[BreachExchange] Over 6,500 Data Breaches and More Than 5 Billion Records Exposed in 2018
Destry Winant
destry at riskbasedsecurity.com
Wed Feb 13 10:10:27 EST 2019
https://www.riskbasedsecurity.com/2019/02/over-6500-data-breaches-and-more-than-5-billion-records-exposed-in-2018/
Risk Based Security today announced the release of its Year End 2018
Data Breach QuickView Report, showing there were 6,515 publicly
disclosed data compromise events through December 31, 2018, exposing
over 5 billion sensitive records. While the year ended below 2017’s
high mark of 6,728 reported breaches, a continuing slow trickle of new
breach information may end up placing 2018 in the top spot.
“It’s been an unusual year for breach activity,” commented Inga
Goddijn, Executive Vice President of Risk Based Security. “We’ve been
monitoring breach events for more than a dozen years now and this is
the first time we’ve observed a slow start to the year followed by a
growing number of disclosures as the months pass. We suspect various
factors including the allure of crypto mining had an impact on breach
activity early in the year, but disclosures rebounded throughout the
summer and into the last quarter.”
Following on the theme of disclosure, this year the Data Breach Quick
View Reports have been examining the average number of days between
breach discovery and reporting. Ms Goddijn said of the work, “we were
curious to see if the General Data Protection Regulation (GDPR) would
have a discernible impact on how long it takes for an organization to
go public with a breach report.” Curiously, the average number of days
between discovery and disclosure has been approximately 49 days for
the past two years. Ms Goddijn commented, “from 2014 until 2017, the
average number of days had been declining. We assumed awareness of
GDPR reporting requirements would put pressure on organizations to
continue to close the gap. So it was surprising to see 2018 end at an
average of 49.6 days, slightly above 2017’s average of 48.6 days.”
One possible reason for the lack of improvement is the different
obligations and timelines that apply for notifying regulators of a
breach versus notifying individuals at risk of harm. It is worthwhile
to keep in mind that while much has been said about the GDPR’s 72 hour
window for reporting a breach to regulators, individuals need only be
notified if there is a high risk of harm. What’s more, if the
notification to individuals is triggered, the notice must be made
without unreasonable delay rather than within a specified number of
days. As is evident in recent reporting, this can generate a
significant number of disclosures to regulators – ranging from minor
data handling errors to serious data compromise events – but not
necessarily impact the number of breaches that actually see the light
of day.
Ms Goddijn concluded, “overall, we’re encouraged by the results from
2018. The number of records exposed did come down about 36% compared
to last year and while the number of breaches is still quite high, we
did not see a repeat of widespread events like WannaCry and
Petya/NotPetya. After year upon year of bad news, we’ll take
improvement where it can be found.”
About the Data Breach QuickView Report
The Data Breach QuickView report is possible through the research
conducted by Risk Based Security. It is designed to provide an
executive level summary of the key findings from RBS’ analysis of
breach activity disclosed in 2018. Contact Risk Based Security for any
focused analysis of the 2018 breaches of specific interest to your
organization.
Get your copy of the Year End 2018 Data Breach QuickView Report
Tune In To The 2018 Year End Data Breach Quick View Report Webinar
We invite you to attend “The Data Breach Landscape – Trends and
Highlights From 2018” webinar being held on February 28th at 11:30
a.m. Central where we’ll take a deeper dive into the Year End Data
Breach report. Please click the link below to register or watch on
demand:
Register For The Data Breach Landscape Webinar
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis
on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence.
Our products, Cyber Risk Analytics (CRA) and VulnDB, provide
organizations access to the most comprehensive threat intelligence
knowledge bases available, including advanced search capabilities,
access to raw data via API, and email alerting to assist organizations
in taking the right actions in a timely manner. In addition, our
YourCISO offering provides organizations with on-demand access to high
quality security and information risk management resources in one,
easy to use web portal.
Cyber Risk Analytics (CRA) provides actionable threat intelligence
about organizations that have had a data breach or leaked credentials.
This enables organizations to reduce exposure to the threats most
likely to impact them and their vendor base. In addition, our
PreBreach vendor risk rating, the result of a deep-view into the
metrics driving cyber exposures, is used to better understand the
digital hygiene of an organization and the likelihood of a future data
breach. The integration of PreBreach ratings into security processes,
vendor management programs, cyber insurance processes and risk
management tools allows organizations to avoid costly risk
assessments, while enabling businesses to understand their risk posture
and act quickly and appropriately to proactively protect their most critical
information assets.
For more information, please visit:
https://www.riskbasedsecurity.com/
https://vulndb.cyberriskanalytics.com/
https://www.cyberriskanalytics.com/
https://www.yourciso.com/