Gretel Egan | October 27, 2017

Scary Data Breach Statistics of 2017

2017-Data-Breach-Statistics.jpgOn October 25, the Identity Theft Resource Center (ITRC) published its latest compilation of confirmed data breach notifications affecting US organizations and customers so far this year.* The headline numbers — 1,120 total breaches and more than 171 million records exposed — are frightening in their own right, especially considering that in all of 2016, the ITRC reported 1,039 total breaches and just over 36.6 million records exposed. But what really stood out to us in this latest look at the report wasn’t the numbers that are known, but the numbers that remain unknown.

Acknowledging the Fear of the Unknown

The ITRC identifies the number of breaches and the number of records exposed in five categories:

  1. Banking/Credit/Financial
  2. Business
  3. Educational
  4. Government/Military
  5. Medical/Healthcare

The report’s one-page summary shows the high-level numbers for each of these categories, as well as totals and how the categories relate to one another, percentage-wise. But it’s the full report that is truly eye-opening: It lists the breaches within each category and the number of records exposed in each incident, but it also notes incidents in which the number of records exposed is unknown. The following table illustrates how little we actually know about the level of personal data exposure that is happening on a daily basis:


Total Number of Breaches

Total Number of Records Exposed

Number of Breaches with Total Records Identified

Number of Breaches with Total Records Unknown


























Source: ITRC Data Breach Report dated 10/25/2017


We explore end users' understanding of ten cybersecurity topics and how their knowledge levels are impacting security postures across a range of industries. 

Download the Beyond the Phish Report


In total, well more than half — 699 of 1,120, or 62.4% — of the total number of breaches have a question mark tied to them with regard to impacted records. The disparity is mainly due to the lack of disclosure noted in the banking, business, and education categories. It is alarming to see how little is being made public about breaches in these sectors. It certainly appears that consumers benefit from the increased (albeit forced) transparency within the government and healthcare categories, as far as disclosure goes (though that is no doubt offset by the fact that more than 10 million records have been exposed so far this year in those two categories alone).

The even sadder reality of the situation is this: What we don’t know about US data breach totals (to say nothing of global totals) extends far beyond this report. The ITRC self-discloses that its report only includes data from breaches that have been confirmed/published by a “credible source”; items are excluded if the ITRC is “not certain that the source is real and credible.”

That, of course, means that organizations would have to formally — and publicly — disclose a breach in order for it to be counted, which we know is not happening as often as it should. As Adam Levin, Chairman of ITRC report sponsor CyberScout (formerly IDT911), noted back in 2016, “Many [breaches] continue to fly under the radar because many businesses aim to avoid the financial dislocation, liability, and loss of goodwill that comes with disclosure and notification.”

Recognizing the Role of the User in Data Breach Prevention

While cybercriminals are certainly working overtime to infiltrate organizations, the rise in data breaches is partly due to lack of cybersecurity awareness and knowledge among end users. In its half-year analysis of the 2017 US data breach landscape, the ITRC and CyberScout noted the following about the sources of identified data breaches:

  • Hacking (a category that includes phishing, ransomware/malware, and skimming) was the primary method of attack in 63% of the overall breaches.
    • Phishing figured into 47.7% of hacking-based attacks.
    • Ransomware and/or malware was identified in 18.5% of attacks attributed to hacking.
  • Employee-driven factors (i.e., error, negligence, improper disposal, and loss) were the root cause of 9% of breaches.
  • Accidental online exposure of data was identified in nearly 7% of breaches.

In examining these causes, it’s clear that employee behaviors figure into a large number of data breaches — and that human factor is costly. But the question is: Do your employees truly know how to avoid mistakes?

We’d make the case that users can’t forget things that they they’ve never known. Awareness is not knowledge. Simulated phishing attacks — while valuable assessment tools — are not training. And cybersecurity threats extend beyond the phish. To manage end-user risk more effectively, you must give your employees a seat at the table and empower them to be part of the solution — and thoughtful, ongoing security awareness training can help you do just that.


* Per the ITRC: “A breach is defined as an event in which an individual’s name plus Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card is potentially put at risk — either in electronic or paper format. For data breach incidents involving only emails, user names, and/or passwords, the number of records are not included in the overall total number of records.”

Subscribe to Our Blog

2018 State of the Phish Report  Protect your organization from phishing attacks. Download Now
2018 Beyond the Phish Report  Protect your organization from threats including and beyond phishing. Download Now