Financial services experienced a 26% decrease in data breaches from 2015, according to the ITRC Data Breach Report 2016, from Scottsdale, Ariz.-based CyberScout and San Diego-based Identity Theft Resource Center.

The statistics show banking, credit and financial institutions made great strides in protecting against data breaches. In general, 2016 saw a 40% increase in data breaches compared to 2015, but breaches affecting the financial services industry declined.

The report cites financial, banking and credit organizations as the segment least affected by hacking, skimming and phishing attacks. Other findings revealed only 3,182 credit card/debit card records exposed in the financial services sector compared to more than 3.6 million credit card/debit card in the healthcare industry; and the financial services segment ranking lowest in breaches cause by employee error/negligence.

Overall data breach stats from the report revealed:

  • An all-time record high number of 1,093 data breaches in 2016, up from 780 in 2015.
  • Fifty-two percent exposed Social Security numbers.
  • Some 72% of exposures came from hacking, skimming or phishing.
  • The majority of records exposed were in the healthcare industry.
  • Only 13% of data breaches exposed credit card or debit card information.


The ITRC identifies data breaches in five industry sectors. In 2016, the business sector again topped the list of data breach incidents, with 494 reported, representing 45.2% of the overall number of breaches. This was followed by the healthcare/medical industry (377), representing 34.5% of the overall total; education (98) at 9%, government/military (72) at 6.6% and the banking/credit /financial sector (52) at 4.8%.

The ITRC defines a data breach as an incident that puts an individual name, plus a Social Security number, driver’s license number, medical record or financial record (credit/ debit cards included), at risk because of exposure.

The ITRC breach list is a compilation of data breaches confirmed by various media sources or notification lists from state governmental agencies. “With support from CyberScout, the ITRC has been able to heighten its efforts in tracking breaches nationwide by seeking out information on breach incidents through direct contact with numerous states’ attorney general offices as well as by submitting Freedom of Information Act requests,” Eva Velasquez, President and CEO, ITRC said. “The ITRC has been aware of the underreporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available,” Velasquez added.

Additionally, most data breach notifications or media reports do not include the type of information exposed. “Going forward, we hope both businesses and government reporting organizations will continue to be more transparent about the details of breached information,” Karen Barney, ITRC Director of Research and Publications, said.

Hacking/skimming/phishing attacks were the leading cause of data breach incidents, accounting for 55.5% of the overall number of breaches, which is an increase of 17.7% over 2015 figures. Of these, many resulted from exposure through CEO spear phishing efforts (also known as business email compromise schemes).

“For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks. Business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution,” Matt Cullina, CEO of CyberScout (formerly IDT911) and vice chair of ITRC’s board of directors, said.

The spike in SSN exposures (an increase of 8.2% over 2015) aligns with the surge of CEO spear phishing attacks.

“Hackers and identity thieves continue to evolve. They are very sophisticated, extremely creative and dogged in their pursuit of what is ours,” Adam Levin, chairman and founder of CyberScout, said. “More than half of the breaches reported by the ITRC included the skeleton key to our lives: the Social Security number.” Levin added, credit and debit card numbers are changeable but SSNs are not. “Consumers must become better informed as to the risks inherent in this dangerous digital world.”