Data Breach Reports
November 30, 2019

CONTENTS
Information & Background on ITRC
Methodology
ITRC Data Breach Report
ITRC Breach Category Summary
ITRC Breach List

’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed in the cumulative annual total.

There are currently two ITRC breach reports which are updated and posted online on a weekly basis. The ITRC Breach Report presents detailed information about data exposure events along with running totals for a specific year. Breaches are broken down into five categories as follows: business, banking/credit/financial, educational, Government/Military and medical/healthcare. The ITRC Breach Stats Report

• Social Security number
• Credit/Debit Card number
• Protected Health Information (PHI)
• DMV Records
• Financial Accounts
• Email/Password/User Name

“” has been replaced with “Unknown”, recognizing the number of records may have been reported to some other entity (i.e. government or law enforcement) but is not provided in the information available to the ITRC.

Breach categories

Business: This category encompasses retail services, hospitality and tourism, professional, trade, transportation, utilities, payment processors and other entities not included in the other four sectors. It also includes nonprofit organizations, industry associations, non-government social service providers as well as life insurance companies and insurance brokers (non-medical).

Education: Any public or private educational facility from preschool through university level.
This category does not include scholarship providers, after-school entities, or tutoring organizations.

Medical/Healthcare: Any medical covered entity (CE) or business associate (BA), as defined by HIPAA, in the healthcare industry. Also includes healthcare facilities and organizations which may be attached to schools and universities, and may include pharmaceutical manufacturers. Insurance companies may vary by industry – medical and long-term insurance providers will be classified as medical/healthcare. Included on hhs.gov list.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Government/Military: Any city, county, state, national or military entity, or a department within one of these entities. In the event that a medical facility is also a government or military entity, it will be listed under Government/Military. Entities such as Veteran Association Medical Centers (VAMC) will be included in this sector.

Banking/Credit/Financial: This sector includes entities such as banks, credit unions, credit card companies, mortgage and loan brokers, financial services, investment firms and trust companies, payday lenders and pension funds (savings plans).

Wizards of the Coast – Magic: The Gathering Users Exposed Due to Unsecured Database

November Data Breaches by Industry

In November 2019 there was a total of 63 data breaches that exposed 621,521 sensitive records and 520,634 non-sensitive records. The Business sector experienced the highest number of data breaches while the Medical/Healthcare sector experienced the highest number of sensitive records exposed.
| INDUSTRY | # OF BREACHES | # OF SENSITIVE RECORDS EXPOSED | # OF NON-SENSITIVE RECORDS EXPOSED |
|---|---|---|---|
| Business | 26 | 306,507 | 520,634 |
| Medical/Healthcare | 23 | 307,844 | Unknown |
| Banking/Credit/Financial | 8 | Unknown | Unknown |
| Government/Military | 4 | 4,900 | Unknown |
| Education | 2 | 2,270 | Unknown |
| MONTHLY TOTALS: | 63 | 621,521 | 520,634 |

November Data Breaches by Method

Hacking was the most common breach method at 44 percent of the total number of data breaches and 92 percent of the total number of sensitive records exposed.

# OF DATA BREACHES PER METHOD PER INDUSTRY

| Method | Banking | Business | Education | Government | Medical | Totals |
|---|---|---|---|---|---|---|
| Hacking/Intrusion (includes Phishing, Ransomware/Malware and Skimming) | 2 | 14 | 0 | 2 | 9 | 28 |
| Unauthorized Access | 5 | 6 | 1 | 0 | 9 | 20 |
| Employee Error/Negligence/Improper Disposal/Lost | 1 | 1 | 1 | 2 | 1 | 6 |
| Accidental Web/Internet Exposure | 0 | 3 | 0 | 0 | 1 | 4 |
| Physical Theft | 0 | 0 | 0 | 0 | 2 | 2 |
| Insider Theft | 0 | 1 | 0 | 0 | 1 | 2 |
| Data on the Move | 0 | 1 | 0 | 0 | 0 | 1 |

Unauthorized Access was the second most common breach method and was responsible for 32 percent of the total number of data breaches and four percent of the total number of sensitive records exposed. Accidental Web/Internet Exposure exposed 87 percent of the total number of non-sensitive records exposed in November, while the remaining 13 percent was exposed from Insider Theft.

| METHOD OF BREACH | # OF SENSITIVE RECORDS EXPOSED | # OF BREACHES |
|---|---|---|
| Hacking/Intrusion (includes Phishing, Ransomware/Malware and Skimming) | 570,488 | 28 |
| Unauthorized Access | 26,006 | 20 |
| Insider Theft | 9,800 | 2 |
| Employee Error/Negligence/Improper Disposal/Lost | 8,015 | 6 |
| Physical Theft | 7,205 | 63 |
| Accidental Web/Internet Exposure | 7 | 4 |
| Data on the Move | Unknown | Unknown |

Three Year Comparison

When comparing data breaches in November – year-over-year – for the past three years (2017-2019), 2018 had the highest number of breaches and the highest number of records exposed. The Business sector reported the highest number of data breaches in 2019 and 2017, while the Medical/Healthcare sector reported the highest number of data breaches in 2018.
Hacking was the most common breach method for all three years.

| INDUSTRY | 2019 # of breaches | 2019 sensitive records exposed | 2018 # of breaches | 2018 sensitive records exposed | 2017 # of breaches | 2017 sensitive records exposed |
|---|---|---|---|---|---|---|
| Business | 26 | 306,507 | 45 | 384,108,751 | 29 | 601,302 |
| Medical/Healthcare | 23 | 307,844 | 51 | 3,065,634 | 20 | 154,793 |
| Banking/Credit/Financial | 8 | 0 | 11 | 10,125 | 6 | 0 |
| Government/Military | 4 | 4,900 | 7 | 9,409 | 7 | 8,615 |
| Education | 2 | 2,270 | 3 | 72,400 | 2 | 1,250 |

Identity Theft Resource Center
2019 Category Summary

How is this report produced? What are the rules? See below for details.

Report Date: 12/4/2019

| Totals for Category | # of Breaches | # of Records | % of Breaches | % of Records |
|---|---|---|---|---|
| Banking/Credit/Financial | 92 | 100,545,501 | 6.9% | 61.4% |
| Business | 573 | 18,430,611 | 42.8% | 11.3% |
| Educational | 110 | 2,252,439 | 8.2% | 1.4% |
| Government/Military | 79 | 3,606,114 | 5.9% | 2.2% |
| Medical/Healthcare | 484 | 38,861,090 | 36.2% | 23.7% |
| Totals for All Categories | 1338 | 163,695,755 | 100.0% | 100.0% |

2019 Breaches Identified by the ITRC as of: 12/4/2019
Total Breaches: 1,338
Records Exposed: 163,695,755

The Identity Theft Resource Center breach database is updated daily and published to our website weekly. A US-based breach, as identified by our current process, is considered public when one of these occur:

1) Published by a credible source (sources include Offices of the Attorney General, and established media – TV news, radio, newspapers)
2) A letter notifying