyberScout. Its "2018 End-of-Year Data Breach Report" reflects severe compromise of sensitive consumer data and the methods with which cybercriminals now access personal information.
There were 1,244 breaches reported in 2018, marking a 23% drop from the year prior. But the reported number of consumer records containing personally identifiable information (PII) significantly increased from 197.6 million to 446.5 million – a 126% jump. ITRC notes the actual total number of records exposed is likely higher, given that only half of reported breaches disclose the number.
Sensitive PII wasn't the only type of data tracked for this year's report. The number of non-sensitive records (email addresses, passwords, usernames) exposed in data breaches amounted to an additional 1.68 billion compromised records exposed in only 37 of 1,244 incidents.
The lowest rate of exposure was in the business sector, which was hit with the most data breaches (571) but had the smallest amount of data compromised in each. Healthcare had the second-highest number of breaches (363) but had the highest rate of exposure at 9.92 million records total.
The ITRC's team took a look at the decline in breaches versus amount of information exposed and determined the explanation is twofold. First, businesses are creating more data troves, placing larger amounts of user-submitted data into on-prem and cloud-based stores. At the same time, attackers are scouring the Web for massive data sets, which makes it easier to achieve their goals.
The more data an attacker has on a victim, the easier it is to assume the person's identity, an ITRC spokesperson explains. If one vulnerable account grants access to birthdates, home and email addresses, Social Security numbers, and driver's license data, an attacker stops looking. Savvy hackers will take usernames and passwords and try those credentials against other online accounts, where they could potentially access financial data, shopping history, or travel plans.
How They're Breaking In
Hacking was the most common breach tactic in 2018, seen in 482 data breaches. Considering the different types of breaches, it led to the third-highest exposure of data (16.7 million consumer records). In 2017 hacking was the most popular type of breach, as seen in 956 breaches, and ranked first for records exposed (168 million in total).
Unauthorized access was the second most common form of attack in 2018, when it led to 377 data breaches and exposed the most records, at 404 million. Accidental exposure was the cause behind 114 data breaches and ranked second for the total number of records exposed (22 million).
Other sources of data compromise included employee error/negligence/improper disposal, which made up 12% of 2018 incidents, insider theft (4%), and data on the move (2%).
The Big Ones
In a year when data breaches were day-to-day occurrences, some incidents stood out, ITRC researchers report.
The Marriott breach, for example, had the highest number of reported records exposed, with 383 million people affected worldwide. Google Plus was also attacked; 53 million people were affected, and the service was shut down. A major Facebook breach let hackers grab 50 million account tokens.
Some of 2018's biggest attacks involved social media platforms or community-based apps. Facebook, also affected by the Cambridge Analytica scandal, was the most notable compromised company. Cyberattacks also hit MyFitnessPal (150 million victims) and Quora (100 million victims), giving hackers access to usernames, email addresses, passwords, and fitness data.
The travel sector also saw its fair share of cyberattacks. Cathay Pacific, a major Hong Kong-based airline, disclosed a breach affecting 9.4 million passengers – the largest of any airline to date. Radisson Rewards notified customers of a breach after members of its loyalty program were compromised in an incident, and Delta Air Lines disclosed a major breach as well.
What You Can Do
The ITRC advises reconsidering the data you request from consumers and asking only for the information necessary to run your business. If you run a bakery, do you need a driver's license number? Probably not.
Following the publication of the ITRC's 2018 report, security experts also weighed in to share best practices for securing consumer data. Anthony James, chief strategy officer at CipherCloud, urges companies to encrypt personal information in all machines and networks, including on-premise and SaaS-based applications, as well as custom IaaS-based applications.
"Recognize that it is more common to find cyberthieves attacking APIs, middleware, and database-only encryption," he says. "These are the new skirmish lines for cyberattacks, especially within the cloud where you're most vulnerable."
Colin Bastable, CEO of Lucy Security, points to the additional risk of working with third parties. The fewer moving parts involved with handling users' data, the safer their information is. For example, using Google or Facebook as a login intermediary puts people at chronic risk.
"By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blindsided," he says. "You reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised." Many business cloud applications use APIs to integrate with systems, and each connection drives the risk of hacking.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis.