U.S. breaches are on a record pace, again, following a record-breaking 2016, according to a report from Providence, R.I.-based CyberScout (formerly IDT911) and San Diego-based Identity Theft Resource Center.
The number of U.S. data breaches tracked through June 30, 2017 hit a half-year high of 791. This represents a significant jump of 29% over 2016 figures during the same period. At this pace, ITRC anticipates the number of breaches could reach 1,500 in 2017, a 37% annual increase over 2016, when breaches reached a record high of 1,093 incidents. The breaches so far exposed 12,389,462 reported records.
The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) potentially puts people at risk of exposure.
The ITRC 2017 Breach Report is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies.
Some breaches did not have reported statistics yet or remained unconfirmed. The ITRC said 67% of data breach notifications or public notices did not report the number of records affected, a record high that represents an increase of 13% over the first half of 2016 and a major hike over the 10-year average of 43%.
“We have made progress in transparency regarding data breach notifications but this only goes so far when we do not have complete information. The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts,” Eva Velasquez, ITRC president/CEO, said.
Broken down by industry category, business tops the list:
Business = 61%
Medical/Healthcare = 24.3%
Educational = 8.7%
Banking/Credit/Financial = 4.2%
Government/Military = 1.7%
“Because breaches have become ubiquitous, it is incumbent upon organizations that suffer a compromise to be candid and provide as much information as possible, so that consumers will have the best opportunity to mitigate their personal consequences,” CyberScout Chairman Adam Levin said.
Hacking, which includes phishing, ransomware/malware and skimming, was the leading cause of data breaches in the first half of 2017. To date, 63% of the overall breaches involved hacking as the primary method of attack, an increase of 5% over 2016 figures. Within the hacking category, phishing was involved in nearly half (47.7%) of these attacks. Ransomware/malware, newly added in 2017, represents 18.5% of hacking attacks.
Matt Cullina, CEO of CyberScout, the report’s sponsor, noted, “Cyberattacks that target businesses are continuing to rise, as hackers aim to steal the most sensitive personal data and demand payoffs in crippling ransomware attacks.”
Following are the 11 biggest U.S. data breaches of 2017 at the halfway point, based on confirmed, exposed personally identifiable information records.
1. America’s Job Link Alliance: 4,800,000 Records
The information exposed included the names, Social Security numbers and birthdates of job seekers in Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont. According to the Idaho Department of Labor, the breach compromised as many as 4.8 million accounts nationwide. On February 20, according to AJL, a hacker created a new account, then exploited a vulnerability to access other job seekers’ information. America’s Job Link Alliance – Technical Support said in a statement that it first noticed unusual activity on March 12, and confirmed the breach on March 21.
2. Schoolzilla: 1.3 Million Records
A California student data warehouse platform, Schoolzilla, first acknowledged the breach on April 12 in a message on its website, which informed customers: “A well-known computer security researcher was doing a targeted analysis of Schoolzilla when he uncovered a file configuration error.” The exposed information included the names, addresses, birth dates and test scores of 14,000 current and former students in the Palo Alto school district and more than a million Social Security numbers of other individuals.
3. Washington State University – Social & Economic Sciences: One Million Records
The university learned about the theft of a locked safe containing a hard drive. Not all of the information on the drive was encrypted and the school determined the hard drive contained some personal information, including names and addresses.
4. HealthNow Networks: 918,000 Records
Patients who supplied sensitive information to HealthNow Networks, a Boca Raton, Fla.-based telemarketing organization providing medical supplies to seniors, had personal information exposed online for many months. The database contained a range of information including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions.
5. Med Center Health/Commonwealth Health Corp.: 697,000 Records?
The FBI continues its investigation of a breach that affected the PII of 160,000 patients serviced at some Med Center Health affiliates between 2011 and 2014. The data, exposed perhaps by a former employee, included billing information such as name, address, Social Security number, insurance information, and procedure codes. Whether the incident affected 697,800 individuals as listed or only 160,000 individuals, as the Med Center Health spokeswoman stated, the breach still ranks as one of the largest so far in 2017.
6. Alliance Direct Lending Corp.: 500,000 Records
Researchers discovered what appears to be customer-purchase information, including full names, addresses, FICO credit scores, vehicle information and the last four digits of Social Security numbers. Additionally, several leaked audio recordings contained conversations between the customers and lenders, in both Spanish and English. The “consent calls” included the customers’ names, dates of birth, Social Security numbers and phone numbers.
7. Airway Oxygen, Inc.: 500,000 Records
On the evening of April 18, 2017, unidentified criminals gained access to the technical infrastructure and installed ransomware in order to deny Purity Cylinder and Airway Oxygen, two affiliated companies, access to their own data. The types of protected health information involved in the breach included some or all customer/end-user and payment-source data, including full name, home address, birth date, telephone number, diagnosis, the type of service provided, and health insurance policy numbers.
8. Arby’s: 355,000 Records
According to cybersecurity expert Brian Krebs, sources at nearly a half-dozen banks and credit unions independently inquired in February about a data breach at Arby’s, which told KrebsOnSecurity it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide.
9. Urology Austin: 279,663 Records
On Jan. 22, 2017, Urology Austin was the victim of a ransomware attack that encrypted the data stored on its servers. The investigation indicated that personal information may have been impacted by the ransomware, including names, addresses, birthdates, Social Security numbers and medical information.
10. CoPilot Provider Support Services: 220,000 Records
The New York-based firm announced unauthorized access to one of its databases used by health care professionals and notified patients. Although CoPilot did not have evidence to suggest that any patient information was distributed or misused for purposes of identity theft or to cause financial harm, CoPilot notified patients out of caution.
11. IRS Data Retrieval Tool: 100,000 Records
The Internal Revenue Service Commissioner reported a breach affecting up to 100,000 taxpayers who used an online tool to apply for federal student aid.