Data leaks have become a key topic across the world in recent years, with cybersecurity risks now threatening organizations across a wide range of sectors.
Big name companies have fallen victim to data leaks in recent years – and unfortunately, with increasingly large numbers of organizations relying on technology and the Internet to store highly confidential and valuable information, the risk and scale of targeted data attacks grows every year.
As a company dedicated to helping protect our customers via secure file sharing, we have conducted research into data breach incidents affecting US residents. This includes looking into the different sectors targeted, types of breaches, and long-term trends. We also talked to cybersecurity experts to get insights into the problems businesses are facing and what we can expect to see in 2018 and beyond.
Using Privacy Rights Clearinghouse, which tracks all the reported data breaches affecting US citizens, we were able to break down the numbers of which industries proved the most vulnerable to attack, and which types of data breaches were demonstrated to have caused the most damage. Figures from the 2017 Cost of Data Breach Study by the Ponemon Institute, in partnership with IBM Security, allowed us to estimate the average cost each industry suffered from security breaches. We visualized this data to show where the security gaps exist, and hopefully, inform businesses in all industries which security measures to improve in 2018.
Our findings show that the healthcare industry was far and away the most breached industry in 2017 with 328 reported breaches; technology was the second most vulnerable industry with 48 in total. Hacking or malware attacks represented the highest number of security breaches to organizations with 319 reported instances, followed by 150 from unintended disclosure and 64 from physical loss.
Businesses do not always disclose exact figures of either the scale of a breach or the cost incurred as a result. However, the Ponemon report, which surveyed 419 businesses, found an average total cost of $3.62 million per breach last year. At this approximation, industries that suffered breaches in 2017 – and those that suffer them in the future – could face as much as $1.2 billion in costs, the amount the healthcare industry was estimated to have incurred last year.
Several factors impact the overall cost of a breach, including the size of the breach, number of data points, and what these data points represent to the company financially. Again, these figures represent only the attacks that were reported to the public, and do not take into account the subsequent effect of negative PR, discovery and response to a breach, nor investment for future prevention – so it’s likely that the actual figures are even higher.
These staggering numbers illustrate just how financially damaging just one breach of information could be to an organization.
Healthcare Data Breaches
# of breaches in 2017: 328
Total # of records compromised: 5,036,920
Avg. # of reported records compromised per breach: 15,356
Largest industry breach in 2017: Commonwealth Health Organization, KY – Physical breach – 697,800 reported records compromised
With nearly seven times as many reported instances of data breaches as the second most breached industry on our list, healthcare proved easily the most vulnerable sector targeted in 2017. So what is it about the healthcare industry that left it so open to attack?
Cybersecurity experts agreed that this may come down to a combination of the value in the type of data contained within medical records, as well as the structural weaknesses typical to medical offices:
“The types of data that can be collected in a medical industry breach are generally more valuable than what is collected in other industries,” explains Will Quick, Attorney at Brooks Pierce:
“This is largely because of the plethora of data that is contained in medical records. Personal contact information, medical history, billing and payment information, Social Security numbers: this type of information can be a goldmine for committing identity theft.”
A founding member of CodeDefenders, Pieter VanIperen underlines just how vulnerable the medical industry is, despite the high worth of the information it collects and collates:
“Most hospitals and doctor’s offices, even large ones, are run like a small to medium business. Most have small IT budgets and often few IT/computer staff. This generally translates into very poor security practices despite best efforts that are normally restricted by resources.”
These figures highlight how an industry crucial to the running of any civilized society can still be extremely vulnerable to cybersecurity risks.
Technology Data Breaches
# of breaches in 2017: 48
Total # of records compromised: 1,752,323,557
Avg. # of reported records compromised per breach: 36,506,741
Largest industry breach in 2017: River City Media, OR – Unintended Disclosure – 1,370,000,000 reported records compromised
Although the tech industry saw significantly fewer reported breaches in 2017 than the healthcare sector, this smaller total of successful cyberattacks correlated to dramatically higher numbers of total records compromised – the highest of any industry by a lot, in fact.
In all, estimates show that over 1.75 billion records may have been exposed due to hacking, malware, and unintended disclosure in 2017 as a result of vulnerabilities within the tech sphere. Despite 75% of all data breaches being attributed to hacking/malware, the largest-scale tech industry attack reported was a result of unintended disclosure, and is estimated to have compromised 1.37 billion records all on its own.
The far reach of these tech industry breaches should come as no surprise given the ever-more digital world we live in. People are more freely handing over their information to websites and apps.
Tech companies, some of which have access to everything from profile information to the personal data we give to social media accounts, to purchase information, credit card details, email accounts and more, can look like a mother lode of personal information valuable to cyberthieves.
So, although one may expect companies within the tech sphere to guard against such issues, the sheer value and breadth of this information make the whole sector a target for cybercriminals.
“What many fail to consider,” Quick says, “is that even the most well-known brands may have security flaws in the systems they use to gather personal data, leaving their information at risk.”
Retail Data Breaches
# of breaches in 2017: 40
Total # of records compromised: 4,721,736
Avg. # of reported records compromised per breach: 118,043
Largest industry breach in 2017: Spiral Toys, CA – Hack – 2,000,000 reported records compromised | Tarte Cosmetics, NY – Unintended Disclosure – 2,000,000 reported records compromised
Given the retail industry’s widespread reliance on electronic point of sale systems and customer management databases, it’s no surprise that hacking or malware made up the vast majority of threats in this sector: 88% of the 40 reported breaches within the retail industry fell within this category of breach in 2017.
The type of data typically compromised in retail industry breaches tends to include details like credit card numbers and personal information, such as names and addresses, which can then be used for fraudulent purposes. In contrast to the more detailed types of personal information that may be harvested from healthcare or tech industry breaches, says Quick, “bank accounts and credit cards can usually only be utilized once or twice before the card or account is shut down by the user who recognizes fraudulent activity.”
A lack of resources available to smaller retailers may be a factor in the industry-wide vulnerability. This combination of weak cybersecurity and only moderately valuable data to steal makes the retail industry a soft target to cyberthieves – but a target nonetheless.
Finance Data Breaches
# of breaches in 2017: 40
Total # of records compromised: 146,020,981
Avg. # of reported records compromised per breach: 36,506,525
Largest industry breach in 2017: Equifax, GA – Hack – 145,500,000 reported records compromised
The financial sector may tie with retail for third place in terms of number of successful data breaches reported in 2017, but it comes second only to tech with regards to the total number of records affected. This makes the financial industry the leader in most records affected per breach on average, where each financial sector data breach represented an average of over 36 million records compromised. By comparison, the second-highest industry average number of records breached per attack was around 32.9 million less than this.
The largest factor in skewing this average was the 2017 Equifax hack, where 145.5 million records of highly sensitive information such as names, addresses, birthdates, social security numbers, and credit card information were compromised. It has been called one of the worst hacks in history for Americans.
That said, the learnings from the Equifax breach may set us up for a safer future, says VanIperen:
“Prior to Equifax, SSN along with DOB and other personal details were probably the most valuable types of data that could be stolen…however, in response to Equifax, many people have added monitoring, alerts or freezes to ensure new accounts aren’t opened.”
While these details can still be used to gain access to other accounts and represent highly valuable data for cyberthieves, the very public response is that many are taking their personal data security more seriously.
Government Data Breaches
# of breaches in 2017: 17
Total # of records compromised: 6,322,739
Avg. # of reported records compromised per breach: 371,926
Largest industry breach in 2017: Kansas Department of Commerce, KS – Hack – 5,500,000 reported records compromised
Government institutions faced as many data breaches through hacking/malware as through unintended disclosure – the first and second most common types of breaches respectively in 2017.
The largest individual breach reported in 2017 came from a successful hack on the Kansas Department of Commerce, where as many as 5.5 million records in the form of social security information may have been compromised. This breach is estimated to have affected people in as many as ten states across the US.
Government organizations are targeted for a wide array of reasons, with breaches ranging from personal to political, and including both internal and external sources. For example, interns leak documents to the press seeking to expose a party member; ex-spouses leak personal information to damage careers; foreign entities hack databases for espionage purposes; private email servers expose confidential records to potential theft. The list goes on and on in an often hostile political climate.
As varied as the types of breaches can be, so too can be the information compromised: from information on US citizens including where we live and work, voting information, social security details, tax history, etc; to information on the government entities themselves, potentially exposing institutions to malicious attacks from cybercriminals.
Education Data Breaches
# of breaches in 2017: 16
Total # of records compromised: 7,580,302
Avg. # of reported records compromised per breach: 473,769
Largest industry breach in 2017: The Center for Election Systems at Kennesaw State University, GA – Unknown – 7,500,000 reported records compromised
Half of all breaches within the education industry in 2017 came from unintended disclosure. However, either due to under-reporting of actual records compromised or significant differences in the range in scale of breaches within this sector, these breaches made up only a very small proportion of total records affected.
The single largest breach whose numbers were reported came from the Center for Election Systems at Kennesaw State University, which saw 7.5 million records compromised – about 99% of all the records reportedly affected within the education sphere in 2017. This was the only breach within this sector whose cause was not reported and was therefore listed here as unknown.
The unknown nature of this breach caused substantial controversy in the summer because the data breached was election data. The university oversaw the state’s voting system and provided logistical support, but after a lawsuit alleging its system might have been susceptible to hacking, university officials destroyed the server containing all the election data. The lawsuit, which alleges that Georgia officials ignored warnings about the system’s vulnerability and seeks to determine whether the destruction of this voting data was an act of incompetence or an attempted cover-up, is ongoing.
Food Data Breaches
# of breaches in 2017: 11
Total # of records compromised: 60,000
Avg. # of reported records compromised per breach: 5,455
Largest industry breach in 2017: Pizza Hut, TX – Hack – 60,000 reported records compromised
Data from the food industry is a clear example of underreporting. Although 11 breaches in total were reported in 2017, Pizza Hut was the only business within the food industry that reported the number of records affected following a hack. This skewed data leaves an inconclusive view of the food industry. Such a lack of transparency is commonplace with organizations choosing not to disclose either the number of people affected, or the cost impacts to them, some of which may not be known until some time after.
The 60,000 records compromised in the Pizza Hut hack were reported to include customer names, billing ZIP codes, delivery addresses, email addresses, and credit card information. The data was obtained through a breach in the company’s website and mobile app. It lasted only 28 hours in total – proving just how much damage can be done in even a very short time.
Hospitality Data Breaches
# of breaches in 2017: 11
Total # of records compromised: 950,000
Avg. # of reported records compromised per breach: 86,364
Largest industry breach in 2017: Goldenvoice/Coachella Music Festival, CA – Hack – 950,000 reported records compromised
Just like the food industry, the hospitality sector has a clear lack of reporting. Though all of the 11 successful breaches were committed through hacking or malware, only one 2017 breach in this category – the hack of Goldenvoice/Coachella Music Festival – reported the number of records estimated to have been compromised. This skews both the average as well as the overall picture of how vulnerable this industry may be.
One reason why a business chooses not to disclose the details of a hack publicly involves the contingency plan in place to deal with a breach. Goldenvoice/Coachella Music Festival’s response, for example, was to inform all potentially affected festival goers of the breach – which may have affected information like customers’ full names, email addresses, and mailing addresses, as well as birth date, phone number, and other optional information users may have provided upon purchasing their festival wristbands. The organization offered them identity protection services for 12 months, free of charge. These services are another example of a cost a business might incur as a result of a data breach in order to protect their reputation with the public.
Home and Leisure Data Breaches
# of breaches in 2017: 6
Total # of records compromised: 0*
Avg. # of reported records compromised per breach: 0*
Largest industry breach in 2017: N/A*
Businesses in the home and leisure category represent the real estate industry and leisure service providers of all kinds. Consider providers that let you sign up online, such as gym memberships, city hockey team, or even just a yoga class. This personal information is transmitted over the web with just a click of a button.
None of the organizations within the home and leisure category publicly disclosed exact information relating to the size of the breaches affecting them, nor the financial ramifications as a result.
Like many industries, home and leisure businesses are targeted because of the amount of personal information they have on record. Realtors can hold anything from transaction details to personal information relating to agents and associates working on their behalf or across the US.
On whether the Internet has been an enabler in the propensity of data breaches, Paul Moreno, cybersecurity expert and Bugcrowd advisor says “Yes, with social media accounts even your grandpa has, it’s become more natural to overshare details. More so it’s easier to share information that could be used to aid an attack on you.”
Non-profit Data Breaches
# of breaches in 2017: 6
Total # of records compromised: 2
Avg. # of reported records compromised per breach: 0*
Largest industry breach in 2017: National Safety Council, IL – Hack – 2 reported records compromised
Only the National Safety Council disclosed the number of people affected by data breaches in 2017, with just two records compromised. According to the correspondence sent to the individuals affected, a genuine-looking approach for personal information was made. This led to two e-mail attachments being sent with their W2 form which included their social security details and name and address. It was later discovered that this was actually a malicious phishing attempt.
Non-profit organizations, charities especially, are renowned for stretching low budgets to direct as many resources as possible toward their worthy causes. This means that investment in security protocols may not be a top priority. Tracy Reed of Copilotco also explains how such limitations in resources can negatively affect an organization’s ability to protect themselves:
“Security people are in demand and not getting any less expensive,” he says, citing that organizations are “too reticent to invest in cyber security in general and that includes people.”
In the case of non-profit organizations, this hesitancy could be more detrimental with the information they publicly disclose and the impact it can have on their activities to help and support the general public.
What’s next for cybersecurity?
Although the number of data breaches in the US has fluctuated over the past decade, the more concerning trend we’re seeing is the increasing severity of each data breach.
“The biggest challenge for businesses currently is the scale of breaches. Hackers have become much more savvy when it comes to finding weakness in systems and then mining that weakness to escalate and steal millions of records,” explains VanIperen.
From the rising number of records compromised to the types of records affected, it’s clear that the importance of business security cannot be overstated.
“The last year has been the worst in history for large-scale data breaches…the impacts from which may take years if not decades to be fully dealt with. The scale and frequency of these intrusions over the last year make it apparent that the majority of companies are not prepared for the cyber risks present in this day and age.” -Charlie Porter, Farmers Insurance
As for who currently has the upper hand, the industries at risk or the bad guys: the answer seems to indicate a stalemate. Moreno believes that “this will forever be a game of Spy vs Spy,” as for every vulnerability or attack vector closed, another one opens up.
VanIperen agrees, noting: “Thieves only need one point of failure to exploit. It’s similar to a lot of law enforcement and intelligence work. You don’t hear about the millions of attacks that are prevented or stopped, but you do hear about the one that got through.”
“A hacker has to be right once; a cybersecurity team has to be right every single time.” -Pieter VanIperen, CodeDefenders
2018 Cybersecurity Predictions
“I think that data breaches will continue to be the new normal with 2018 potentially having more than in 2017. There are no indications that hacking is on the decline,” says Porter.
As to what types of attacks we can expect to see increase, VanIperen believes that “phishing is going to skyrocket as an attack vector.” Multiple researchers have been probing email protocols and weaknesses in how email clients interpret them. There are also now ways to forge emails without showing any evidence of forgery.
“I think we are at the height of hacking as a criminal business, and we are seeing cyber security slowly shifting left and become a part of development cycles and business practices. Until it is baked in, hackers will continue to have wins and some will be big,” VanIperen says.
The situation is not entirely gloomy, however, as Quick highlights how data from the Cost of Data Breach Study indicates that the average cost of a data breach may decrease as more companies prepare for them.
So how are these industries toughening themselves up? What lessons can other companies, big or small, learn from this?
Across the board, experts agree that people seem to be the weakest link, and companies must learn to treat data security as a shared responsibility that is part of everyone’s duties, not just one belonging to the IT staff.
“Businesses, particularly small businesses, should not overlook the importance of educating their people about best practices in data security.” -Will Quick, Brooks Pierce
Porter suggests that companies implement policies such as password security measures, multi-factor authentication, social engineering training and recognition, anti-phishing education, and anti-virus and encryption protections.
Yet as preparation improves at one end of the spectrum, at the other, so too does the complexity of attacks.
As for how rigorously organizations should be protecting themselves, VanIperen suggests:
“Think of it this way. If you were in a war zone, how often would you make sure your bulletproof vest was on and covering your heart?”