Last Year ‘Worst on Record’ for Breaches, Data Exposure

More than 15.1 billion records were exposed last year, a staggering 284% increase from 2018, while nearly 7,100 breaches were reported, a 1% increase — though that number is expected to climb with the discovery of more breaches.

That’s according to Risk Based Security’s 2019 Year End Data Breach Report. Last year has lived up to its reputation for being the “worst year on record” for breach activity with more breaches reported, more data exposed and more credentials dumped online, it said.

Since the release of the third-quarter report three months ago, 7.2 billion records were compromised, with just four events accounting for 93.5% of those records. Compromising the records were open and misconfigured databases made publicly accessible to anyone motivated to seek them out.

Inga Goddijn, Risk Based Security‘s executive vice president, tells us what surprises her the most is how consistent the trends have been from 2018 to 2019.

Risk Based Security’s Inga Goodijn

“The number of breaches looked bad at the end of 2018 [and] 2019 continued the deterioration,” she said. “Reports of large data sets left exposed online contributed to the volume of data exposed in 2018; the number of records exposed in 2019 was pushed to new levels due to the very same issue. The underlying problems driving data-breach activity really have not changed substantially, but the results have intensified.”

Other findings from the report include:

• Breaches at technology providers pushed the information sector to the top spot for number of breaches, followed by health care.
• Eighty-eight percent of information-sector data breaches can be attributed to software publishers, data processing and hosting services, and internet publishing.

Risk Based Security’s cyber risk analytics team analyzed 25 million unhashed passwords from email accounts affected in last fall’s Zynga breach. A breakdown of password security shows that less than 1% of passwords followed basic security requirements.

Of the passwords analyzed, Gmail users tended to have slightly more secure passwords compared to other email domains. AOL users tended to have the least secure passwords compared to other email domains.

“It’s important to keep in mind that a breach can happen at any organization, no matter how strong their security,” Goddijn said. “What an organization could or should be doing depends largely on their own risk assessment, resources available and security maturity. If an organization hasn’t performed a risk assessment, that’s a great place to start. For those further along, shifting focus to detection and response planning is a natural evolution.”

The report “certainly” does highlight the need for security expertise, she said.

“Small-to midsize organizations are especially at risk as they often do not need a full-time security team, but do need some expertise to fill the gaps,” she said. “MSSPs are one option that can help. But as mentioned earlier, a breach can happen at any organization. Including security reviews as a part of vendor due diligence is important — even when it comes to security service providers.”

It’s still early in 2020, but Goddijn said she’s optimistic for the year.

“The number of breaches reported in January is coming in below January 2019, which is a positive start,” she said. “If that continues, we should see the number of breaches back off the 7,000-plus mark. It’s still too early to say whether that would result in [fewer] records exposed. As long as sizable databases and services are left open and accessible, we’re likely to see the number of records exposed remaining very high.”