[BreachExchange] Over 5, 200 Data Breaches Make 2017 An Exceptional Year For All The Wrong Reasons

Inga Goddijn inga at riskbasedsecurity.com
Tue Feb 6 11:45:38 EST 2018


Risk Based Security today announced the release of the 2017 Data Breach
QuickView Report
showing that once again, the record has been broken for both the most
breaches and the most data compromised in a year. There were 5,207 breaches
recorded last year, surpassing 2015’s previous high mark by nearly 20%. The
number of records compromised also surpassed all other years with over 7.8
billion records exposed, a 24.2% increase over 2016’s previous high of 6.3


“The level of breach activity this year was disheartening”, commented Inga
Goddijn, Executive Vice President for Risk Based Security. “We knew things
were off to a bad start once the phishing season for W-2 data kicked into
high gear. But by the time April 18th came and went, breach disclosures
leveled off and we went into summer hopeful the worst was behind us.
Unfortunately, that wasn’t the case.”

The increased level of breach activity has been observed by the cyber
insurance industry as well. Manny Cho, EVP at Risk Placement Services, a
national insurance brokerage and sponsor of the Year End QuickView Report
added, “the use of malware and ransomware such as WannaCry and NotPetya
impacted companies and individuals across the globe. While large breaches
continue to grab the headlines, SMEs are losing money and assets to hacker
organizations every day thanks to increased phishing and spoofing attacks.”

In addition to the number of breaches and amount of data lost, 2017 stood
out for another reason. For the past eight years, hacking has exposed more
records than any other breach type. In 2017, breach type Web – which is
largely comprised of accidentally exposing sensitive data to the Internet –
took over the top spot compromising 68.8% or 5.4 billion records. Hacking
still remained the leading breach type, account for 55% of reported
incidents, but its impact on records exposed fell to the number two spot,
with 2.3 billion records compromised. For the first time since 2008,
inadvertent data exposure and other data mishandling errors caused more
data loss than malicious intrusion into networks.

“We’re seeing a lot of interest in calling out organizations that mishandle
sensitive data”, said Ms Goddijn. “Several of the security researchers that
are actively engaged in searching for exposed datasets are no longer
willing to keep their findings confidential. Likewise, more individuals are
calling out breaches when they discover their own data is exposed.”

A prime example of this is the August breach impacting 11,887 Aetna members
An unnamed mail processing vendor working for Aetna sent letters to HIV
patients, informing them of changes to the prescription fulfillment
process. Unfortunately the lettershop used envelopes with an especially
large glassine window, exposing highly sensitive HIV status information.
The breach was brought to light by a letter recipient – triggering both
civil lawsuits and an investigation by the New York Attorney General and
ending with Aetna agreeing to pay $18.3 million in order to settle the
various proceedings. While this is an extreme example, 2017 saw many other
situations where customers, clients and unrelated third parties discovered
the problem and chose to take action.

Comparing the number of breaches discovered internally to the number of
breaches found by outsiders highlights one dynamic behind the trend. Of the
3,904 breaches with a confirmed discovery method, only 728 or 18.6%, were
discovered by the organization responsible for protecting the data. The
remaining 3,176 were found by law enforcement, external fraud detection or
monitoring, customers, or unrelated parties including disclosure by the
malicious actors themselves. While there is not a direct correlation
between discovery method and and interest in publicizing breach activity,
this data does show that the majority of breaches still go undetected by
the compromised organization.

Risk Based Security has been capturing and aggregating data breach events
for well over a decade. The resulting wealth of breach data coupled with
actionable security ratings for organizations has made Risk Based Security
a leader in vendor risk management, cyber insurance and risk modeling. For
more information, contact Risk Based Security at 855-RBS- RISK or visit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180206/31718896/attachment.html>

More information about the BreachExchange mailing list