[BreachExchange] Billions of records exposed: 2019 on track to be worst year ever for data breaches

Destry Winant destry at riskbasedsecurity.com
Thu Aug 22 10:00:43 EDT 2019


The number of data breaches resulting in exposed records is up by 54%
year over year in the first half of 2019, and the number of records
exposed in those breaches is up by 52%. More than 3,800 data breaches
were reported in the first six months of this year, and just eight of
those exposed more than 3.2 billion records, nearly 80% of all records
exposed so far in 2019.

In the first three months of 2019, some 1.9 billion records were
exposed in 1,903 recorded data breaches, implying that 1.4 billion
records were exposed in the second quarter. There were three breaches
in the first quarter and five in the second that resulted in the
exposure of 100 million or more records each, according to Risk Based
Security, the research and security firm that issued its 2019 Midyear
Quickview Data Breach Report Thursday morning. All told, those eight
breaches exposed 3.2 billion records.

The business sector was responsible for nearly 85% of the exposed
records and two-thirds of the reported breaches. The largest involved
the first-quarter release of nearly a billion names, email addresses
and other personally identifiable information from Verifications.io, a
firm that verifies or approves email addresses for third-party
customers. The leaked records were the result of leaving a database
unsecured and accessible to just about anyone who wanted a peek. The
good news is that no passwords or Social Security numbers were
included in the breached data.

The second-largest breach so far in 2019 was the second-quarter
exposure of personal data in 885 million records related to real
estate transactions at First American Financial. The third-largest
involved 540 million Facebook users' data exposed due to a
misconfigured database managed by Mexico-based Cultura Colectiva. All
three are among the top 10 breaches of all time based on the number of
records exposed.

Inga Goddijn, executive vice president and head of Cyber Risk
Analytics at Risk Based Security explains how they come about:

Quarter after quarter the pattern has repeated itself. The vast
majority of incidents are attributable to malicious actors outside an
organization. Unauthorized access of systems or services, skimmers and
exposure of sensitive data on the Internet have been the top three
breach types since January of 2018. However, insider actions, both
malicious and accidental, have driven the number of records exposed.

Risk Based Security noted more than 1,300 leaks in the first half of
2019 exposing email addresses and passwords. The average number of
records lost per leak was just 230. But those records remain
high-value targets for hackers: 70% of data types exposed in the first
half of this year were email addresses and 64% were email passwords.

Web-based breaches, primarily the result of leaving databases
accessible to third parties and failing to protect them, accounted for
just 149 breaches in the first six months of this year and more than
3.2 billion breached records.

More information about the BreachExchange mailing list