Mixed Bag of Results as Breaches Are Up & Exposed Records Down in 2019
Security experts also warn members to be aware that the 2020 census is approaching and it could mean a rise in census scams.
There is bad news and good news in the “End-of-Year Data Breach Report” for 2019. While U.S. breach numbers increased, sensitive records exposed decreased. However, for financial institutions the opposite was true.
According to the research from the San Diego-based Identity Theft Resource Center — which publishes regular reports with the support of long-time sponsor identity theft resolution/data defense firm CyberScout — the number of U.S. data breaches tracked in 2019 (1,473) increased 17% from the total number of breaches reported in 2018 (1,257). However, 2019 saw 164,683,455 sensitive records exposed, a 65% decrease from 2018 (471,225,862). The 2018 Marriott data breach exposed 383 million records alone, significantly skewing the data.
For the Banking/Credit/Financial category the news was not quite as good. Although there were “only” 108 breaches (just 7.33% of total breaches) in 2019, the incidents exposed 100,621,770 sensitive records (and 20,000 non-sensitive records), accounting for 61.10% of the total sensitive records exposed. A big part of that damage came from the Capital One mega breach, which alone compromised more than 100 million records. In 2018, the Banking/Credit/Financial category experienced 135 breaches for a total of 1,778,658 sensitive records exposed.
For the second straight year, the business sector had the most data breaches (644), while the medical/health care sector had the second most (525). The government/military sector had the fewest breaches in 2019 at 83.
A number of credit unions were breached as well, including Nassau Educators Federal Credit Union, Westbury, N.Y. (86,773 records), Dominion Energy Credit Union, North Chesterfield, Va. (2,662 records), Florida A&M University Federal Credit Union, Tallahassee, Fla. (2,329 records), Town & Country Federal Credit Union, Scarborough, Maine (2,030 records) and St. Anne’s Credit Union, Fall River, Mass. (55). The ITRC also listed Wescom Credit Union, Pasadena, Calif., Grow Financial Federal Credit Union, Tampa, Fla., and the Los Angeles Police Federal Credit Union with no records reported.
“The increase in the number of data breaches during 2019, while not surprising, is a serious issue,” Eva Velasquez, president/CEO of the ITRC, said. “It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed. The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed.” She added that because this means more consumers are becoming victims, the ITRC will continue to provide guidance on the best ways to navigate the dangers of exposed personally identifiable information from a data breach and the risks of identity crime.
“This year’s report paints a mixed view of the landscape as we continue to work with businesses and consumers alike to thwart cyber criminals and contain their damage,” Matt Cullina, CyberScout’s EVP of strategic partnerships and managing director of Global Markets, and board chair of the ITRC, said. “The overall increase in breaches is certainly concerning. However, the extraordinary drop in the number of records exposed and the incredible feat of cutting the sensitive PII exposed by two thirds, indicates that we may be moving in a good direction with regards to the extent of the damage associated with breaches.”
Another critical finding of the ITRC report was that hacking was responsible for the highest percentage of data breaches (39%) and the highest number of non-sensitive records exposed (81%). Unauthorized access was the second most common breach method identified with nearly the same percentage as hacking at 36.5%. Unauthorized access continued to be a catch-all category with little transparency on the actual method of intrusion.
In a separate blog, the ITRC also warned that with the 2020 census approaching and forms soon to be mailed, there could soon be a rise in census scams.
“Unfortunately, there has been an increase in identity theft and fraud that masquerades as government agency communications, which could mean an increase in census scams,” the ITRC suggested. Scammers try everything from claiming the suspension of an SSN to threatening individuals with police action for unpaid taxes. They can even spoof email addresses or phone numbers on caller IDs to seem legitimate.
The ITRC listed some points to share with members to help them spot census scams:
- The official website for the Census Bureau is census.gov, and the specific website for the 2020 census is 2020census.gov. However, a scammer could easily buy the domain for 2020census.com or spoof their email by swapping a capital “O” for one of the zeros in the number. “Remember, caller ID and email domain names are not proof that the person is legitimate.”
- They will not call you. “If the Census Bureau tried to call every U.S. household and take their census data over the phone, we would be ready for the 2030 census before they were finished.” They will not call you and request information, no matter what the caller ID says. “They will also not email you a link to complete it online, so never click a link in an email unless you are expecting it.”
- They might come to your house, but will not request anything. “In some areas, government volunteers serving as census takers will knock on doors. However, they will not request Social Security numbers, bank or credit card numbers or any other payment information.” They will also not ask for payments for their time or for the postage on your forms, no matter what the person claims.
- The police are not coming to members’ houses. Regardless of what the person on the phone says, the police will not visit for failure to fill out the census. “The caller who claims you can simply pay some kind of fine over the phone, especially with prepaid debit cards or iTunes gift cards, is lying to you. It is a census scam.”