The number of data breaches spiked dramatically in the first half of this year compared to previous years, according to a report from vulnerability intelligence company Risk Based Security. Its analysis found that breach numbers for the first six months of 2019 grew by 54% compared to the same period last year, while the number of exposed records grew 52%.
The growth in data breach volume bucks a trend that saw the number of breaches plateau in 2017 and 2018.
"The reason? Over 1,300 data leaks, mostly exposing email addresses and passwords, were documented in the first half of 2019," the report said. "Although these tend to be relatively small events, averaging fewer than 230 records exposed per incident, these leaks have contributed substantially to the number of access credentials freely available on the Internet."
The number of records exposed in 1H 2019 (4.19 billion) may be larger than in 2018 (2.74 billion), but historical record volumes are more erratic. The first half of 2017 saw six billion records exposed, the report said.
According to the report, eight breaches within the first half of this year accounted for 3.2 billion breached records, or 78.6% of the total. Three of the breaches were among the largest of all time.
Six of the top eight breaches stemmed from misconfigured databases or web applications: Verifications.io (982 million records), First American Financial (885 million), Cultura Colectiva (540 million), two unknown organizations in India and China (275 million and 202 million, respectively) and Justdial (100 million).
Web-based breaches like these are by far the most common in terms of exposed records, accounting for 79% of total breaches in the first half of the year.
Only two of the top eight – Dubsmash's 161 million record-breach and Canva's loss of 139 million records – were down to other hacking techniques.
The number of breaches doesn't tell the whole story, either. While the first half of this year yielded more breaches than ever before, the majority had a moderate to low severity score and exposed 10,000 records or fewer.
The type of data stolen also plays a part. Email addresses and passwords are still the primary records stolen, present in 70% and 65% of stolen data sets, respectively. These can be used for credential stuffing when shared across multiple sites, but they can also be changed, the report points out.
More critical data was less commonly stolen. Addresses, credit card and Social Security numbers were only stolen in 11% of attacks, with account numbers only showing up in 10%.