US data breaches surge, businesses and healthcare organizations hit hardest
The number of US data breaches tracked through June 30, 2017 hit a half-year record high of 791, according to recent numbers released by the Identity Theft Resource Center (ITRC).
This represents a significant jump of 29 percent over 2016 figures during the same time period. At this pace, ITRC anticipates that the number of breaches could reach 1,500 in 2017, a 37 percent annual increase over 2016, when breaches reached an all-time record high of 1,093.
Records impacted
Sixty-seven percent of data breach notifications or public notices did not report on the number of records impacted, an all-time record high that represents an increase of 13 percent over the first half of 2016 and a major hike over the 10-year average of 43 percent.
To assess the impact of data breaches on employees and consumers, industry observers require accurate information about the number of records, which often include pieces of personal information such as names, Social Security numbers, financial account information, addresses, email addresses, phone numbers, dates of birth and other keys to identity theft. Current regulations don’t require this level of detail from most businesses.
Healthcare industry
The Medical/Healthcare industry stands apart when it comes to reporting most fully on the number of records compromised, due in part to mandatory reporting for healthcare industry breaches that impact 500 or more individuals.
For the first half of 2017, 81.5 percent of the breaches reported to Health & Human Services included the number of records, equal to the first half of 2016. It should be noted that breaches in the Medical/Healthcare sector involving employee information, and not Protected Health Information (PHI), do not need to be reported under the HITECH Act.
“We have made progress in transparency regarding data breach notifications but this only goes so far when we do not have complete information. The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts,” said Eva Velasquez, ITRC President and CEO.
Data breaches in general
Since 2005, the ITRC has identified data breaches in five industry sectors: financial (including banking and credit), health/medical, government/military, education and business.
So far in 2017, the business sector continues to top the list at 54.7 percent of the total breaches, followed by the healthcare/medical industry at 22.6 percent. The education sector ranks third at 11 percent of the total breaches followed by the Banking/Credit/Financial industry at 5.8 percent and the government/military at 5.6 percent.
Hacking, which includes phishing, ransomware/malware and skimming, was the leading cause of data breaches in the first half of 2017. To date, 63 percent of the overall breaches involved hacking as the primary method of attack, an increase of 5.0 percent over 2016 figures.
This was followed by Employee Error/Negligence/Improper Disposal/Lost at 9.0 percent and Accidental Web/Internet Exposure at nearly 7 percent, both reflecting decreases from 2016 figures.
Within the hacking category, phishing was involved in nearly half (47.7 percent) of these attacks. Ransomware/malware, newly added in 2017, was present in 18.5 percent of the hacking attacks.
The bad news for consumers: cybercriminals are intent on stealing their Social Security numbers, the most effective route to identity theft. Going hand in hand with the spearphishing attacks, which often target employee payroll information, is the exposure of Social Security numbers (SSNs). During the first half of 2017, 60 percent of the breaches involved the exposure of SSNs, down only slightly from the first half of 2016 (at 61 percent).
The exposure of credit/debit cards in the first half of 2017 rose slightly over 2016 figures, at 12.6 percent and 9.6 percent respectively. Several high-profile data breaches in the hospitality and fast food sectors have contributed to this increase. Again, the number of records actually exposed in these incidents has not been reported.