Hackers stole nearly 500 million personal records in 2018, more than double the number heisted in 2017, a non-profit advocate for identity theft victims said in a new report.
The good news is there were fewer breaches. But the bad news is the attacks cut deeper, as measured by the San Diego, California-based Identity Theft Resource Center’s (ITRC) count. While the number of recorded breaches fell by 23 percent to 1,632 last year, consumer records exposed containing personally identifiable information rose 126 percent to 446,515,334 from the 197,612,748 pilfered in 2017.
Factor in the records that were compromised but that the ITRC considers non-sensitive, and an additional 1.7 billion files were exposed in sum, based on the Center’s 2018 End-of-Year Data Breach Report. While email-related credentials are not considered sensitive personally identifiable information, a majority of consumers who use the same username/email and password combinations across multiple platforms are vulnerable, as the recent breach of hundreds of millions of emails showed.
CyberScout, a managed security services provider specializing in identity, privacy and data security services, sponsored the study.
“The increased exposure of sensitive consumer data is serious,” said Eva Velasquez, the ITRC’s president and CEO. “Never has there been more information out there putting consumers in harm’s way. ITRC continues to help victims and consumers by providing guidance on the best ways to navigate the dangers of identity theft to which these exposures give rise.”
Some details on the ITRC’s findings:
- In terms of records exposed, businesses had the highest number at 415.2 million in 571 breaches.
- Government/military was next with 18.2 million records exposed in 99 breaches, followed by healthcare with 9.9 million records exposed in 363 breaches.
- Overall, healthcare had the highest rate of exposure per breach while businesses had the lowest rate.
- Among companies, Marriott’s breach exposed the largest number of records in 2018, impacting 383 million people worldwide. UnityPoint Health was attacked twice, affecting 53 million users.
“When it comes to cyber hygiene, email continues to be the Achilles heel for the average consumer,” said Adam Levin, CyberScout founder and chair. “There are many strategies consumers can use to minimize their exposure, but the takeaway from this year’s report is clear: Breaches are the third certainty in life, and constant vigilance is the only solution.”
In a Security Magazine interview, Colin Bastable, CEO of Lucy Security, a cybersecurity test and training company, offered the following advice to reduce risk. In Bastable’s words:
- Third parties are significant multipliers in the risks faced by consumers and businesses: the fewer moving parts we have between us and our data, the safer we are.
- By making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk.
- By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blindsided: you reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised.
- Using email addresses as usernames is to be avoided whenever possible. Organizations don’t do this to help consumers, but to reduce the support burden and lost business from forgotten usernames.
- Convenience is a double-edged sword – if it's easy for you, it's easier to attack you.
- For companies, if you don’t have to hold consumer data – don’t. Train your people relentlessly, and run what-if? scenarios for the 20% of them who will click on a phishing link.