A new report from Risk Based Security has revealed that 15.1 billion records were exposed in publicly reported data breaches in 2019, a 284% increase from 2018 and a 91% increase from 2017. While the number of records exposed in data breaches was substantially higher in 2019, the number of breaches only increased by 1%, from 7,035 in 2018 to 7,098 in 2019. However, it should be noted that further incidents may be added to that total in the next few weeks. Risk Based Security has predicted up to 300 more breaches will be added to the 2019 total in the next two months.
93.5% of all exposed records were due to just four incidents, all of which were misconfigured databases that allowed records to be accessed over the internet without the need for any authentication. In total, 13.5 billion records were exposed over the internet across 343 incidents, hacks accounted for 1.5 billion records across 5,184 incidents, and 120 million records were exposed in other types of data breaches. Hacking was therefore the most common cause of breaches, but web exposures involved far more records.
One of the largest breaches of the year affected Zynga. Approximately 25 million unhashed passwords were exposed in the breach. According to Risk Based Security’s analysis, fewer than 1% of those passwords followed basic security requirements and 77% met fewer than half of the standard password requirements. The most commonly used password was ‘password’, followed by ‘123456789’, ‘1234567’, ‘123456’, and ‘123123123’. ‘words’, ‘12345678’, ‘qwerty’, ‘12345’, and ‘changeme’ rounded out the top 10.
According to the report, sensitive information was exposed in 22.6% of those breaches but was not confirmed as having been stolen. 368 data breaches were attributed to third parties in 2019 and involved 4.7 billion records at an average of 13 million records per breach.
6,002 breaches were due to outsiders, 840 were due to insiders, and the cause of 256 breaches was unknown. Out of the insider breaches, 574 incidents were accidental breaches, 117 were due to malicious insiders, and the cause of 117 insider incidents is not known.
Industries most affected by data breaches were the information sector (614 incidents), healthcare (512 incidents), and finance/insurance (435 incidents). According to the breach portal of the U.S. Department of Health and Human Services’ Office for Civil Rights, 41,335,889 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That represents 12.55% of the population of the United States. The reported healthcare data breaches only include breaches of 500 or more healthcare records. Smaller breaches are not made public.