Over 6,500 Data Breaches and More Than 5 Billion Records Exposed in 2018
February 13, 2019 • RBS
Risk Based Security today announced the release of its Year End 2018 Data Breach QuickView Report, showing there were 6,515 publicly disclosed data compromise events through December 31, 2018, exposing over 5 billion sensitive records. While the year ended below 2017’s high mark of 6,728 reported breaches, a continuing slow trickle of new breach information may end up placing 2018 in the top spot.
“It’s been an unusual year for breach activity,” commented Inga Goddijn, Executive Vice President of Risk Based Security. “We’ve been monitoring breach events for more than a dozen years now and this is the first time we’ve observed a slow start to the year followed by a growing number of disclosures as the months pass. We suspect various factors including the allure of crypto mining had an impact on breach activity early in the year, but disclosures rebounded throughout the summer and into the last quarter.”
Following on the theme of disclosure, this year the Data Breach Quick View Reports have been examining the average number of days between breach discovery and reporting. Ms Goddijn said of the work, “we were curious to see if the General Data Protection Regulation (GDPR) would have a discernible impact on how long it takes for an organization to go public with a breach report.” Curiously, the average number of days between discovery and disclosure has been approximately 49 days for the past two years. Ms Goddijn commented, “from 2014 until 2017, the average number of days had been declining. We assumed awareness of GDPR reporting requirements would put pressure on organizations to continue to close the gap. So it was surprising to see 2018 end at an average of 49.6 days, slightly above 2017’s average of 48.6 days.”
One possible reason for the lack of improvement is the different obligations and timelines that apply for notifying regulators of a breach versus notifying individuals at risk of harm. It is worthwhile to keep in mind that while much has been said about the GDPR’s 72-hour window for reporting a breach to regulators, individuals need only be notified if there is a high risk of harm. What’s more, if the notification to individuals is triggered, the notice must be made without unreasonable delay rather than within a specified number of days. As is evident in recent reporting, this can generate a significant number of disclosures to regulators – ranging from minor data handling errors to serious data compromise events – but not necessarily impact the number of breaches that actually see the light of day.
Ms Goddijn concluded, “overall, we’re encouraged by the results from 2018. The number of records exposed did come down about 36% compared to last year and while the number of breaches is still quite high, we did not see a repeat of widespread events like WannaCry and Petya/NotPetya. After year upon year of bad news, we’ll take improvement where it can be found.”
About the Data Breach QuickView Report
The Data Breach QuickView report is possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ analysis of breach activity disclosed in 2018. Contact Risk Based Security for any focused analysis of the 2018 breaches of specific interest to your organization.
Tune In To The 2018 Year End Data Breach Quick View Report Webinar
We invite you to attend “The Data Breach Landscape – Trends and Highlights From 2018” webinar being held on February 28th at 11:30 a.m. Central where we’ll take a deeper dive into the Year End Data Breach report. Please click the link below to register or watch on demand:
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one easy-to-use web portal.
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
Risk Based Security has a suite of products that enables organizations to make data-driven decisions to effectively manage and prioritize risk mitigation. See how VulnDB, Cyber Risk Analytics, and YourCISO can help you or your vendors stay secure in this rapidly evolving environment.