It’s the list no one likes to be on.
It’s kind of like being on the “worst dressed list” except that we’re talking about stolen data and, probably, lots of lawsuits.
Welcome, then, to the Top Data Breaches of 2019.
The readings are pretty grim. At a high level, the numbers are staggering. Millions of accounts hacked. Billions of records accessed. Thousands of breaches.
In data coming into the end of the year, Risk Based Security said hackers had accessed 7.9 billion records into the last few months of the year, and they were on track to access 8.5 billion records across more than 5,100 attacks — meaning through the first nine months of the year (the estimate as of this writing), the number of breaches grew by 33 percent.
We can slice and dice the breaches in any number of ways. But perhaps one view that illustrates how vulnerable some companies are in a “smash and grab” is to show how many records were hacked. The fraudsters, after all, feast on data, and data lie within the records. Get enough records together and it becomes easier to cobble together synthetic identities.
As has been documented here, fraudsters always look for the path of least resistance, and taking bits and pieces of disparate information can help them stitch together new personas that go on to drain accounts, take out loans, and even establish entire credit profiles that can exist for years.
The hacks are not confined to industry verticals or to data type. In some cases, it’s not easy to put a dollar amount on the breaches because fines have not accrued, suits may not have been filed, and the true extent of damage is not yet known.
We are making a distinction between data that is exposed (and is vulnerable) versus data that is breached (where data have been accessed and extracted by targeted efforts). In many cases, the bad guys have advertised stolen data for sale on the dark web.
We are also making a distinction between hacks that were announced during the year, such as the gargantuan disclosure by Marriott that hackers accessed 383 million guest records, but the attacks were in 2018.
Size and Scope
To get a sense of size and scope, among the biggest breaches of the year include the one seen at Facebook, as reported near the end of December, and where a database with 267 million user IDs, phone numbers and names was left unsecured — and accessed by hackers. According to reports and as noted in this space, the data reportedly may have been accessed through manipulation of the social media giant’s API.
Zynga, the mobile gaming company, saw another large breach with 218 million records hacked. In a statement in September, the company said “cyber attacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers.”
The attacks affected consumers who had played games like “Words with Friends.” Among the data taken were account login information, and as reported by sites such as CNBC, Facebook IDs, too.
High tech — the social media kind — also proved to be a lure for hackers, and where cumulatively 617 million records went on sale on the dark web in February for about $20,000 in bitcoin. Records hacked from video messaging app Dubsmash topped 161 million. The records stolen ranged from email addresses to passwords. Additionally, MyFitnessPal had 151 million records hacked, and MyHeritage had 92 million.
Capital One loomed large this year, as a significant data breach reported in July saw fraudsters access more than 100 million records — and reports said the data was tied to Americans and Canadians who had applied for credit cards over the span of more than a decade and a half — dating back to 2005. Data compromised included email addresses, Social Security numbers and bank information.
Separately, around 11.9 million records were compromised and exposed in a data breach of American Medical Collection Agency — a collector for Quest Diagnostics and UnitedHealth Group. Hackers took data spanning bank accounts, Social Security numbers, credit cards and personal information.
The Costs
Beyond (perhaps immeasurable) hits to reputation, there’s financial impact associated with the breaches. IBM estimated this year in its annual study of that impact, the cost of a data breach has risen by 12 percent over the past 5 years. The breaches now cost $3.92 million on average. Drill down a bit, and the impact of the largest breaches becomes apparent: IBM said breaches of more than 1 million records cost companies about $42 million in losses, and those with at least 50 million records see costs of around $388 million.
Goodbye, then, to 2019, and as 2020 dawns, unfortunately, there’s no reason to expect the battle against the hack attacks is going to get any easier.