Announcements

Your Data Has Been Hacked! (Probably)

Introduction:

The data you entrust to third parties like colleges, your credit card processor, or data you have no control over (OPM, IRS, or other "organizations") has likely been compromised. In fact, there have been shocking data breaches reported in the last ten years. So many breaches that you may no longer really pay attention to the newest breach on the news.

The biggest breaches get the headlines, like the OPM breach that affected over 20 million federal workers. The numbers are staggering. From 2005 through 2016 (partial data), there have been 898,590,196 total records reported breached!

To make matters even worse, more than half (53%) of all breaches reported zero records breached — meaning an “unknown” number of records breached. Therefore, the total breached count is potentially much bigger than the nearly 900 breaches reported above.

These breaches happen in various ways. From hacking, unintended disclosure, fraud, insider threats, and other methods (see “Types of Breaches” below). Organizations affected run the gamut — from retail to government, financial, education, and other types.

The data in this article is from the publicly available information at https://www.privacyrights.org/data-breach. Using this publicly available information from the privacy rights clearinghouse, this article describes the breaches grouped and summarized in various ways. Below you will see breakouts of that data, many possibly surprising.

Conclusion:

Based on the data breakouts below, you should be concerned about the security and privacy of your information and the nearly total lack of security organizations (and, yes, the government) have.

What’s shocking about these results is that encryption for databases has been around for a long time, which would mitigate many of these breaches completely or at least to some extent. Yet, it seems few, if any organizations, actually bother to encrypt their data. Thus, when they’re hacked, and it’s clear from publicly available data that they are getting hacked, the hackers get the juicy raw (unencrypted) data.

Although there is little you can do about this remote data when businesses and government fail to protect your information due to outdated computers, computers not updated with security patches, insider threats, susceptibility to phishing attacks, lax security policies, or whatever, you can consider taking steps on your own to protect your local data and data in transit (a few possible ideas below):

(Note: You might need technical help or other support for some of these ideas below. Please see our disclaimer on our Web site.)

  • Encrypt your hard drive
  • Encrypt your emails
    • consider PGP or a third party email service like Protonmail.com
  • Use a strong password (different) for every Web site
    • (use a password manager)
  • Use an up-to-date anti-virus program and keep it updated
  • Use an up-to-date anti-spyware program and keep it updated
  • Avoid email systems that have the ability to run programs from emails or have been used as virus vectors
  • Avoid running as “root” or “Administrator” except in rare, controlled, circumstances
  • Do multiple backups and keep backups off site
  • Use an Ad blocker with your browser (for example Ad Block Plus)
  • Consider using Ghostery or similar to stop trackers
  • Avoid using tracking search engines like Google
    - (Note: Google appeared four times in the data results, all with “zero” records reported compromised.)
  • Get your own domain name and email hosting
  • Other strategies…

Thus, organizations need to be held accountable for data breaches with financial penalties and possibly legal action. Until this day arrives, and the laws catch up to the data breach threats, additionally consider credit watches, freezing your credit, regularly checking your credit report, and taking all the possible steps you feel comfortable with to protect your privacy.

==================================================

Data Breakouts:

Types of Breaches:

1. Unintended disclosure (**DISC**) - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
2. Hacking or malware (**HACK**) - Electronic entry by an outside party, malware and spyware.
3. Payment Card Fraud (**CARD**) - Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
4. Insider (**INSD**) - Someone with legitimate access intentionally breaches information - such as an employee or contractor.
5. Physical loss (**PHYS**) - Lost, discarded or stolen non-electronic records, such as paper documents
6. Portable device (**PORT**) - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc
7. Stationary device (**STAT**) - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.

==================================================

Organization Types:
- Unknown or other (UNKN)
- BSO - Businesses - Other
- BSF - Businesses - Financial and Insurance Services
- BSR - Businesses - Retail/Merchant
- EDU - Educational Institutions
- GOV - Government and Military
- MED - Healthcare - Medical Providers
- NGO - Nonprofit Organizations

Years of Data: Years of Data: 2005-2016 (partial)
========================================

High-level Results:

Of all the data brach types, “HACK” is the highest occurring, with 1,281 separate incidents. The Insider threat also was high with 555 separate incidents.

As stated above, there were 898,590,196 total records exposed

Below is a table showing the type of breach and the number of incidents:

(see “Organization Types” above for to decode the Type below)

TYPE NUMBER

NULL - 46

CARD - 66

UNKN - 149

STAT - 248

PHYS - 542

INSD - 555

DISC - 846

PORT - 1113

HACK - 1281

You might not think that from the numbers of separate incidents above, that not that much data was exposed, but the table below breaks down the number of records exposed per hack type:

Number of total records exposed by hack type:

UNKN — 6,306,078

CARD — 7,203,035

STAT — 11,568,743

DISC — 32,113,235

INSD — 36,268,831

PORT — 172,876,499

HACK — 629,035,293

Data breaches by Entity (government, financial, etc.):

NGO — 107

BSR — 552

BSF — 633

GOV — 722

BSO — 740

EDU — 772

MED — 1274

Note that medical is the highest breach type followed by education. Government is also high with 722 incidents.

Looking at the actual number of records exposed by Entity Type, we have:

NGO — 2,038,766

EDU — 14,790,624

BSO — 21,505,346

MED — 45,403,049

GOV — 178,534,105

BSR — 257,517,157

BSF — 378,801,149

Above, we see that the number of total exposed records was the highest in the business financial area (BSF), followed by businesses retail/merchant. Government brings up the third highest breach count. So, although education and medical had the highest breach counts by entity, the number of total exposed records is by businesses and then by government.

Below, due to space limitations, is very small representation of the organizations involved in these hacks. The list shows only the first 25 characters of the company name. And, since there are so many breaches by company name, we limited the list to only those breaches with 100,000 total records exposed or more. And, even then, there were too many organizations (229) to list them all!

Partial list of organizations with at least 100,000 data hacks: