Over 5,200 Data Breaches Make 2017 An Exceptional Year For All The Wrong Reasons
February 6, 2018 • RBS
In an all too common refrain, 2017 claims the dubious record of the most breaches and most records compromised in a year.
RICHMOND, VA, February 6, 2018 — Risk Based Security today announced the release of the 2017 Data Breach QuickView Report, showing that once again, the record has been broken for both the most breaches and the most data compromised in a year. There were 5,207 breaches recorded last year, surpassing 2015’s previous high mark by nearly 20%. The number of records compromised also surpassed all other years with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.
“The level of breach activity this year was disheartening”, commented Inga Goddijn, Executive Vice President for Risk Based Security. “We knew things were off to a bad start once the phishing season for W-2 data kicked into high gear. But by the time April 18th came and went, breach disclosures leveled off and we went into summer hopeful the worst was behind us. Unfortunately, that wasn’t the case.”
The increased level of breach activity has been observed by the cyber insurance industry as well. Manny Cho, EVP at Risk Placement Services, a national insurance brokerage and sponsor of the Year End QuickView Report, added, “the use of malware and ransomware such as WannaCry and NotPetya impacted companies and individuals across the globe. While large breaches continue to grab the headlines, SMEs are losing money and assets to hacker organizations every day thanks to increased phishing and spoofing attacks.”
In addition to the number of breaches and amount of data lost, 2017 stood out for another reason. For the past eight years, hacking has exposed more records than any other breach type. In 2017, breach type Web – which is largely comprised of accidentally exposing sensitive data to the Internet – took over the top spot, compromising 68.8% or 5.4 billion records. Hacking still remained the leading breach type, accounting for 55% of reported incidents, but its impact on records exposed fell to the number two spot, with 2.3 billion records compromised. For the first time since 2008, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusion into networks.
“We’re seeing a lot of interest in calling out organizations that mishandle sensitive data”, said Ms Goddijn. “Several of the security researchers that are actively engaged in searching for exposed datasets are no longer willing to keep their findings confidential. Likewise, more individuals are calling out breaches when they discover their own data is exposed.”
A prime example of this is the August breach impacting 11,887 Aetna members. An unnamed mail processing vendor working for Aetna sent letters to HIV patients, informing them of changes to the prescription fulfillment process. Unfortunately the lettershop used envelopes with an especially large glassine window, exposing highly sensitive HIV status information. The breach was brought to light by a letter recipient – triggering both civil lawsuits and an investigation by the New York Attorney General and ending with Aetna agreeing to pay $18.3 million in order to settle the various proceedings. While this is an extreme example, 2017 saw many other situations where customers, clients and unrelated third parties discovered the problem and chose to take action.
Comparing the number of breaches discovered internally to the number of breaches found by outsiders highlights one dynamic behind the trend. Of the 3,904 breaches with a confirmed discovery method, only 728, or 18.6%, were discovered by the organization responsible for protecting the data. The remaining 3,176 were found by law enforcement, external fraud detection or monitoring, customers, or unrelated parties, including disclosure by the malicious actors themselves. While there is not a direct correlation between discovery method and interest in publicizing breach activity, this data does show that the majority of breaches still go undetected by the compromised organization.
Risk Based Security has been capturing and aggregating data breach events for well over a decade. The resulting wealth of breach data coupled with actionable security ratings for organizations has made Risk Based Security a leader in vendor risk management, cyber insurance and risk modeling. For more information, contact Risk Based Security at 855-RBS-RISK or visit www.riskbasedsecurity.com.
About the Data Breach QuickView Report
The Data Breach QuickView report is possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ analysis of breach activity disclosed in 2017. Contact Risk Based Security for any specific analysis of the 2017 data breaches of specific interest to your organization.
You can get your copy of the Year End 2017 Data Breach QuickView Report here:
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.
Cyber Risk Analytics (CRA) provides actionable organization security risk ratings and data breach intelligence. Our threat intelligence empowers organizations to reduce exposure to the threats most likely to impact them and their vendor base. Our PreBreach security risk ratings, the result of a deep-view into the metrics driving cyber exposures, are used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.
YourCISO provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal. YourCISO provides organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.
About Risk Placement Services
Risk Placement Services, Inc. (RPS), one of the nation’s largest intermediaries, offers valuable solutions in wholesale brokerage, binding authority, programs and standard lines. Headquartered in Rolling Meadows, Illinois, RPS has more than 80 branch office and satellite locations, creating a coast-to-coast network of offices with retailer needs in mind. RPS places well over $3.1 billion in premium annually, demonstrating the company’s strength and market presence. RPS leverages local knowledge, regional expertise and national relationships to deliver winning proposals to each retail broker partner and provide knowledge-based coverage solutions for each situation.
The RPS Executive Lines division specializes in protecting individuals and their companies against a wide range of executive risks and other professional liabilities. Market-leading specialists in public, private, and nonprofit Directors & Officers (D&O), Errors & Omissions (E&O), Fiduciary, Crime, and Kidnap & Ransom insurance products, RPS Executive Lines provides total management insurance solutions via 100 different insurance markets. Additionally, they help clients pinpoint hidden exposures to loss and fortify them against vulnerabilities, ultimately improving their risk profile.
For additional information please email [email protected]