U.S. Data Breaches Rose in 2019, but Many Details Remain in the Shadows

The Identity Theft Resource Center (ITRC) recently published its 2019 End-of-Year Data Breach Report. Now in its fifteenth year, the report tallies the total number of publicly notified data breaches that affected U.S. organizations and their customers in 2019.* Some of the findings reveal positive trends:

• About 50% fewer records were exposed overall in 2019 compared to 2018.
• Exposure of consumers’ personally identifiable information (PII) dropped 41% year over year, and sensitive PII exposure was down 65%.

But, as you might imagine, most of the news was not positive:

• The total number of data breaches rose 17% year over year, leading the ITRC to categorize 2018’s drop as a “blip.”
• Breaches related to unsecure databases increased significantly. Though many organizations failed to password-protect cloud-based databases in 2019, the ITRC doesn’t place all the blame on those security oversights. The report also calls on cloud providers to step up minimum security requirements for their customers.
• Credential stuffing “has exploded since 2018,” according to the ITRC. In these attacks, threat actors use stolen information to automate login attempts on multiple accounts. These attacks shine light on the value of usernames, passwords, and other pieces of PII that the ITRC currently categorizes as “non-sensitive records.” The issue is only exacerbated by password reuse among end users, a practice 32% of U.S. workers admitted to in a recent survey for our State of the Phish report.
• A year after raising the alarm about its 2018 findings, the ITRC again called out the role of third-party contractors in data breaches. The report cautions that “accidental and malicious data events continued to expose both sensitive and non-sensitive data in 2019.”

Following, we look at a few more of the key findings from the report—including the unknown data that is leaving many U.S. consumers in the dark.

Breach Totals by Industry

Breach Totals by Method

As you look down the list of methods below, one thing is likely to stand out: the role of end users—including IT and other more “technically minded” workers. It’s critical that organizations not lose sight of the roles that people play in preventing the mistakes and avoiding the attacks that lead to data breaches.

While the report does not specify the number of non-sensitive records exposed by each method, it does note that Hacking/Intrusion led to the exposure of 81% of non-sensitive records (nearly 570,000,000).

These figures indicate that a people-centric approach is more critical than ever, as threat actors increasingly target people and attempt to take advantage of human behaviors. Our 2020 State of the Phish report revealed that 65% of U.S. organizations experienced a successful phishing attack in 2019. Those email-based attacks resulted in the following impacts:

• Credential/account compromise: 60%
• Loss of data: 54%
• Ransomware infection: 51%
• Financial loss/wire transfer fraud: 37%
• Other malware infection: 36%

The Role of Paper in Breach Totals

The ITRC tracks the source of exposure (electronic or paper) for each breach. It’s likely not surprising to learn that the vast majority of 2019 incidents were tied to electronic compromise. Only about 7% of the 1,473 breaches were classified as a “Paper Data” breach.

What’s interesting, however, is that nearly 80% of those Paper Data exposures happened within Healthcare/Medical organizations. As we’ve cautioned before, healthcare organizations absolutely need to think beyond the inbox when it comes to safeguarding protected health information (PHI).

What Information Lurks in the Shadows?

We’ve said it before, but we’ll say it again: fear of the unknown is quite valid when it comes to data breach reporting. In many cases, we simply do not know the full extent of exposure.

The report states: “If the number of records is not made publicly available, ITRC will note that in the report as ‘unknown’ indicating we do not have the specifics of the actual number impacted.” That was the case with 520 (about 35%) of the breaches identified in the report.

The report acknowledges that the actual number of records may have been disclosed to another entity—such as law enforcement officials or a government agency. However, the data was “not provided in the information available to the ITRC.” Which leads us to a further discussion: disclosure.

The ITRC follows a specific process for reporting on public U.S. data breaches. The organization considers a breach “public” when it meets one of the following criteria:

1. It’s published by a “credible source” (such as a U.S. Attorney General’s office or an “established” TV, radio or news media outlet)
2. A potential victim receives a breach notification letter

Which leaves us wondering about the U.S. breaches that lie outside of those criteria, in the land of the undisclosed. And that’s most likely where they reside, close to the vests of those who know about them but don’t want to talk about them publicly. The ITRC points to the vast disparity in reported breaches between the U.S. and the European Union (EU) as proof of this:

[M]ore than 10,000 data breaches and data exposures have been publicly reported in the U.S. since 2005. Contrast that with the more than 160,000 data breaches reported in the European Union since May 2018. The difference is the EU has a strong data privacy and cybersecurity law that mandates reporting to government officials. The U.S. does not.

Advice on Bringing More Data to Light

We agree with the ITRC’s stance that all involved parties need to work to reduce data breaches and give affected parties more visibility into compromised data. The report highlights three key areas for improvement:

• Greater transparency when breaches happen – The ITRC calls upon organizations to abandon broad data categorizations—like “employee records” and “financial information”—when describing breached records. The report notes that these types of classifications “have long ceased to be helpful,” and have hampered more specific analysis of incidents. Organizations are also urged to share hard numbers and more information about root causes of breaches. The ITRC states that improvements in disclosure will help infosec teams better prepare for and defend against attacks, as well as help security experts better gauge the risks associated with future incidents.

• More government involvement – According to the report, policymakers should make more of an effort to offer protections and incentives to breached organizations that share information about their incidents. Organizations should be able to disclose their findings, the ITRC says, “without fear of complicating the legal and regulatory actions that follow many data breaches.” The report also stresses the need for government entities to continue to develop frameworks that support data and cybersecurity. It also encourages organizations to be more mindful of the data they collect and store, and urges all entities to dedicate more time and effort to supporting identity theft victims.
• Increased attention by consumers – People also have an important role to play in data protections, the ITRC says. It cautions against prioritizing convenience over security, stating, “Frictionless engagement doesn’t equal consumer-first security.” Consumers need to demand improvements from the organizations they deal with—but they also need to take charge of their own behaviors and “ensure they are being as security-conscious as possible.”

* Per the year-end report: “The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed in the cumulative annual total.”