Millions of Payment Cards and Social Security Numbers Exposed
What do Aetna, Anthem, Chipotle, Dow Jones, Equifax, Forever 21, Hyatt Hotels, Kmart, Sabre, Trump Hotels, VeriFone, Verizon and Whole Foods Market have in common?
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
All suffered and disclosed a data breach in 2017. And they weren’t the only ones.
In fact, the Identity Theft Resource Center, a U.S. non-profit organization set up to help ID theft victims, reports that in 2017, the number of U.S. data breaches reached an all-time high.
In 2017, ITRC counted 1,579 U.S. breaches, up 45 percent from 2016. That doesn’t reflect every U.S. data breach last year. Rather, it’s a count based on the data breach notifications that an organization is legally required to issue to authorities or residents of most states, if it suspects that their personal details may have been exposed (see Health Data Breach Tally Update: A Puzzling Omission).
Hardest Hit: Business Sector
A new report from ITRC, sponsored by identity theft monitoring service CyberScout, finds that out of all 1,579 breaches, most hit the business sector:
- Business: 55 percent;
- Medical/healthcare: 24 percent;
- Banking/credit/financial: 9 percent;
- Education: 8 percent;
- Government/military: 5 percent.
Of the 179 million records exposed last year, nearly 158 million were Social Security numbers, accounting for 88 percent of all exposed records, according to ITRC. Nearly 20 percent of breaches resulted in credit and debit card information being exposed.
Top Breach Vector: Hacking
Most breaches were the result of hack attacks, ITRC’s research determined.
Here’s a breakdown of how information got exposed in 2017:
- Hacking: 60 percent, including phishing (21 percent), malware/ransomware (12 percent) and skimming (2 percent);
- Unauthorized access: 11 percent; ITRC says this category involves “some kind of access to the data but the publicly available breach notification letters do not explicitly include the term hacking”;
- Employee error, negligence, improper disposal or loss: 10 percent;
- Subcontractor, third party or business associate: 8 percent;
- Accidental exposure: 6 percent;
- Insider theft: 5 percent;
- Physical theft: 5 percent;
- Data on the move: 2 percent.
Caveat: 37 percent of breach notifications fail to quantify the number of records – such as Social Security numbers and payment card data – that was exposed, ITRC reports.
Still, that’s an improvement from previous years, Eva Velasquez, ITRC’s president and CEO tells Information Security Media Group. “It is getting better,” she says. “We’re seeing more transparency from companies, including the actual number of records impacted.” In 2017, 13.7 percent more organizations released such information than did so in 2016.
More Information: Better
In general, releasing more details to victims is always better. “Understanding the type of personal information that has been exposed is absolutely critical for affected consumers,” says Karen Barney, the ITRC’s director of program support (see Data Breach Notifications: What’s Optimal Timing?).
“While a Social Security number continues to be the most valuable piece of information in the hands of a thief, even the exposure of emails, passwords or usernames can be problematic as this information often plays a role in hacking and phishing attacks,” Barney says.