In the first nine months of 2017 there were 3,833 publicly disclosed breaches that exposed more than seven billion records. Risk Based Security’s Data Breach QuickView Report found that the five largest breaches in 2017 exposed approximately 78.5% of all records exposed in the year to date. From July, the number of breaches steadily increased and reached a monthly high of 600 incidents in September alone.
Of the 1,465 breaches reported in Q3, Equifax and Yahoo by far received the most publicity because of the sheer severity of their breaches.
Inga Goddijn, executive vice president of Risk Based Security, said:
“The events at Equifax dominated the news in Q3 – and rightly so. The breach stands out for so many reasons, ranging from the sheer size of the data loss to the poor handling of the response. But the attention masked several other events such as the Sonic and Piriform compromises that, in any other month, would be high profile breaches in their own right.”
- Compared with the same period in 2016, the number of reported breaches has increased by 18.2%, and the number of leaked records is up 305%.
- The number of breaches in 2017 that have exposed more than one million records stands at 69.
- Five 2017 breaches have now been added to the ‘Top 10 List of All Time Largest Breaches’.
- 6% of breaches involved US entities and are responsible for around 29.3% of exposed records.
- 1% of reported breaches were due to hacking.
- The business sector accounted for the majority of reported breaches (43.9%), followed by unknown (33.9%), medical (8.5%), government (8%), and education (5.8%).
Over the past few years, quarter after quarter, we have seen how popular it is to target account credentials. However, in the first half of 2017, it was one of the few times that we saw usernames, email addresses and passwords fall out of the top spots of data types most compromised. That trend has faded and once again, we’re seeing access credentials return as the most exposed data types.
While we are tracking more data breaches, we are seeing the severity skew lower in Q3 compared to the first half of the year. It’s a trend we hope to see continue for the remainder of the year.
According to Goddijn, “one of the bigger factors, where organizations fall short, is not making security a part of their ordinary everyday operations.” This needs to be addressed, and fast. Including employees in cybersecurity strategies is also often overlooked. The best way to include and engage them is a staff awareness program.
Using training, tools, and thought-provoking activities, organizations can raise staff awareness of the daily cyber risks they face, and suggest actions and procedures to minimize such risks. For maximum success, this should be an ongoing process from initial induction that continues with updates when appropriate throughout the year.