For the first time since adding the category in 2016, the San Diego-based Identity Theft Resource Center's monthly report revealed unauthorized access as the most commonly used method for breaching entities.

Unauthorized access represented 32% of the total breaches in April and was the primary method of breach for the banking (33%), medical (38%) and education (100%) sectors.

Hacking was the next most commonly used method, at 20% of the total breaches, down 12% from March. Although down, hacking was the number one method of breach for the business sector, affecting 40% of the entities breached. Rounding out the top three categories was accidental web/internet exposure (16%). Though it did not make the top three, the employee error/negligence/improper disposal/lost incident category was the number one method of breach for the government sector, at 50% of entities breached.

Because the growing number of breaches identified as unauthorized access can also receive a hacking designation, the ITRC is looking into how to evaluate the commonly used phrase as defined by the companies who use it. In their breach letters, companies sometimes state “unauthorized persons gained unauthorized access” and “account[s] had been accessed by an unknown and potentially unauthorized user.” The lack of detailed information in many data breach notification letters makes it difficult to clearly ascertain how companies distinguish between “unauthorized access” and “hacking”. “At this time, to appropriately categorize the type of breach, we defer to the language used in the breach letters,” the ITRC stated.

The Medical/Healthcare sector was the hardest hit by breaches in April, for the first time in well over a year, accounting for 38% of the total breaches, up 12% compared to March. The business sector, hit almost as hard at 36% of the total breaches, saw a significant drop (10%) compared to the breaches reported in March.

The breach of Hudson Bay Company, which affected high-profile stores Saks Fifth Avenue, Saks Off 5th and Lord & Taylor, began as early as July 2017. The breach resulted from malware inserted into the cash register systems, which captured payment card information including name, card number and expiration date for nearly five million customers.

The breach of Panera, through its website panerabread.com, affected an untold number of consumers. This incident was a result of customer data leaked on the internet starting in August 2017. The breach, which did not expose sensitive personal identifying information (PII), did compromise names, email and physical addresses, birthdays and the last four digits of the customer's credit card number for those who had placed orders online. The ITRC noted that the most troubling aspect of the Panera breach is that the website did not come down until April 2018 – eight months after the discovery of the breach.

Online chat services provider [24]7.ai reported a data breach incident that affected the online customer payment information of several widely known and used nationwide clients. The list of companies impacted by this breach incident includes Delta, Sears/Kmart, Best Buy, and W.W. Grainger. The ITRC data breach list includes [24]7.ai as a single breach impacting multiple entities.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).