More than 6,500 data breaches were reported in 2018, a new report from Risk Based Security shows.
The breaches, both big and small, were reported through Dec. 31, 2018 — marking a 3.2% decline from the 6,728 breaches reported in 2017 and making it the second-most active year for data breaches on record. Some 5 billion records were exposed, or about 36% less than the nearly 8 billion records exposed in breaches in 2017. In addition, more records were compromised last year than in any previous year than 2017 and 2005.
As has been the case previously, a handful of mega breaches accounted for a vast proportion of the compromised records. In 2018, the 10 largest breaches accounted for approximately 3.6 billion exposed records — or a startling 70% of the total. In all, 12 breaches in 2018 exposed at least 100 million records. Organizations that disclosed the largest breaches last year included Facebook, Under Armor, Starwood Hotels, and Quora.
For a vast majority of breaches, however, the number of exposed records was 10,000 or less — as has been the case since at least 2012.
The medical and education sectors, often denigrated for having poor security, ironically enough exposed far fewer records than other supposedly more secure sectors. Risk Based Security's analysis shows that financial services companies, technology firms, retailers, restaurants, hotels, and other businesses were responsible for nearly 66% of the reported breaches and a near identical proportion of the records that were exposed last year. In contrast, the medical and education sectors combined exposed less than 10 million records.
More than six in 10 of the breaches exposed email addresses, and about 57% involved passwords. The proportion of breaches that exposed Social Security numbers and credit card numbers — the two most valuable pieces of data for criminals — was somewhat smaller in contrast, at 13.9% and 12.3%, respectively.
Risk Based Security's report shows that hacking by malicious external actors remained the cause for most data breaches (57.1%), but Web breaches, such as those resulting from intrusions and data publicly accessible via search engines, exposed more records (39.3%). Insider breaches — of the accidental, negligent, and malicious variety — accounted for about 14% of all breaches last year.
The Breach Disclosure Struggle
One surprise in the data was the scant progress that organizations appear to be making in closing the gap between breach discovery and breach disclosure, says Inga Goddijn, executive vice president at Risk Based Security.
The data shows that government and private institutions took an average of 49.6 days last year to publicly report a breach after its initial discovery. That was actually marginally longer than the 48.6 days it took in 2017, suggesting that organizations are struggling to speed up incident response despite the increased pressure on them to do so in recent years.
"What we found was, after three years of closing the gap between discovery and reporting, the average number of days between those two dates was stagnant in 2018," Goodijn says.
The general anticipation was that mandates such as the European Union's General Data Protection Regulation would put pressure on enterprise organizations to improve breach disclosure times. So it was surprising to see little movement on that front last year. "It's hard to say why it is still taking nearly 50 days to disclose a breach," Goodijn notes. "It could be we have reached a plateau, where it simply takes two to three weeks to conduct a full investigation and another two to three weeks to work through preparing and releasing a notification."
The GDPR also has a clear distinction between disclosing a breach to authorities and notifying victims about it, Goddijn says. The mandate requires breach entities to inform data regulators in their jurisdictions about the incident within 72 hours. But it offers some discretion around when and even whether an organization needs to notify those impacted by a breach "So even if an event is swiftly reported to privacy regulators, it is possible the event will be publicly disclosed weeks later, if at all," Goddijn says.
Risk Based Security's report does not include "dwell time," or the duration between when an attacker first breaks into a network and when the intrusion is first discovered. But it does show that nearly 70% of organizations that disclosed a data breach in 2018 learned of it from an external source. In fact, only 680 of the more than 6,500 disclosed breaches last year were internally discovered.
"If we look at the rate of internal discovery verses external discovery, we can see that many organizations are still learning of the incident from external sources, such as law enforcement, fraud detection, independent researchers, or even their own customers," Goddijn notes. "Our assumption is that organizations that are better able to detect a breach will also be better positioned to respond. That's something we'll be taking a closer look at in 2019."
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.