The ITRC also reports the source of exposure (electronic or paper data) for each breach. As might be expected, the vast majority of incidents so far this year have been tied to electronic compromise, with only 6% classified as a “Paper Data” breach.
The Ogres: Monster Breaches Drive Numbers Higher
In analyzing the US data breaches identified through October 3, one thing is clear: mega breaches — those with one million or more records compromised — and near-mega breaches account for the vast majority of data exposure so far this year.
- Seven of the breaches identified by the ITRC qualify for “mega” status, exposing between 1.4 million and 14 million records. Though these breaches represent less than 1% of the 932 total breaches, they account for 66% of the 47.2 million records exposed.
- Eighteen breaches — 2% of the total — exposed 500,000 or more records, accounting for 83% of the total exposures.
- Twenty-six breaches exposed more than 250,000 records. This represents just 3% of the breach total but 89% of the total records exposed.
The Apparitions: They’re There, But We Can’t Quite See Them
As we first discussed in last year’s analysis of ITRC data, the fear of the unknown is quite valid when it comes to data breach reporting. The lack of visibility into the true number of records exposed by many identified breaches leads us to conclude that the numbers tallied each year are merely ghosts of the actual totals.
As the ITRC notes in its report, “If the number of records is not made publicly available, [we] will note that in the report as ‘unknown,’ indicating we do not have the specifics of the actual number impacted.” In the September 2018 year-to-date tally, we counted 429 incidents in which the ITRC classified the number of reported records as unknown — 46% of the 932 total breaches reported. That means consumers, clients, and even employees may be unaware of the extent of nearly half of breaches experienced by US organizations in 2018 and, as such, may not have a clear sense of how much information has been compromised.
And there are certainly more hidden figures. The ITRC only reports on confirmed, “public” US breaches that meet at least one of the following two criteria (leaving us to simply speculate on the number of incidents that lurk outside of those criteria):
- Publication of the breach by a “credible source” (such as a US Attorney General’s office or “established” TV, radio, or news media)
- Receipt of a notification letter by a potential breach victim
Why does so much US data breach information remain in the shadows? Inconsistent breach notification requirements are a contributing factor. Although all 50 US states have data breach notification laws, they vary on everything from definitions of what constitutes personally identifiable information (PII), to the thresholds that trigger the need for disclosure, to the breached organization’s obligations to affected parties.
The lack of a federal mandate means that requirements vary across the country, which keeps organizations guessing and leaves citizens’ data on unequal footing. As US Representative Jim Langevin told The Washington Post, “Today, companies in the United States are required to comply with 50 different state laws when they suffer a data breach affecting personally identifiable information they control.
“This is bad for business and bad for consumers, who are treated differently depending on where they live,” he added.
* Per the September 30 report: “The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed in the cumulative annual total.”
** Per the ITRC’s Monthly Breach Report: September 2018, the number of records exposed for each of the two Banking/Credit/Financial data breaches is unknown, not zero.