U.S. data breaches tracked hit an all-time record high of 1,093 last year, representing a substantial hike of 40% over the near record high of 780 reported in 2015.
The stats, from the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911), raise the question: Are there actually more breaches, or is it because more states are making this information publicly available?
With support from CyberScout, the ITRC has been able to heighten its efforts in tracking breaches nationwide by seeking out information on breach incidents through direct contact with numerous states’ attorney general offices as well as by submitting Freedom of Information Act requests.
For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available. This year a number of states took this step by making data breach notifications public on their websites. The ITRC Data Breach Report 2016 now includes information from more than a dozen state agencies.
Since 2005, the ITRC has been identifying data breaches in five industry sectors. In 2016, the business sector again topped the list in the number of data breach incidents, with 494 reported, representing 45.2% of the overall number of breaches. This was followed by the healthcare/medical industry (377 incidents), representing 34.5% of the overall total. The education sector (98) followed at 9.0%, the government/military (72) at 6.6% and the banking/credit/financial sector (52) at 4.8%.
In 2007, the ITRC began adding categories to identify data breach incidents by the “type of occurrence.” For the eighth consecutive year, hacking/skimming/phishing attacks were the leading cause of data breach incidents, accounting for 55.5% of the overall number of breaches, which is an increase of 17.7% over 2015 figures. Of these, many were a result of CEO spear phishing efforts (also known as business email compromise schemes) in which highly sensitive data, typically information required for state and federal tax filings, was exposed. As early as February, the IRS had already seen a 400% surge in this type of activity, prompting both consumer and industry alerts addressing this issue.
Breaches involving accidental email/internet exposure of information were the second most common type of breach incident at 9.2% of the overall number of breaches, followed by employee error at 8.7%. With the exception of hacking, all other categories reflected decreases from 2015 figures.
Since 2010, the ITRC has been tracking breaches involving Social Security numbers (SSNs) and credit card/debit card numbers. Exposure of SSNs was evidenced in 52.0% of the overall number of breaches in 2016, representing an increase of 8.2 percent over 2015 figures. Exposure of records involving credit/debit cards, at 13.1%, reflects a decrease of 7.4% from 2015. With that said, it is important to remember that most data breach notifications or media reports do not include the type of information exposed. The spike in SSN exposures is in clear alignment with the surge of CEO spear phishing attacks, which target this type of information.
CyberScout says the database compromises of 2016 confirmed yet again that breaches are the third certainty in life and we are all living in a constant state of cyber insecurity. Hackers and identity thieves continue to evolve. They are very sophisticated, extremely creative and dogged in their pursuit of what is ours. More than half of the breaches reported by the ITRC included the skeleton key to our lives: the Social Security number. This trend, which has accelerated since 2015, when just four breaches exposed over 120 million Social Security numbers to state-sponsored hackers and cyber criminals, represents the point of no return for millions of Americans.
While credit and debit card numbers can be changed, SSNs cannot. Therefore, monitoring and damage control become even more important than ever before. Consumers must become better informed as to the risks inherent in this dangerous digital world, be more alert to the signs of individual compromise and know what to do to contain and reverse the damage or take advantage of identity theft protection services offered by their insurers, employers or financial services firms.
Regarding the reporting of the known number of records exposed, half (50.7%) of the overall number of breach notifications did not include this information. However, due to the mandatory reporting requirement for healthcare industry breaches affecting 500 or more individuals, 84 percent of the healthcare breaches publicly stated the number of records exposed.
It should also be noted that several large-scale breaches in 2016, which only involved usernames, passwords, or emails, while included on the list, did not specify the vast number of records exposed because this type of information does not typically trigger most data breach notification laws.
The ITRC Breach List is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. Breaches on this list typically have exposed information that could potentially lead to identity theft, including Social Security numbers, financial account information, driver’s license numbers and medical information. This data breach information, and available statistics, have become a valuable resource for media, businesses and consumers looking to become more informed on the need for best practices, privacy and security measures in all areas – both personal and professional.