2017 Annual Data Breach Year-End Review

Executive Summary

The number of U.S. data breach incidents tracked in 2017 hit a new record high of 1,579 breaches, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center® (ITRC) and CyberScout®. The Review indicates a drastic upturn: a 44.7 percent increase over the record-high figures reported for 2016.

“We’ve seen the number of identified breaches increase as a result of industries moving toward more transparency,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “We want to encourage businesses and government entities to continue to provide timely reports to their respective Attorneys General so consumers can be better informed on what are the immediate and long-term impacts to their personal information by any given data breach.”

Of the five industry sectors that the ITRC tracks, the business category again topped the ITRC’s Data Breach List for the third year in a row with 55 percent of the overall total number of breaches (870). This marks the eighth time since 2005 that the number of breaches for this sector has surpassed all other industries. The Medical/Healthcare industry followed in second place with 23.7 percent of the overall total number of breaches (374). The Banking/Credit/Financial sector rounds out the top three with 8.5 percent of the overall total (134). This is only the second time since 2005 that the Banking/Credit/Financial sector has ranked in the top three industry categories (see the multi-year summary). The remaining two sectors, Educational and Government/Military, represented 8 percent and 4.7 percent respectively.

“Year after year we continue to use the Annual Data Breach Year-End Review as a tool to further glean trends about the state of data breaches, or to confirm what we already know about them,” said Matt Cullina, CEO of CyberScout. “With the business sector being strongly impacted, now more than ever it’s important for organizations of all sizes to not only be prepared for a data breach, but to also be taking proactive steps to plan for the inevitability.”

Hacking dwarfs all other methods of data compromise, totaling almost 60 percent of all breaches

The method of exposure is a critical category when determining the level of harm potentially associated with a data breach. Hence, the ITRC captures seven different types of attacks: hacking (with subcategories of phishing, ransomware/malware and skimming), unauthorized access, insider theft, data on the move, accidental exposure, employee error/negligence/improper disposal/loss, and physical theft.

Hacking continues to rank highest among the types of attack, at 59.4 percent of the breaches, an increase of 3.2 percent over 2016 figures. Of the 940 breaches attributed to hacking, 21.4 percent involved phishing and 12.4 percent involved ransomware/malware. Unauthorized Access, which was newly added as a method of attack in 2016, represented nearly 11 percent of the overall total of breaches, a 3.4 percent increase over 2016 figures. Unauthorized Access is defined as a breach that involved some form of access to the data but whose publicly available breach notification letter does not explicitly use the term hacking.

Hacking incidents had a significant impact on the Business sector this year, with nearly 40 percent of the breached businesses identifying this type of attack as the cause for the breach. On the other end of the spectrum, the Government/Military sector was far less impacted with only 1.3 percent of the total breach occurrences being attributed to hacking.

The Appeal of Credit and Debit Card Numbers Continues to Increase Year Over Year

Nearly 20 percent of breaches included credit and debit card information, a nearly 6 percent increase from last year. The actual number of records included in these breaches grew by a dramatic 88 percent over the figures we reported in 2016. Despite efforts from all stakeholders to lessen the value of compromised credit/debit credentials, this information continues to be attractive and lucrative to thieves and hackers.

Social Security Numbers are even more widely available

While the debate regarding the use of the Social Security Number as an authenticator continues, it must be called out that, given the multiple exposures of millions of SSNs, they should no longer serve as a primary authenticator. Throughout 2017, there were 830 data breach incidents involving Social Security numbers, representing more than half of the total reported number of breaches. As a result of these breaches, nearly 158 million SSNs were exposed, or 88 percent of the total number of records exposed.

The number of exposed records in this report represents the minimum number and should be viewed as such. A significant percentage of the available data breach notification letters (36.7 percent) fail to include the number of exposed records, hence the ITRC’s consistent call for more transparency and accuracy in notification letters. Progress is being made, however, as this represents an improvement over 2016 when more than half the notifications did not include the number of exposed records.

“Understanding the type of personal information that has been exposed is absolutely critical for affected consumers,” said Karen Barney, Director of Program Support for the ITRC. “While a Social Security number continues to be the most valuable piece of information in the hands of a thief, even the exposure of emails, passwords or usernames can be problematic as this information often plays a role in hacking and phishing attacks.”