U.S. data breaches increased at record pace during first half of 2017

The number of data breaches in the United States tracked through June 30 hit a half-year record high of 791, according to recent numbers release by the Identity Theft Resource Center (ITRC) and CyberScout, a provider of identity protection solutions.

The half-year record represents a “significant jump” of 29% over 2016 figures during the same time period, CyberScout said in a press release last week. “At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37 per cent annual increase over 2016, when breaches reached an all-time record high of 1,093,” the identity protection solutions company said.

Sixty-seven per cent of data breach notifications or public notices did not report on the number of records impacted, an all-time record high that represents an increase of 13% over the first half of 2016 and a major hike over the 10-year average of 43%. To assess the impact of data breaches on employees and consumers, industry observers require accurate information about the number of records, which often include pieces of personal information such as names, social security numbers, financial account information, addresses, email addresses, phone numbers, dates of birth and other keys to identity theft. Current regulations don’t require this level of detail from most businesses, CyberScout noted.

“We have made progress in transparency regarding data breach notifications but this only goes so far when we do not have complete information,” said Eva Valasquez, ITRC president and CEO, said in the release. “The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts.”

By industry, the medical/healthcare sector “stands apart” when it comes to reporting most fully on the number of records compromised, due in part to mandatory reporting for healthcare industry breaches that impact 500 or more individuals, the release said. For the first half of 2017, 81.5% of the breaches reported to the United States Department of Health & Human Services included the number of records, equal to the first half of 2016.

Since 2005, the ITRC has identified data breaches in five industry sectors: financial (including banking and credit); health/medical; government/military; education; and business. So far in 2017, the business sector continues to top the list at 54.7% of the total breaches, followed by the healthcare/medical industry at 22.6%. The education sector ranks third at 11% of the total breaches followed by the banking/credit/financial industry at 5.8% and the government/military at 5.6%.

Hacking, which includes phishing, ransomware/malware and skimming, was the leading cause of data breaches in the first half of 2017, CyberScout reported. To date, 63% of the overall breaches involved hacking as the primary method of attack, an increase of 5% percent over 2016 figures. This was followed by employee error/negligence/improper disposal/lost at 9% and accidental web/Internet exposure at nearly 7%, both reflecting decreases from 2016 figures.

Within the hacking category, phishing was involved in nearly half (47.7%) of these attacks. Ransomware/malware, newly added in 2017, was present in 18.5% of the hacking attacks.

“Cyberattacks that target businesses are continuing to rise, as hackers aim to steal the most sensitive personal data and demand payoffs in crippling ransomware attacks,” said Matt Cullina, CEO of CyberScout, the report’s sponsor. “All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”

For consumers in the U.S., the “most effective route” to identity theft is through social security numbers, the release pointed out. Going hand-in-hand with the spearphishing attacks, which often target employee payroll information, is the exposure of social security numbers. During the first half of 2017, CyberScout reported, 60% of the breaches involved the exposure of social security numbers, down only slightly from the first half of 2016 (at 61%).

The exposure of credit/debit cards in the first half of 2017 rose slightly over 2016 figures, at 12.6% and 9.6% respectively, with several high profile data breaches in the hospitality and fast food sectors contributing to the increase. The number of records actually exposed in these incidents have not been reported.

“Because breaches have become ubiquitous, it is incumbent upon organizations that suffer a compromise to be candid and provide as much information as possible, so that consumers will have the best opportunity to mitigate their personal consequences,” said Adam Levin, chairman of Cyberscout, in the release. “While many businesses don’t necessarily have a handle on the depth and breadth of a breach, they could well be judged by customers, employees, regulators and the courts on how well they protected the information they stored as well as the urgency, transparency and empathy with which they responded once they were aware they had been hacked.”