Introduction:
The data you entrust to third parties such as colleges or your credit card processor, and the data you have no control over at all (OPM, IRS, and other “organizations”), has likely been compromised. There have been shocking data breaches reported in the last ten years, so many that you may no longer pay attention to the newest breach on the news.
The biggest breaches get the headlines, like the OPM breach that affected over 20 million federal workers. The numbers are staggering. From 2005 through 2016 (partial data), 898,590,196 total records were reported breached!
To make matters worse, more than half (53%) of all breaches reported zero records breached, meaning an “unknown” number of records. The true total is therefore potentially much larger than the nearly 900 million records reported above.
These breaches happen in various ways: hacking, unintended disclosure, fraud, insider threats, and other methods (see “Types of Breaches” below). The organizations affected run the gamut, from retail to government, financial, education, and other types.
The data in this article comes from the publicly available information at https://www.privacyrights.org/data-breach. Using this Privacy Rights Clearinghouse data, this article describes the breaches grouped and summarized in various ways. Below you will see breakouts of that data, many of them possibly surprising.
Conclusion:
Based on the data breakouts below, you should be concerned about the security and privacy of your information and about how little security the organizations (and, yes, the government) that hold it actually have.
What is shocking about these results is that encryption for stored data has been available for a long time. Full-disk or database encryption would have blunted many of the lost and stolen device breaches (the PORT and STAT categories below), since a thief who gets the drive but not the key gets nothing readable. It is only a partial answer to the HACK category: an attacker who compromises the application, or a database account that legitimately decrypts the data, sees it in the clear, so encryption at rest has to be paired with keys held outside the database, least-privilege access, and patching. Yet few organizations, if any, appear to bother encrypting their data at all. So when they are hacked, and it is clear from the public data that they are being hacked, the attackers get the juicy raw (unencrypted) data.
Although there is little you can do about remote data when businesses and government fail to protect your information, whether because of outdated computers, missing security patches, insider threats, susceptibility to phishing, lax security policies, or whatever else, you can take steps on your own to protect your local data and your data in transit. A few possible ideas:
(Note: You might need technical help or other support for some of these ideas below. Please see our disclaimer on our Web site.)
- Encrypt your hard drive
- Encrypt your emails
  - consider PGP or a third-party email service like Protonmail.com
- Use a strong, different password for every Web site
  - use a password manager
- Use an up-to-date anti-virus program and keep it updated
- Use an up-to-date anti-spyware program and keep it updated
- Avoid email systems that can run programs from emails or that have been used as virus vectors
- Avoid running as “root” or “Administrator” except in rare, controlled circumstances
- Make multiple backups and keep backups off site
- Use an ad blocker with your browser (for example Adblock Plus)
- Consider using Ghostery or similar to stop trackers
- Avoid using tracking search engines like Google
  - (Note: Google appeared four times in the data results, all with “zero” records reported compromised.)
- Get your own domain name and email hosting
- Other strategies…
Ultimately, organizations need to be held accountable for data breaches with financial penalties and possibly legal action. Until that day arrives and the laws catch up to the data breach threat, also consider credit monitoring, freezing your credit, regularly checking your credit report, and taking whatever other steps you feel comfortable with to protect your privacy.
==================================================
Data Breakouts:
Types of Breaches:
1. Unintended disclosure (**DISC**) – Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
2. Hacking or malware (**HACK**) – Electronic entry by an outside party, malware and spyware.
3. Payment Card Fraud (**CARD**) – Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
4. Insider (**INSD**) – Someone with legitimate access intentionally breaches information – such as an employee or contractor.
5. Physical loss (**PHYS**) – Lost, discarded or stolen non-electronic records, such as paper documents.
6. Portable device (**PORT**) – Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
7. Stationary device (**STAT**) – Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
==================================================
Organization Types:
– UNKN – Unknown or other
– BSO – Businesses – Other
– BSF – Businesses – Financial and Insurance Services
– BSR – Businesses – Retail/Merchant
– EDU – Educational Institutions
– GOV – Government and Military
– MED – Healthcare – Medical Providers
– NGO – Nonprofit Organizations
Years of Data: 2005-2016 (partial)
========================================
High-level Results:
Of all the breach types, “HACK” is the most frequent, with 1,281 separate incidents. The insider threat was also high, with 555 separate incidents.
As stated above, there were 898,590,196 total records exposed.
Below is a table showing the type of breach and the number of incidents (see “Types of Breaches” above to decode the type codes; NULL rows have no breach type recorded in the source data):
TYPE – NUMBER OF INCIDENTS
NULL – 46
CARD – 66
UNKN – 149
STAT – 248
PHYS – 542
INSD – 555
DISC – 846
PORT – 1113
HACK – 1281
You might not think, from the incident counts above, that all that much data was exposed, but the table below breaks down the number of records exposed per breach type:
Number of total records exposed by breach type:
UNKN — 6,306,078
CARD — 7,203,035
STAT — 11,568,743
DISC — 32,113,235
INSD — 36,268,831
PORT — 172,876,499
HACK — 629,035,293
Data breaches (incident counts) by entity type (government, financial, etc.):
NGO — 107
BSR — 552
BSF — 633
GOV — 722
BSO — 740
EDU — 772
MED — 1274
Note that medical (MED) has the highest incident count, followed by education. Government is also high with 722 incidents.
Looking at the actual number of records exposed by entity type, we have:
NGO — 2,038,766
EDU — 14,790,624
BSO — 21,505,346
MED — 45,403,049
GOV — 178,534,105
BSR — 257,517,157
BSF — 378,801,149
Above, we see that the total number of exposed records was highest for financial businesses (BSF), followed by retail/merchant businesses (BSR). Government has the third highest total. So, although education and medical had the highest incident counts by entity, the most exposed records are at businesses, and then at government.
Below, due to space limitations, is a very small sample of the organizations involved in these breaches. The list shows only the first 25 characters of the company name, and since there are so many breaches by company name, we limited it to breaches with 100,000 or more total records exposed. Even then, there were too many organizations (229) to list them all!
Partial list of organizations with at least 100,000 records exposed:
Finally, if you think things are getting better over time: 2015 was the second worst year on record for total records compromised, with 2009 the reigning champion.
Records compromised by year (2016 partial):
2009 — 218,903,159
2015 — 160,162,774
2007 — 130,261,978
2014 — 71,138,652
2011 — 66,131,642
2013 — 57,651,691
2005 — 52,821,610
2008 — 49,734,455
2006 — 48,607,177
2012 — 27,777,064
2010 — 12,861,822
2016 — 2,538,172
One more thing: some organizations have had multiple data breaches over multiple years, so they do not seem to be fixing things or learning from their mistakes. The short list below shows the top 10 organizations with at least 1,000 records exposed and at least two breaches in different years. The full list is quite long, and you would recognize many of the organizations.
Name – Number of Breaches – Most Recent Breach
—————————————————————————————
University of South Carolina – 5 – 2013-06-28
Texas A&M University – 4 – 2012-04-14
UC, San Francisco (UCSF) – 4 – 2013-11-25
Ohio State University – 4 – 2010-12-15
Columbia University – 4 – 2012-04-30
AT&T – 3 – 2015-04-08
Eastern Illinois University – 3 – 2009-12-04
Merlin Information Services – 3 – 2007-09-25
Purdue University – 3 – 2011-08-16
University of Florida – 3 – 2013-05-29
(The IRS was number 11 on the list above.)
———
The publicly available data file we used for this post (see URL above) has other useful or interesting fields. For example, one field describes how the data were actually stolen, and another documents when the breach became public.
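As an added example (not the blog's own script), here is how the breakouts above can be reproduced from the PRC CSV export with only the Python standard library: incidents and records per breach type, records per entity type and per year, the share of incidents reporting zero records, and the repeat-breach list. The column names are an assumption about the export's header (check the header of the file you download), the embedded CSV is constructed sample data rather than real incidents, and dates are assumed to be ISO YYYY-MM-DD so that string comparison orders them. The repeat-breach list treats the 1,000-record threshold as an organization's total across all of its incidents.

```python
"""Reproduce the breach breakouts from a Privacy Rights Clearinghouse style CSV.

Added example, not the blog's own script. Column names are an ASSUMPTION
about the PRC export; check the header of the file you download.
SAMPLE_CSV is constructed sample data, not real incidents.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the assumed column layout (not real breaches).
# Covers the edge cases the post mentions: blank/zero record counts,
# thousands separators, an empty breach-type field, repeat organizations.
SAMPLE_CSV = """Date Made Public,Company,Type of breach,Type of organization,Total Records,Year of Breach
2009-01-20,Example Payments Inc.,HACK,BSF,"130,000,000",2009
2013-06-28,Example State University,HACK,EDU,34000,2013
2010-04-01,Example State University,PORT,EDU,,2010
2015-04-08,Example Telecom,INSD,BSO,280000,2015
2014-02-11,Example Telecom,DISC,BSO,0,2014
2014-02-12,Example Telecom,DISC,BSO,1500,2014
2012-09-03,Example Clinic,PORT,MED,0,2012
2016-03-15,Example Agency,,GOV,2500000,2016
"""


def _records(value):
    """'Total Records' may be blank or carry thousands separators; blank means 0 (unknown)."""
    value = value.strip().replace(",", "")
    return int(value) if value else 0


def load_rows(text):
    """Parse the CSV and normalise the fields we group on.

    An empty breach type is bucketed as NULL and an empty organization type as
    UNKN, matching the buckets that appear in the post's tables (assumption).
    """
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "company": r["Company"].strip(),
            "breach_type": r["Type of breach"].strip() or "NULL",
            "org_type": r["Type of organization"].strip() or "UNKN",
            "records": _records(r["Total Records"]),
            "year": int(r["Year of Breach"]),
            "date": r["Date Made Public"].strip(),  # assumed ISO YYYY-MM-DD
        })
    return rows


def incidents_by(rows, key):
    """Number of incidents per value of `key` (e.g. 'breach_type', 'org_type', 'year')."""
    return Counter(r[key] for r in rows)


def records_by(rows, key):
    """Sum of reported records per value of `key`."""
    totals = defaultdict(int)
    for r in rows:
        totals[r[key]] += r["records"]
    return dict(totals)


def ranked(totals):
    """Sort a {key: total} mapping largest first, the way the post's tables read."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))


def zero_record_share(rows):
    """Fraction of incidents that reported no record count (the 'unknown' bucket)."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r["records"] == 0) / len(rows)


def repeat_offenders(rows, min_total_records=1000, min_years=2):
    """Organizations with at least `min_total_records` exposed across all their
    incidents and breaches in at least `min_years` distinct years.
    Returns (company, incident_count, most_recent_date), most incidents first."""
    by_company = defaultdict(list)
    for r in rows:
        by_company[r["company"]].append(r)
    out = []
    for company, incidents in by_company.items():
        total = sum(i["records"] for i in incidents)
        years = {i["year"] for i in incidents}
        if total >= min_total_records and len(years) >= min_years:
            out.append((company, len(incidents), max(i["date"] for i in incidents)))
    return sorted(out, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("Incidents by breach type:", ranked(incidents_by(rows, "breach_type")))
    print("Records by breach type:", ranked(records_by(rows, "breach_type")))
    print("Records by entity type:", ranked(records_by(rows, "org_type")))
    print("Records by year:", ranked(records_by(rows, "year")))
    print("Incidents reporting zero records: %.0f%%" % (100 * zero_record_share(rows)))
    for company, n, latest in repeat_offenders(rows):
        print(f"{company[:25]} – {n} – {latest}")
```

To run it against the real export, replace SAMPLE_CSV with the file contents and adjust the column names in load_rows if the header differs. Note that the zero-record share is what makes the record totals a floor rather than a true count, exactly the point made in the introduction.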
Please read our disclaimer available from our home page