U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a new report by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911).
“With support from CyberScout, the ITRC has been able to heighten its efforts in tracking breaches nationwide by seeking out information on breach incidents through direct contact with numerous states’ attorney general offices as well as by submitting Freedom of Information Act requests,” said Eva Velasquez, President and CEO, ITRC. “For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available. This year we have seen a number of states take this step by making data breach notifications public on their websites. The ITRC Data Breach Report 2016 now includes information from more than a dozen state agencies,” Velasquez added.
Since 2005, the ITRC has been identifying data breaches in five industry sectors (see Fig. 1 below). In 2016, the business sector again topped the list in the number of data breach incidents, with 494 reported, representing 45.2 percent of the overall number of breaches. This was followed by the healthcare/medical industry (377 incidents), representing 34.5 percent of the overall total. The education sector (98) followed at 9.0 percent, the government/military (72) at 6.6 percent and the banking/credit/financial sector (52) at 4.8 percent.
Leading Types of Data Breaches
In 2007, the ITRC began adding categories to identify data breach incidents by the “type of occurrence” (see Fig. 2 below). For the eighth consecutive year, hacking/skimming/phishing attacks were the leading cause of data breach incidents, accounting for 55.5 percent of the overall number of breaches, which is an increase of 17.7 percent over 2015 figures. Of these, many were a result of CEO spear phishing efforts (also known as business email compromise schemes) in which highly sensitive data, typically information required for state and federal tax filings, was exposed. As early as February, the IRS had already seen a 400 percent surge in this type of activity, prompting both consumer and industry alerts addressing this issue.
Our take: it is long past time for small businesses to know where their data is going. Even SMBs can now afford enterprise-grade Data Loss Protection solutions, which will report when your files are being exported, uploaded to cloud and other external sites, and copied to USB devices. Such solutions can alert you when staff or infiltrators attempt to copy data you need to protect, and can enforce policies to stop these actions.