Gretel Egan | March 06, 2019

Number of U.S. Data Breaches Dips in 2018, But PII Exposure Jumps 126%

It’s become a sad reality for many: Passwords, account numbers, healthcare data, and other pieces of personally identifiable information (PII) left exposed as a result of targeted attacks, employee error, or outright negligence. When these incidents happen, it’s not just a breach of data, but a breach of trust.

Unfortunately, as the 2018 End-of-Year Data Breach Report by the Identity Theft Resource Center (ITRC) states, we’re firmly in an era in which “breaches have become ‘the new normal.’” Now, the ITRC cautions, “It’s not so much a matter of ‘if’ a breach will happen, but ‘when’ a breach will happen.”

A Look at the Numbers

The dire tone of the report is warranted even with the news that the total number of breaches in 2018 (1,244) fell 23% from 2017 (1,632). That’s because the total number of exposed records was up a staggering 126% year-over-year (446,515,334 vs. 197,612,748). This alarming disclosure only compounds the concern: “Only half of the total number of breaches reported by the [ITRC] in 2018 reported the number of records exposed.” We discussed the issue of shadow data late last year, and the ITRC rightly notes that in these cases, “affected consumers [can’t receive] the action plans they need and deserve.”

Other key findings from the report include the following:

  • The Business and Medical/Healthcare sectors had the most reported breaches in 2018 (571 and 363, respectively). However, while Business had the lowest rate of exposure per breach, Medical/Healthcare had the highest rate of exposure per breach.
  • Hacking was at the root of the most breaches (482), but accounted for just 16 million of the records exposed.
  • Unauthorized Access had the second-highest number of breaches (377), and these led to the highest number of exposed records (404 million).
  • Accidental Exposure was the third most common breach type (114) and resulted in 22 million exposed records.
  • Employee Error/Negligence/Improper Disposal/Loss was the fourth most common breach type, leading to 12% of the total breaches in 2018.
  • Subcontractor and third-party breaches were more common in 2018, accounting for 8.2% of breaches (vs. 7.6% in 2017). These breach types were responsible for more than 25% of the records exposed in both the Education and Medical/Healthcare sectors.

How Consumers Can Take Action

Clearly, organizations in all industries should work diligently to close vulnerabilities within their infrastructures, proactively monitor for incoming threats, and educate employees to understand and apply cybersecurity best practices that can minimize risk to sensitive data. But, of course, attackers’ tenacity and skills can’t be questioned; even companies that prioritize security can fall victim to a data breach. In these cases, however, the ITRC says “there is something more [these organizations] can do if the worst does occur: provide more transparent reporting on exactly what type of data was compromised.”

The ITRC also calls on individuals to be more diligent about protecting and monitoring their PII—activities that would be made easier if breached organizations were to become more transparent. In the meantime, the year-end report offers several tips consumers can start using now to keep data more secure:

  • Limit the use of cross-platform logins – When you use social media credentials—like your Facebook user name and password—to log into multiple accounts, all of those accounts are at risk if those social credentials are breached. As the ITRC notes, “Unique user names and passwords as well as minimal sharing of personal data allows consumers to minimize their risk of identity theft.”
  • Question companies about their use of certain pieces of information – The ITRC calls out the travel and healthcare industries in particular in the report, and cautions that consumers should always question requests for identifiers like Social Security, driver’s license, and passport numbers, which may sometimes be needed for identification purposes in the moment but may not need to be recorded and/or stored longer-term. If you’re asked to provide this type of information, the report advises that all consumers ask about “the security of the housing and disposal of that data.”
  • Monitor your finances – Consumers need to stay on top of financial statements and open accounts, and quickly flag anything that seems out of the ordinary. It’s also a good idea to close accounts that aren’t regularly used. “Consistent monitoring of bank and credit card accounts, reading credit reports from major agencies, and immediately reporting fraud is crucial to staying ahead of thieves after your financial information,” the ITRC notes.
  • Don’t discount exposure of ‘non-sensitive’ PII – In addition to the more than 446 million sensitive records that were compromised in 2018, last year’s U.S. data breaches exposed more than 1.68 billion non-sensitive records. The ITRC warns that consumers should not dismiss the value of these pieces of personal information: “A consumer’s identity is similar to that of a puzzle and the more accurate pieces a thief has about someone, the more they can successfully represent that person.”
  • If you’re compromised, find out exactly what data has been exposed – If the worst happens, get up to speed as quickly and completely as possible. Thoroughly read disclosure letters and ask questions until you know which pieces of information have been breached. And take advantage of any available assistance (like credit monitoring services and no-cost resources offered by the ITRC) to help you navigate the post-breach waters.
