Data breaches soared by 17% in 2019: ‘We also saw the rise of a significant new threat’

Data breaches were on the rise last year, but there’s a silver lining.

The number of reported data breaches rose 17% to 1,473 in 2019 from 1,257 a year earlier, according to a new report by the nonprofit Identity Theft Resource Center, suggesting that a trend-defying drop in data breaches recorded in 2018 was a mere “blip.”

ITRC president and CEO Eva Velasquez called the recent rise in data breaches “a serious issue.”

“It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed,” Velasquez said in a statement. “The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed.”

But the ITRC analysis, which was sponsored by the cybersecurity solutions company CyberScout, also found there was a roughly 50% drop in the number of overall records exposed in 2019, and a 65% reduction — from more than 471 million in 2018 to under 165 million in 2019 — in the exposure of “sensitive personally identifiable information.”

The 2018 Marriott breach, during which the hospitality company announced there had been unauthorized access of up to 383 million records, including passport numbers and payment card numbers, skewed the sensitive-records data “significantly,” the ITRC said. (Marriott did not immediately respond to a request for comment.)

Personally identifiable information (PII) can include Social Security numbers, driver’s license numbers, bank-account information and dates of birth, the ITRC says. Fraudsters who gain access to certain sensitive information can go on to open new lines of credit, commit identity theft and make fraudulent financial charges. Experts recommend that consumers protect against identity fraud by freezing their credit with the major credit bureaus and monitoring their financial transactions.

“We also saw the rise of a significant new threat — data exposure from unsecured databases — and growth of an existing tactic known as credential stuffing where data thieves use seemingly innocuous information like stolen email addresses and logins to attempt to access various kinds of accounts,” the ITRC report said. “Third-party vendors also continued to be a source of data breaches through accidental release or supply chain cyberattacks.”

What’s more, many companies in 2019 didn’t password-protect their cloud-based data, the report said. It remains largely unknown whether criminals ever accessed this data.

The average total cost of a data breach for U.S. businesses is nearly $8.2 million, the highest of any country sampled, according to a 2019 analysis sponsored by IBM Security and conducted by the Ponemon Institute, a privacy and security research center. The average cost per lost record in the U.S. is $242, and the health-care industry has the highest industry average for cost per record, found the report, which was based on interviews with 500 companies in 16 states and regions that had experienced recent data breaches.

While the greatest number of data breaches in 2019 occurred in the business sector (644), making up 44% of all 2019 breaches, the ITRC found that these business-sector breaches exposed just 11% of all sensitive records. In fact, banking, credit and financial-sector breaches in 2019 were responsible for exposing some 61% of the sensitive records, despite having just 8% of breaches that year.

Of course, 2019 was the year Capital One revealed that a hacker had accessed the personal information of more than 100 million people, including Social Security numbers for around 140,000 people and 80,000 bank-account numbers. This breach accounted for 99% of sensitive records exposed within that sector, the ITRC said. (Capital One did not immediately return a request for comment.)

The nonprofit also warned that non-sensitive personally identifiable information, like user names and passwords, had increasingly become targets “as many people use non-sensitive PII, such as usernames and passwords, to guard sensitive PII such as financial account details.”

Many consumers reuse online credentials or use similar ones for the ease of remembering, the ITRC added. But bad actors can leverage their initial access to non-sensitive information into accessing “a wide variety of personal information” if people use the same credentials for both sensitive and non-sensitive accounts. One way to avoid this pitfall is to use a password manager.

Hacking accounted for the highest share of data breaches at 39%, followed by “unauthorized access” at 36.5%. But the latter method accounted for 86% of the sensitive records exposed.