The number of data breaches in the U.S. jumped 29 percent in the first half of this year, hitting a record high of 791, according to a new report from the Identity Theft Resource Center and CyberScout, the data risk management company.
“Frankly, I was surprised at how significantly the number of breaches has grown,” said Eva Velasquez, ITRC’s president and CEO. “We knew this was a trend, we knew that the thieves would continue to find this lucrative, but the sheer volume of growth has been really surprising.”
Adam Levin, chairman of CyberScout, told NBC News he finds the new numbers “incredibly disturbing” and a sign that cyber security still doesn’t get the respect it deserves.
“That’s why the problem keeps getting worse and the number of breaches keeps going up and up and up,” Levin said. “Most companies in this country still have not embraced a corporate culture where privacy and security are core values.”
The ITRC/CyberScout report tracks data breaches in five categories: financial (which includes banking and credit), health/medical, government/military, education and business. The business sector continues to have the highest percentage of total breaches reported — 54.7 percent at the six-month mark.
The healthcare industry was second, and had the biggest increase from this time last year — 30.7 percent of the breaches versus 22.6 percent in 2016. The education sector (11.3 percent) was third, followed by financial (5.8 percent) and government/military (5.6 percent).
A Lack of Transparency
About 12 million records were exposed in the 791 breaches that took place during the first six months of 2017, according to the Identity Theft Resource Center’s running tally. These stolen records include banking information, credit card numbers, medical files, and Social Security numbers. And odds are that 12 million is just the tip of the iceberg.
Most industries are not required to include detailed information — the number of records compromised and the type of information that may have been stolen — in their breach notifications. And most organizations don’t. The healthcare industry is required to report fully on all breaches of 500 individuals or more.
The ITRC/CyberScout report found that 67 percent of all the breach notices released in the first half of the year did not indicate how many records had been compromised — another record high.
Pam Dixon, executive director of the World Privacy Forum, told NBC News this lack of transparency can be “dangerous” because victims need to know the potential threats posed when their personal information is compromised.
“People who are left in the dark about the details of a data breach cannot effectively protect themselves and this can have serious consequences,” Dixon said. “Breach notifications need to help, not hinder, solving the problems that data breaches can bring.”
How Do They Do It?
The ITRC/CyberScout report shows that hacking is the primary method of attack, accounting for 63 percent of all data breaches to date. Employee error or negligence is to blame 9 percent of the time. This includes improper disposal of sensitive data and lost laptops or other storage devices. Accidental exposure on the web accounted for about 7 percent of the breaches.
“It doesn’t require a tremendous amount of sophistication or technical savvy to commit this type of fraud,” Velasquez told NBC News. “Criminals can simply purchase some malware through the fraud ecosystem and then do some spam, do some phishing and boom — they have all the materials they need to commit identity theft.”
What Do the Hackers Want?
Most hackers, other than those on a state-sponsored mission, want information they can use or sell. Stolen credit card numbers aren’t worth very much these days — there are so many of them available on the dark web.
Social Security numbers are worth much more because they enable identity thieves to commit various crimes by pretending to be someone else. They can open new credit and bank accounts, access brokerage accounts, commit tax fraud, get medical treatment or even apply for government benefits. And unlike a credit card account that can be quickly and easily closed, a Social Security number has an indefinite shelf life.
Health records are even more lucrative because they’re a data-rich target. Not only do they contain that all-important Social Security number, but also our medical history, date of birth, insurance information, and possibly the credit card used to cover co-pays.
“On the black market, where the bad guys sell this stuff, the value of a medical record is easily 10 times more than a credit card account number,” privacy expert Larry Ponemon, founder of the Ponemon Institute, told NBC News. “There’s definitely more value, but unfortunately, a lot of the healthcare organizations that we’ve studied have been laggards in cyber security.”
Many medical organizations don’t understand why they should be worried about getting hacked. They’re focused on patient care and may not realize the value of the data they collect.
“We’re seeing more healthcare organizations move in the right direction, but it’s a long-term project that is not happening quickly enough,” Ponemon told NBC News.
The Cost of a Breach
Data breaches can have a significant financial impact on the organization that is attacked. The average cost of a data breach in the U.S. is now a record high $7.35 million, up 5 percent from last year, according to the 2017 Cost of a Data Breach Report prepared by IBM Security and the Ponemon Institute.
The average cost of a compromised record is $225, but it’s much higher for highly regulated industries: healthcare ($380 per file) and financial services ($336 per file).
These figures include the direct costs of a breach — legal fees, notification, hiring extra staff and providing identity monitoring services — as well as the loss of business that results from it. The blow to a company’s reputation following a breach often results in customers going elsewhere.
On average, it takes more than six months (206 days) for an organization to spot an intrusion and another 55 days to contain the breach, according to the IBM/Ponemon report. That’s a big improvement from a few years ago, but still too slow, security experts say.
“The slogan says ‘time is money.’ Well, nowhere is that truer than when it comes to data breaches,” said Wendi Whitmore, Global Lead for IBM’s Incident Response and Intelligence Services. “The longer an attacker goes unnoticed, the more damage they can do. And that directly relates to the amount of financial loss the company will face.”
The cost of a breach was nearly a million dollars lower, on average, when the incident was spotted and contained in less than 30 days. Having an incident response plan in place can result in significant cost savings, the report noted.
The Bottom Line: More Needs to Be Done
Data breaches are so common now that few of them make the news. So most of us don’t realize that many of the business and government organizations we deal with are not taking the necessary precautions to protect the sensitive personal information they collect from us.
“We are facing off against fully armed and extremely persistent attackers,” CyberScout’s Adam Levin told NBC News. “And we have to recognize that any time an organization opts for convenience over security — which is the current norm — they are putting themselves, their future, and their customers and employees in harm’s way.”