Last year was the second highest on record in terms of data breaches and leaks, with over 6500 reported, according to Risk Based Security.
The security vendor revealed that 6515 incidents were reported globally in 2018, second only in the past 12+ years to 2017’s 6728. When it came to number of records exposed, the figure of around five billion for last year came third to 2016’s 6.4 billion and 2017’s 7.9 billion.
However, the caveat is that just over a quarter of breached organizations were unwilling or unable to disclose the number of records exposed, so the figure could be much higher.
For the purposes of this study, Risk Based Security collated incidents related to traditional hacking-based breaches and increasingly common IT misconfigurations which expose records but don’t necessarily mean they’ve ended up on the dark web.
It also counted “fraud,” which is the category assigned to the Facebook-Cambridge Analytica incident which exposed 87 million social media users to the shady political consultancy.
Although hacking accounted for most breaches, the largest number of records (39%) were exposed via the web, followed by hacking (28%) and fraud (25%), highlighting just how big a problem accidental leaks are. That means insiders were responsible for way more ‘breaches’ than outsiders, roughly 2.1 versus 1.3 billion.
In terms of sectors, business accounted for the vast majority of ‘breaches’ (66%), followed by government (14%), medical (13%) and education (7%).
There were 301 incidents (5%) linked to third-party suppliers. The US accounted for the vast majority of exposed records (44%) and breaches (2264). In terms of breaches, the UK came in a distant second (144) followed by Canada (112).
Despite the advent of the GDPR, the average number of days between breach discovery and reporting did not significantly change between 2017 (48.6) and 2018 (49.6).
However, as the vendor noted, although regulators must be notified within 72-hours, the public need only be told of a breach if there is a high risk of harm, and even then “only without unreasonable delay" rather than a specified three-day window.