[BreachExchange] 3,813 breaches were reported through June 30, exposing over 4.1 billion records

Destry Winant destry at riskbasedsecurity.com
Mon Aug 19 10:05:30 EDT 2019


The number of reported breaches has gone up by 54% and the number of
exposed records by 52% compared to the first six months of 2018,
according to the 2019 MidYear QuickView Data Breach Report, released
by Risk Based Security.

The research shows that eight breaches reported within Q1 and Q2 of
2019 accounted for 3.2 billion records exposed; three of these being
among the largest breaches of all time.

“Looking over the first six months of 2019, it is hard to be
optimistic on the outlook for the year,” commented Inga Goddijn,
Executive Vice President of Risk Based Security. “The number of
breaches is up and the number of records exposed remains stubbornly
high. Despite best efforts and awareness among business leaders and
defenders, data breaches continue to take place at an alarming rate.”

The MidYear QuickView Data Breach Report tracks publicly disclosed
breaches and records exposed within 2019 so far. The key findings
state that the Business Sector accounted for 67% of reported breaches,
which continues the trend observed in the Q1 2019 report. Further
analysis of these breaches states that the Business Sector was
responsible for 84.6% of records exposed.

When asked about her observations on this activity, Ms. Goddijn
commented, “Quarter after quarter the pattern has repeated itself. The
vast majority of incidents are attributable to malicious actors
outside an organization. Unauthorized access of systems or services,
skimmers and exposure of sensitive data on the Internet have been the
top three breach types since January of 2018. However, insider
actions, both malicious and accidental, have driven the number of
records exposed.”

Unauthorized access of systems or services, referred to as hacking in
the report, is still the number one breach type, with phishing being a
tried-and-true first step for gaining access to systems and services.
Interestingly enough, phishing for credentials often leads to
providing attackers with access to users’ email accounts.

While the data held in email may not be as easily monetized as other
datasets, it does lead to the exposure of unusual or unexpected types
of data. Some of the more unusual data elements exposed this year
include electronic signatures, calendars, marriage certificates, and
company-issued employee ID numbers.

Ms. Goddijn concluded, “While the landscape does look bleak, we have
seen bright spots this year. Some organizations are choosing to report
incidents that might have gone unreported in the past. The most recent
example of this came up just a few days ago, when Monzo Bank opted to
report customers’ account PINs being inadvertently stored in internal
logs that were accessible to their engineering teams. Once the issue
was identified, the bank had it corrected and disclosed within 5 days.
A breach is rarely good news but a fast response coupled with open
communication speaks well of the organization. We hope to see more
organizations following Monzo’s lead as the year unfolds.”
