2019 Could Be 'Worst Year on Record' for Data Breaches

The year 2019 is on track to be the worst year on record for data breaches, according to new numbers from cyber analytics firm Risk Based Security.

The Richmond, Va.-based firm reported that during the first quarter of the year, 1,903 publicly disclosed data compromise events occurred, exposing over 1.9 billion records. Compared to the first quarter of 2018, that represented a 56% increase in the number of reported breaches and a 29% increase in the number of exposed records. About 14% of data breaches during the first quarter of 2019 occurred in the finance and insurance sector, the report said.

“The number of data leaks – both in the form of open, unsecured services and credentials leaks — reached new levels this quarter,” Risk Based Security EVP and head of cyber risk analytics Inga Goddijn said. “Researchers are increasingly going public when they discover sizable, unprotected databases containing sensitive information and unfortunately, they aren’t terribly difficult to find when you know where to look.”

Hacking the Most Common Breach Type

Of the 1,903 data breaches that occurred during the quarter, 1,615 were due to hacking, the company said.

“A particularly popular attack method evident in recent quarters is targeting user email accounts,” it noted. “Malicious actors typically phish employees or use leaked credentials to access email services. Although pilfering sensitive data is not always the attackers’ objective, such access can trigger lengthy investigations and give rise to a string of regulatory obligations.”

Email addresses were exposed in 81% of the breaches occurring during the first quarter of 2019; passwords were also exposed in 74%, according to the data. Credit card numbers, Social Security numbers and birthdays were exposed in fewer than 10% of incidents.

California reported the most data breaches (60) for the quarter, followed by Texas (52), New York (26) and Georgia (21). Florida, Illinois, Minnesota, Ohio, Pennsylvania and Washington rounded out the top 10 states.

About 15% of breached organizations were unwilling or unable to disclose how many records were exposed, the company noted.

Breaches Creating Domino Effect

“Vendors, suppliers, and key service providers can hold or process terabytes of sensitive data on behalf of their customers. When such service providers expose data, it can trigger a cascading effect whereby one event impacts the data of multiple organizations,” the study warned.

In the first quarter of 2019, 49 of those incidents occurred, Risk Based Security said. One example was a breach at a point-of-sale solutions provider that exposed the payment card details of customers of at least 15 different companies, it noted.

Disclosure Time May Depend on Discovery Method

The study also found that organizations tended to disclose their data breaches publicly about a month faster if third parties such as law enforcement, customers or fraud-monitoring services had alerted them to the breaches.

“Clearly our hypothesis, that organizations finding their own breaches will report them faster, was dead wrong this quarter,” Goddijn said. “We will be following this metric closely throughout the year. For now, it’s too early to say whether the result we found for this quarter is an outlier or a fairly typical outcome.”