Q3 2015 Data Breach QuickView Report – A Record Breaking Year in the Making

Risk Based Security is pleased to announce the release of the Q3 Data Breach QuickView report. It has been a busy year in terms of activity, with over 3,000 data breaches reported in the first three quarters of 2015.

The higher than usual breach activity began early with the first quarter showing warning signs that indicated 2015 would be one for the record books. As the year progressed, the number of reported data breaches began to spike. Now, with the close of the third quarter, there is no denying that 2015 will be the worst year on record for the total number of disclosed data breach incidents.

The numbers tell the story:

  • A 29% increase in the number of incidents reported compared to YTD last year
  • A 40% increase in the number of incidents exposing 1 Million or more records
  • Three mega events in the third quarter alone, each exposing more than 10 Million records

Despite the increased activity, it’s not all bad news. Overall the number of records compromised for the year stands just short of 370 million, the lowest exposed record count since 2012. What’s more, there has been virtually no change in the percentage of incidents exposing between 1 and 1,000 records. This remains steady, between 55% and 60% of all reported incidents, indicating overall severity is unchanged.

The researchers at RBS have been tracking two interesting trends this year. While hacking consistently takes the top spot as the leading cause of data breaches and fraud usually occupies second place, skimming has made an unexpected appearance in the number 2 position this quarter. Several state-wide efforts to find and remove skimming devices at gas stations and ATMs are a driving factor behind this increase. However, one cannot help but wonder if the desire to cash in on old magnetic strip technology before the shift to chip embedded payment cards played a role in this unusual blip in skimming activity.

Another notable trend this year is the number of repeat events taking place at the same organization. In total, over 1,400 organizations in the RBS database have reported more than one data breach. In 2015 alone, 99 organizations reported multiple breaches.

The clearest example of this is the Office of Personnel Management. Much has been written about the massive data compromise that took place this past June. But looking back over OPM’s experience, the trouble started long before this summer. As early as July 2014 there were reports of unauthorized access to security clearance application data. Another breach followed seven months later with the revelation that user credentials at KeyPoint Government Solutions had been compromised and used to gain access to governmental workers’ personal information. The signs were clear; OPM data had been in the crosshairs of attackers for at least a year before the massive breach in June.

While governmental agencies appear to be especially prone to multiple events, no industry segment is immune to repeated security failures. Is it the lure of valuable data that keeps some organizations in the crosshairs? Or is it questionable security practices that make them easy targets? Either way, there is no denying that repeated events at the same organization cannot be discounted as mere coincidence.

About the Data Breach QuickView Report

The Data Breach QuickView report is intended to be an executive level summary of the key findings from RBS’ analysis of the first half of 2015’s data breach incidents. Contact Risk Based Security for your customized analysis of data breaches or discuss Cyber Risk Analytics.

You can view the 2015 Data Breach QuickView report here:

https://www.riskbasedsecurity.com/reports/2015-Q3DataBreachQuickView.pdf

About Risk Based Security, Inc.

Risk Based Security is a leading-edge security and threat intelligence company. We provide the most timely, highest quality and most fully comprehensive vulnerability and data breach intelligence services available. Data intelligence is the basis for our project and information security services including ISO/IEC 27001, SDL and our virtual YourCISO service.

For more information, please contact us via email or call 855-RBS-RISK.