You've been breached: Hackers stole nearly half a billion personal records in 2018

Companies use nebulous language to describe the nature of the breach, saying ‘other data’ or ‘employee records’ have been stolen — which makes it hard for victims to know how (and when) to react.
Silhouette of male hand typing on laptop keyboard at night
Hackers stole a record 447 million consumer records containing sensitive personal information last year.Andrew Brookes / Getty Images

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
SUBSCRIBE
By Herb Weisbaum

Hackers stole nearly 447 million consumer records containing sensitive personal information last year, according to the 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center. That’s a jump of 126 percent from 2017 (when roughly 198 million sensitive records were stolen) and a new record for the number of compromised files in a single year.

“Data breaches are now a normal, everyday occurrence," the report concluded.

While the number of U.S. data breaches dropped 23 percent from last year’s high (1,244 vs. 1,632), that’s nothing to cheer about. If breaches are down, but more records are stolen, that’s a serious problem, said Eva Casey-Velasquez, ITRC’s president and CEO.

“This is telling us that we are creating a system and processes that make it easier for the thieves to compromise,” Velasquez told NBC News. “We’re collecting and storing more and more data in single places, so that the criminals only have to commit one hack or one breach of that institution to get all of those records.”

For example: The common practice of using Facebook to log in to other platforms increases your vulnerability, the ITRC report cautioned. In one significant Facebook breach last year, hackers accessed “tokens” for 50 million accounts. These tokens keep users logged in automatically, so this one breach could allow criminals to access tens of millions of other accounts.

“The crooks are continuing to get better,” said Adam Levin, founder and chairman of CyberScout, the data security services firm that sponsored the report. “Businesses are also getting better but, unfortunately, we're in an arms race and the bad guys keep advancing faster than the good guys.”

Cyber security expert Lorrie Faith Cranor, director of Cylab at Carnegie Mellon University, is troubled, but not surprised, by the number of exposed records reported by the ITRC.

“We've always been sloppy when it comes to data security and the hackers are finding creative new ways to exploit that,” Cranor said. “We are definitely seeing attacks that focus on the human element, both at the individual level — new forms of phishing attacks — but also at the enterprise level — humans making mistakes that allow for a large-scale breach.”

The ITRC reported that a staggering 1.6 billion non-sensitive records — such as email addresses, passwords and usernames — were also exposed last year — another record.

Byers Market Newsletter

Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.

While it’s easy to downplay this type of breach, as many companies do when they’re hacked, it’s not as harmless as it might seem. As the ITRC report noted: “A consumer’s identity is similar to that of a puzzle, and the more accurate pieces a thief has about someone, the more they can successfully represent that person.”

Remember: For most accounts, the login is username (often our email address) and password. A stolen email address is half the information needed to break into your account. Criminals often use powerful software to “guess” the passwords associated with these stolen email addresses. If they can access a lucrative account, they can change the password, lock you out, and then steal money or sensitive information.

Having your credit card information stolen is annoying, but it can be quickly dealt with and doesn’t have any long-term consequences. If a hacker snags your medical file, it can have life-threatening repercussions.

The healthcare sector had the second largest number of breaches last year (363) that exposed nearly 10 million records, double the number from 2017. The ITRC also found that healthcare databases had the highest rate of exposure per breach.

“Medical identity theft is a very serious form of identity theft and there's no real way to prevent it after a data breach,” said Pam Dixon, executive director of the World Privacy Forum.

Criminals take the stolen medical file and change the person’s medical records to commit insurance fraud. They’ll give the victim a disease that’s expensive to treat — such as cancer or Hepatitis C — and steal the insurance payments. The victim may never know this has happened, but those bogus treatments can get added to their health file.

“You'll go to your doctor and suddenly there's all this new, fake, and incorrect information in your health file,” Dixon said. “That can create some serious problems.”

A data breach is a public relations nightmare; it can cost revenue and result in serious legal bills. So, it’s easy to see why a company might want to downplay the harm or limit the specific information shared with those affected.

“All too often, we're not getting a full understanding of what data was compromised,” ITRC’s Velasquez told NBC News. “They're using phrases like ‘and other data’ or ‘employee records’ that are somewhat nebulous in breach notifications, making it hard for victims to know how to react properly.”

The steps you take to remediate a stolen credit card number are substantially different from what you do when your Social Security number has been compromised, she noted.

“We’re calling on every industry to be transparent and thorough on those notification letters, not so we can wag our finger at you, but so we can help the people who are affected in the best ways possible,” Velasquez said.

Based on the number of massive breaches and the trillions of records that have been compromised in the last few years, it’s safe to assume that nearly every adult in America and millions of children have been breached at least once, security experts told NBC News.

“You have to assume the worst, that all of your personal information is out there already, so you are incredibly vulnerable,” said CyberScouts’s Levin. “That’s why it’s so important for people to act differently. You must minimize your risk and monitor your accounts.”

  • Always use a unique and strong password for every website and online account. That way, if there is a breach, it doesn't affect all your accounts.
  • If you have too many passwords to remember, use a password manager.
  • Keep a close eye on your financial accounts: Set automatic security alerts on your credit card and bank accounts to instantly know when transactions take place.
  • Check your accounts every week or so. If you spot something suspicious, don’t assume it’s a mistake, deal with it right away.

“Constant vigilance is the only defense,” Levin said.