Everything You Ever Wanted to Know about Data Breaches in the U.S.
To understand breaches, it helps to identify and follow them, including how they are reported, misreported, and underreported. Here is an analysis of American data breaches for the first quarter of 2018, with many charts.
Q1 2018 statistics: 526 data breaches, Over 181,473,923 affected, with 169,500,000 from the 2 largest breaches
Reporting rules vary from state to state, and how states publicly report breaches varies greatly. But at least all states now have data breach notification laws, although Alabama and South Dakota only signed theirs into law in the past month, and South Dakota’s does not go into effect until July 1, 2018. There are a variety of news sources and governmental sites to learn about recent data breaches, but they each have their own weaknesses and inconsistencies. For instance, one place may describe a breach as affecting “a limited number of people” where somewhere else may specify a number around 66,000.
While all states can help you with seeking compensation for your role as victim in a data breach, many (38) do not publish the information at all. It isn’t like product recalls where there’s an official list where anyone can look at to see if they’ve been affected, although some states do a decent job, especially compared to the federal government. I’m looking forward to seeing if GDPR causes the EU (plus UK) to publish a detailed data breach list.
Our list tracks 526 incidents (multiple events for the same company were combined, as if they were one group incident) for Q1 2018 from 12 state sites, 1 federal site and SC Magazine, often in combining the details from each to get a more complete picture. 471 of these have specific counts of those affected, adding up to 181,473,923 (keep in mind that 169,500,000 are just the biggest 2 breaches, and that another 2 large breaches have no count to numerically include. That’s 55.7% of all Americans (if we assumed people were not part of multiple breaches) and divides out to 385,295 per breach with a number.
State websites vary in the details they display, including how current their reporting is (this ranged from “current” to “2 months old”, but the outlier that was 5 months old updated theirs upon my alert). There was only one federal agency that lists data breaches. Health & Human Services reports on all healthcare related breaches affecting 500 or more people that they are alerted to (per section 13402(e)(4) of the HITECH Act), although they do not seek them out. I reached out to the FDIC using a Freedom of Information Act (FOIA) request to see if they had anything on banking or any other BFSI subsector, but they replied, “The information you requested isn’t publicly available … FDIC Office of Communications.” Here are some from state sites affecting over 500 people that are not on the federal https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf site (I just sent them an email – hopefully they’ll update their site):
- Clinical Pathology Laboratories Southeast Inc.: 42,720
- Heywood Hospital’s: 1,580 from Massachusetts
- Cohen Berger Klepper Romano Mds PC: 42,000
- Mercy Health Love County Hospital & Clinic: 14,229
- REM Indiana Inc: 7,520
- Hudson River Health Care Inc: 1,502
- GHG Greyhealth Group LLC: 683
12 states (California, Indiana, Iowa, Maine, Maryland, Massachusetts, Montana, New Hampshire, New Jersey, Oregon, Vermont and Washington) list individual breaches, but the listing method and level of detail is completely different for each state. After picking a state at random not on this list and asking for their breach list per the Freedom of Information Law (FOIL), the state provided a 1.5GB PDF attachment containing many years of records, apparently in random order and with nothing newer than 9 months old, free of charge.
What varied state to state between website data? Some only give a start date for the breach instead of a range, although the only date Massachusetts gives is when the breach was made public. Massachusetts, however, has the highest monthly average of reported incidents (110) vs. Iowa with the least (3). Only half of the states give you the What Happened / What Information Was Involved (WH/WIWI) details common to most public breach notices. Only Indiana and the federal HHS tell you how many people were involved nationwide (unless specified in WH/WIWI), while only half the states tell you how many were affected in your state. 5 states fall 1 or 2 months behind on reporting data breaches. Also, sometimes WIWI will get filled with unhelpful details, like that the exposed information consisted of “data elements 1-6”.
For a breach to be considered Q1 2018, I am looking at the “made public” date, as will be demonstrated with an example. The Rosewood Hotel breach involved transactions made between May 29, 2016 and January 11, 2017 which were reported by 3rd party processor Sabre Hospitality Solutions in late December 2017, counts as Q1 2018 because that’s when Rosewood went public, less than a month after they found out. Rosewood is also a good example of the number affected not being known nationally, although some state exposure counts are public knowledge: 41 (Indiana), 8 (Maine), 5 (New Hampshire), 114 (Maryland), 158 (Massachusetts).
The chart below shows the number of breaches listed per state that lists breaches. Keep in mind that the higher numbers may represent better reporting, not greater risk, and that not all breaches are of equal value. In fact, some states are specifically missing breaches that undoubtedly affected all states. However, there are still plenty of breaches that would have been concentrated in just one states or one region of the country.
Which were the worst data breaches during the first quarter of 2018 in the U.S.? Here are your “champions”:
Under Armour’s giant 150M breach was skewing the graph too much, so now you get to see almost everyone in the 100K+ club. I say “almost” because 2 offenders never gave numbers. Applebee’s never gave a breach count but has the potential to go over 100K, as it involves POS malware at over 150 restaurants during November 23, 2017 through January 2, 2018 (actual dates varied per restaurant, and some payment methods prevented access). Bongo International/FedEx had an unsecured AWS S3 bucket exposure reported on February 16, 2018, which can easily become gigantic numbers; exposed data included drivers licenses, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses, US military ID cards, and credit/debit cards. Also, Saks Fifth Avenue and Lord & Taylor had a breach of nearly 5 million credit and debit cards, but it was announced on April 1, 2018, just outside of the first quarter of 2018, so that will not be discussed here. But let’s discuss each of the above large Q1 2018 breaches of known size, briefly:
- Under Armour: MyFitnessPal.com was hacked, exposing 150M usernames, email addresses, and hashed passwords, but no payment info.
- Sacramento Bee: Ransomware hit the newspaper, exposing 19.5M voter records (name, date of birth, phone, political affiliation)
- Equifax update: Remember last year’s Equifax breach? Well, those numbers were revised upwards by 2.4M (new total: around 148M), but these only expose names and partial driver’s license numbers.
- Deli Management, Inc. d/b/a Jason’s Deli, Inc.: POS malware at many different restaurant names under one management company exposed names, credit/debit cards, expiries, CVVs, and service codes for ~2M patrons.
- MBM Company (a Walmart jewelry partner): An unsecured AWS S3 bucket online exposed 1.3M records of customers’ names, addresses, ZIP codes, phones, emails, IP addresses, plaintext passwords, encrypted credit card numbers, and payment details for purchases made between 2000 and early 2018 (yes – 18 years!). Think anyone saw these?
- Orbitz: While details regarding the means of access are sketchy, it involved purchases made in early 2016 which were exposed during most of 2016 and 2017. Perhaps a 3rd party or insider for these 880K records of full name, payment card data, DOB, phone, email, address, and gender?
- FastHealth Corporation: The state of Indiana reports the federal count at 657,529 (8,420 in Indiana), which is much larger than others are saying, for a breach that began on August 14, 2017 and was made public on February 27, 2018. HHS is reporting this as a 1,345-person FastHealth breach that is now including other providers. A big typo maybe?
- National Stores operates over 300 clothing stores, and POS malware affected 609,064 payers, exposing names, and credit/debit cards (along with the expiries and CVV’s).
- Florida Virtual School: It wasn’t just Leon County’s 50K, but 386K across Florida’s schools. Discovered on February 12, 2018 and made public on March 15, 2018, this exposed student records including names, DOB, school account usernames and passwords, physical school ID, parents’ names and emails, demographic data (including ethnicity), medical data (including vaccinations), Exceptional Student Education status (for gifted and/or disabled students), and academic program participation.
- Oklahoma State University Center for Health Science: Discovered in November of 2017 and made public on January 5, 2018, this exposed billing records of 279,865 patients, after their network server got hacked.
- Peter’s Ambulatory Surgery Center d/b/a St. Peter’s Surgery & Endoscopy Center: Unauthorized access of 134,512 records including name, DOB, service dates, medical codes, SSN. The breach was made public on February 28, 2018.
BFSI (financial services) unsurprisingly is the most frequent industry exposed at 34%, with health coming in second at 23%. Retail (which includes hotels) is third at 15%. The remaining much-thinner slices (starting at 8%) are Government, Professional Services, Education and Tech, in that order. The average breach size by industry (from breaches where the breach size is known), however, tells a much different story, mainly because the largest breach in each category tips the averages. The totals per industry (and average size per industry, where sizes are known), of course, are more heavily weighted based on single large exposures. The average retail breach size affected 2,220,442, heavily influenced by Under Amour’s 150M person breach. The median retail breach size is a much less scary number: 25 people at Abington Bank. Next, the average Professional breach affected 559,291 (influenced by the Sacramento Bee’s 19.5M). The rest are all under 25,000: 23,048 for BFSI, 19,277 for Technology, 13,124 for Education, 12,411 for Health and 11198 for Government.
Phishing was the most popular means of access, and one of the easiest to prevent, through improved email security and/or better employee training. Malware (including ransomware) can be minimized through better security software and processes. Theft risks can be mitigated by password-protecting devices. And email and device password guessability can be minimized by having more complicated password requirements, changing passwords, NOT POSTING PASSWORDS PUBLICLY (sticky notes, email, Dropbox, Trello, Slack, etc.). Let’s proceed to the kinds of data at risk (breaches can expose multiple types; also, many incidents did not specify which types were exposed). Many of the incidents are listed as “electronic”, “unauthorized access” or “paper”, which are less than definitive — the graph above excludes these vague explanations which unfortunately means it is hard to identify “hacking” as a means of access. One of the ransomwares involved cryptomining. Phishing does not include “hacked email” or more vague email access. Theft included laptops, thumb drives, hard drives and backup tapes. A few incidents made reference to skimmers or data scraping as part of the means of access. Also, there was one where a change in garbage service meant that the to-be-shredded paper was instead just thrown out.
Not all breaches publicized what kind of data was exposed, and many breaches exposed multiple data types. On the dark web, personal information is valuable for identity theft, although there’s nothing like going straight for the money by using a credit/debit card or using a bank account. Most of the breaches that involved W2’s happened in February (when the form is usually mailed out) – all but one of the few that weren’t were exposed within a few days of February.
If this has interested you in learning more about Qualitest and how we can help you with cyber testing, please click here.