The number of U.S. data breach incidents tracked in 2016 hit an all-time record high of 1,093, according to a new report released today by the ITRC & CyberScout.
Headline-grabbing data breaches, with victims ranging from Wendy’s Co. to the Democratic National Committee, are increasing despite regulatory scrutiny and more aggressive cyber-security spending. Worldwide spending on security-related hardware, software and services rose to $73.7 billion in 2016 from $68.2 billion a year earlier, according to researcher IDC. And that number is expected to approach $90 billion in 2018.
“We are extremely confident that breaches are undiscovered and under-reported, and we don’t know the full scope,” Eva Casey Velasquez, chief executive officer of the Identity Theft Resource Center, said in an interview. “This isn’t the worst-case scenario we are looking at; this is the best-case scenario.”
The leading cause of data breach incidents was hacking/skimming/phishing attacks, accounting for 55.5 percent of the overall number of breaches, an increase of 17.7 percent over 2015 figures. This type of attack also accounted for 72 percent of breached records. Breaches involving accidental email/internet exposure of information were the second most common type of incident at 9.2 percent of the overall number of breaches, followed by employee error at 8.7 percent.
Social security numbers were exposed by 52 percent of breaches, an 8.2 percent increase, but only 13 percent involved credit and debit card details — a drop of 7.4 percent over the previous year.
The business sector accounted for 45.2 percent of the overall number of breaches, followed by the healthcare/medical industry (34.5 percent), education (nine percent), government (6.6 percent), and banking and finance (4.8 percent).
“For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks,” says Matt Cullina, CEO of CyberScout and vice chair of ITRC’s board of directors. “With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution.”
Adam Levin, chairman of the security company CyberScout LLC, which sponsored the report, said training employees about data privacy and security is essential. “A lot of companies don’t do it,” he said.
The Identity Theft Resource Center, which has been tracking data breach incidents since 2005, compiles its reports using data listed on state regulators’ web sites, as well as by filing Freedom of Information Act requests with various government agencies. Many data breach incidents still aren’t included in these numbers.