Will data breaches break more records in 2018?

When it comes to data breaches, no company, regardless of size, is immune.

Another year has come and gone. And it’s always a good practice to reflect on the prior year and look back at the highs and lows; what went well and what could be improved. As we look back to 2017, I am sad to report that data breaches had their best year ever.  

Before we dive into the details, let’s level set what a data breach means. A data breach is an incident or event where an individual or a business has sensitive information unintentionally exposed via electronic or paper means. The information contains Personally Identifiable Information (PII) and can be accessed, extracted, and understood. A record is compromised if the PII has been lost, stolen or exposed as a result of a data breach. PII isn’t just user names and street addresses; it also includes social security numbers, medical records, or bank and credit card accounts. Got it? Ok. Let’s look at three primary causes, break down the numbers and assess the damage.

There are three primary threat vectors that cause data breaches: malware through computer hacks and phishing attempts, accidental internet exposure, and internal employee error or theft. While it is important to patch systems, deploy endpoint security solutions as well as other security intelligence and control practices, it is even more critical to develop and execute employee training and awareness programs. Education continues to be the primary strategy necessary to protect all parties from data breaches.

According to the Identity Theft Resource Center, the industry watch dog that provides support in identity theft and awareness, and education of all things data breaches, domestically in 2017, there were 1,579 total data breaches, exposing 178,955,069 records. In comparison, 1,093 data breaches were reported in 2016, which was an all-time high, and 36,601,939 total records were exposed. That’s an increase of 389% in total records exposed year over year.

The industry most impacted by data breaches in 2017 was the Business category with over 91% of the total number of breaches, followed by Government/Military, Medical/Healthcare, Banking/Financial, and Educational respectively.  Although no sector is immune to data breaches, it’s clear that businesses were most targeted and most exposed over the last 12 months.
Some of those businesses saw a lot of negative publicity and reputational damage as a result of those data breaches. The largest of 2017 include: Equifax (145,500,000 records), America’s Joblink Alliance (5,500,000), Sonic (5,000,000),  and Dow Jones & Company (2,200,000). These are data breaches where the numbers of records exposed are estimates. When it comes to data breaches, no company regardless of size is immune. Smaller companies like Drexel University, Denver Art Museum, Cincinnati Eye Institute and North Carolina Symphony had breaches of less than 1,000 records each but still can suffer negative publicity and reputation damage just like larger companies. 

In many cases, the number of records is reported as unknown. That can occur when either the entity cannot identify an actual number of records, or if the information stolen includes things like user IDs, passwords and e-mail addresses. That type of information compromised does not usually trigger breach notification laws. It’s debatable if that really constitutes PII. Some of the data breaches reported in 2017 with the number of records exposed as unknown include companies such as Capital One, HBO, SiriusXM, Best Buy, U.S. Air Force, Humana and Whole Foods.    

When breaches occur, it could take a long time to discover, contain and resolve them. According to Verizon, over 60 percent of all data compromises take a week or more to discover. And over 65 percent of the breaches take more than a month to contain. The majority take six to 24 months to resolve. It’s not uncommon for a company to report a data breach that happened two to three years in the past and the number of records exposed to dramatically increase over time. This is what happened with the Yahoo! breaches reported in 2016. It was eventually discovered that the over 1.5 billion e-mails compromised were from two separate incidents from 2013 and 2014.

And of course, all of this mess costs money to clean up. Based on the 2017 Cost of a Data Breach Study from IBM and Ponemon, the average per capita cost of a data breach in the United States was $225 and the average total organization cost was $7.35 million. That includes everything from investigations, legal and public relations costs, consulting fees and systems.  However, this figure doesn’t include the cost of lost business. That number, which is difficult to track, could be significant. Companies lose more customers following a data breach than at any other time in the business cycle. It may sound obvious, but it’s something companies need to plan for when publicly reporting data breaches.

Some good news: help may be on the way. Due to the massive Equifax data breach and the fact that consumer social security numbers (SSNs), addresses, and credit reports were compromised, lawmakers around the country are considering taking action. Currently, most state laws don’t afford a lot of protection or legal recourse to victims and there are not a lot of mandates on controls and security measures companies should deploy if they store PII. New evaluations of laws at both the state and federal level that protect consumers and businesses are underway. There have been similar Federal bills floating around both houses of Congress for years. Many states, too, have tried over the years to pass stronger laws around data breaches. There’s no telling if any of this will go though so we will have to wait and see. At least there is a new expressed interested in doing more to protect victims and holding companies accountable.

So that’s how 2017 ended up – breaking records. And not to sound like a broken record, but 2018 is already looking like another record breaker. Based on this year’s research and activity, IBM and Ponemon estimate an average probability of 27.7 percent that organizations in their last study will have a material data breach in the next 24 months - which by the way, is another record.