Unauthorized Access the Top Method for Data Breaches

For the first time since adding the category in 2016 the San Diego-based Identity Theft Resource Center’s monthly report revealed unauthorized access as the most commonly used method for breaching entities.

Unauthorized access represented 32% of the total breaches in April and was the primary method of breach for the banking (33%), medical (38%) and education (100%) sectors.

Hacking was the next most commonly used method at 20% of the total breaches down 12% from March. Although down, hacking was the number one method of breach for the business sector, affecting 40% of the entities breached. Rounding out the top three categories were accidental web/internet exposure (16%). Though it did not make the top three, the employee error/negligence/improper disposal/lost incident category was the number one method of breach for the government sector, at 50% of entities breached.

Because the growth in the number of breaches identified as unauthorized access can also receive a hacking designation the ITRC is looking into how to evaluate the commonly used phrase as defined by the companies who use it. In their breach letters, companies sometimes state “unauthorized persons gained unauthorized access” and “account[s] had been accessed by an unknown and potentially unauthorized user.” The lack of detailed information in many data breach notification letters makes it difficult to clearly ascertain how companies distinguish between “unauthorized access” and “hacking”. “At this time, to appropriately categorize the type of breach, we defer to the language used in the breach letters,” the ITRC stated.

The Medical/Healthcare sector was the hardest hit by breaches in April, for the first time in well over a year, accounting for 38% of the total breaches; up 12% compared to March. The business sector, hit almost as hard at 36% of the total breaches saw a significant drop (10%) compared to the breaches reported in March.

The breach of Hudson Bay Company, which affected high profile stores Saks Fifth Avenue, Saks Off 5th and Lord & Taylor began as early as July 2017. The breach was a result of malware inserted into the cash register systems and captured payment card information including name, card number and expiration date for nearly five million customers.

The breach of Panera, through its website panerabread.com, affected an untold number of consumers. This incident was a result of leaked customer on the internet starting in August 2017. The breach, which did not expose sensitive personal identifying information (PII), did compromise names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number for those who had placed orders online. ITRC noted the most troubling aspect to the Panera breach is the website did not come down until April 2018 – eight months after the discovery of the breach.

Online chat services provider [24]7.ai reported a data breach incident that affected the online customer payment information of several widely known and used nationwide clients. The list of companies impacted by this breach incident include Delta, Sears/Kmart, Best Buy, and W.W. Grainger. The ITRC data breach list includes [24]7.ai as a single breach impacting multiple entities.