2019 “Worst Year on Record” for Data Breaches

September 11, 2019 - Ensighten

Data breach figures hit a record high with websites taking the top spot for exposed records

2019 is on course to be the “worst year on record” for data breach activity, according to recently released figures.

Risk Based Security’s (RBS) 2019 MidYear QuickView Data Breach Report shows that 3,813 breaches were reported up to June 30, exposing more than 4.1 billion records. Compared to midyear of 2018, the number of reported breaches was up 54 percent and the number of exposed records was up 52 percent.

Crucially, companies’ websites remain a huge cybersecurity blind spot: the web is still the number one breach type by number of records exposed, accounting for 79 percent of compromised records. The unauthorized access of systems or services, the use of skimmers and the exposure of sensitive data on websites have been named the top three breach types this year.

Of the breached organizations, the business sector accounted for 67 percent of reported breaches, followed by medical (14 percent), government (12 percent) and education (seven percent).

“The number of breaches is up, and the number of records exposed remains stubbornly high. What is clear is that despite the awareness of the issue among business leaders and the best efforts of defenders, data breaches continue to take place at an alarming rate,” notes the report.

Cost of a breach

This unprecedented level of breach activity comes at a time when the costs associated with a data breach have never been greater – the average total cost is now $3.92 million, with lost business as the biggest contributor.

If a third party caused the data breach, the cost increases by more than $370,000, for an adjusted average total cost of $4.29 million. This is important to note as exploiting third-party vendors is one of the most common methods employed by criminals to gain access to the data collected via a company’s website.

This type of attack method has been most notably deployed by Magecart, the infamous hacker group behind a surge in supply chain attacks on companies’ websites, including that of Ticketmaster UK, where digital skimming software was injected onto the site after compromising a chatbot originating from a third-party customer support company. The software then harvests customers’ personal data such as credit card numbers, passwords, addresses and dates of birth.

Other high-profile victims in 2019 include the publisher Forbes, which reportedly had its magazine subscription website infected with digital skimming code via a third party, as well as the Atlanta Hawks online store.

Magecart warning

Such is the threat of Magecart that last month the PCI Security Standards Council issued a joint statement with the Retail and Hospitality Information Security and Analysis Center (ISAC) warning ecommerce companies of the growing threat posed by the group.

The challenge for organizations is how to leverage the functionality and revenue-generating opportunities of the marketing technologies and other third-party vendors on their website, without making themselves vulnerable to attack.

Traditional solutions are only effective in part; companies need to adopt a holistic approach to help protect them against the surge in attacks on websites. This includes getting a real-time view of their digital data supply chain where they can see all the technologies running on their website, performing a full privacy risk assessment as web pages are loaded and whitelisting third-party vendors.
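A minimal sketch of the inventory-and-whitelist step described above, added here as an illustration and not taken from Ensighten or the RBS report: it lists every third-party host a page loads from or posts to and flags those missing from an approved-vendor list. The page URL, vendor hostnames and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one first-party script, two approved vendors,
# and two unapproved third-party endpoints (hypothetical hostnames).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script src="//cdn.unknown.example/c.js"></script>
</head><body>
<iframe src="https://pay.vendor.example/frame"></iframe>
<form action="https://collect.unknown.example/p"></form>
</body></html>
"""
PAGE_URL = "https://shop.example/checkout"                 # assumed first-party page
ALLOWLIST = {"chat.vendor.example", "pay.vendor.example"}  # assumed approved vendors

# Tag -> attribute that makes the browser load from, or send data to, a host.
LOADERS = {"script": "src", "iframe": "src", "img": "src",
           "link": "href", "form": "action"}

class ResourceInventory(HTMLParser):
    """Collects (tag, host) pairs for every external reference in the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = LOADERS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative and protocol-relative URLs against the page URL.
            host = urlparse(urljoin(self.page_url, value)).hostname
            if host:
                self.found.append((tag, host))

def audit(html, page_url, allowlist):
    """Return (all third-party hosts, unapproved (tag, host) pairs)."""
    inv = ResourceInventory(page_url)
    inv.feed(html)
    first_party = urlparse(page_url).hostname
    third = [(t, h) for t, h in inv.found if h != first_party]
    # Exact hostname match: an approved vendor does not approve its subdomains.
    unapproved = sorted({(t, h) for t, h in third if h not in allowlist})
    return sorted({h for _, h in third}), unapproved

if __name__ == "__main__":
    hosts, unapproved = audit(SAMPLE_HTML, PAGE_URL, ALLOWLIST)
    print("third-party hosts:", hosts)
    for tag, host in unapproved:
        print(f"NOT ALLOWLISTED: <{tag}> -> {host}")
```

This only sees references present in the served HTML; tags that approved scripts inject at runtime need to be observed in the browser as the page loads.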

Speak to Ensighten about how to extend your security protection to your website and avoid becoming a website data breach statistic.