Businesses and healthcare sectors hardest hit
SAN DIEGO, Calif. and PROVIDENCE, R.I. —July 18, 2017—The number of U.S. data breaches tracked through June 30, 2017 hit a half-year record high of 791, according to recent numbers released by the Identity Theft Resource Center (ITRC) and CyberScout. This represents a significant jump of 29 percent over 2016 figures during the same time period. At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37 percent annual increase over 2016, when breaches reached an all-time record high of 1,093.
Sixty-seven percent of data breach notifications or public notices did not report on the number of records impacted, an all-time record high that represents an increase of 13 percent over the first half of 2016 and a major hike over the 10-year average of 43 percent. To assess the impact of data breaches on employees and consumers, industry observers require accurate information about the number of records, which often include pieces of personal information such as names, Social Security numbers, financial account information, addresses, email addresses, phone numbers, dates of birth and other keys to identity theft. Current regulations don’t require this level of detail from most businesses.
The Medical/Healthcare industry stands apart when it comes to reporting most fully on the number of records compromised, due in part to mandatory reporting for healthcare industry breaches that impact 500 or more individuals. For the first half of 2017, 81.5 percent of the breaches reported to Health & Human Services included the number of records, equal to the first half of 2016. It should be noted that breaches in the Medical/Healthcare sector involving employee information, and not Protected Health Information (PHI), do not need to be reported under the HITECH Act.
“We have made progress in transparency regarding data breach notifications but this only goes so far when we do not have complete information. The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts,” said Eva Velasquez, ITRC President and CEO.
Said Adam Levin, Chairman of CyberScout, the report’s sponsor: “Because breaches have become ubiquitous, it is incumbent upon organizations that suffer a compromise to be candid and provide as much information as possible, so that consumers will have the best opportunity to mitigate their personal consequences. While many businesses don’t necessarily have a handle on the depth and breadth of a breach, they could well be judged by customers, employees, regulators and the courts on how well they protected the information they stored as well as the urgency, transparency and empathy with which they responded once they were aware they had been hacked.”
Since 2005, the ITRC has identified data breaches in five industry sectors: financial (including banking and credit); health/medical; government/military, education and business. So far in 2017, the business sector continues to top the list at 54.7 percent of the total breaches, followed by the healthcare/medical industry at 22.6 percent. The education sector ranks third at 11 percent of the total breaches followed by the Banking/Credit/Financial industry at 5.8 percent and the government/military at 5.6 percent.
Hacking, which includes phishing, ransomware/malware and skimming, was the leading cause of data breaches in the first half of 2017. To date, 63 percent of the overall breaches involved hacking as the primary method of attack, an increase of 5.0 percent over 2016 figures. This was followed by Employee Error/Negligence/Improper Disposal/Lost at 9.0 percent and Accidental Web/Internet Exposure at nearly 7 percent, both reflecting decreases from 2016 figures.
Within the hacking category, phishing was involved in nearly half (47.7 percent) of these attacks. Ransomware/malware, newly added in 2017, was present in 18.5 percent of the hacking attacks.
Said Matt Cullina, CEO of CyberScout, the report’s sponsor, “Cyber attacks that target businesses are continuing to rise, as hackers aim to steal the most sensitive personal data and demand payoffs in crippling ransomware attacks. All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”
The bad news for consumers: cyber criminals are intent on stealing their Social Security numbers, the most effective route to identity theft. Going hand in hand with the spearphishing attacks, which often target employee payroll information, is the exposure of Social Security numbers (SSN). During the first half of 2017, 60 percent of the breaches involved the exposure of SSNs, down only slightly from the first half of 2016 (at 61 percent).
The exposure of credit/debit cards in the first half of 2017 rose slightly over 2016 figures, at 12.6 percent and 9.6 percent respectively. Several high profile data breaches in the hospitality and fast food sectors have contributed to this increase. Again, the number of records actually exposed in these incidents have not been reported.
About the Identity Theft Resource Center
Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. The ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: http://www.idtheftcenter.org
As the industry leader for over 13 years, CyberScout has been setting the gold standard for identity and data defense services – from proactive protection and education to successful resolution. Formerly IDT911, CyberScout combines boots-on-the-ground experience with high-touch personal service to help commercial clients and individuals minimize risk and maximize recovery. To learn more, visit www.cyberscout.com.