During the first three months of 2018, there were a total of 686 global data breaches that resulted in 1.46 billion records being exposed. In both cases, the numbers were more than 50% lower than the totals reported in the first quarter of 2017, a record-setting quarter on both counts.
The data were reported Tuesday by security firm Risk Based Security. The leading source of exposed records during the first quarter was fraud, which accounted for 87.5% of all exposed records, due primarily to the release of millions of Facebook Inc. (NYSE: FB) records to Cambridge Analytica and a massive leak of citizen identification numbers in India.
The United States was the top country by number of data breach incidents with 392 — more than half of the global total. Canada ranked second with 21, the United Kingdom experienced 20 and Australia had 17 breaches in the quarter. No other country had more than seven incidents.
Among the U.S. states, California registered 61 incidents, nearly three times as many as second-ranked New York and third-ranked Texas. The state where the most records were exposed was Maryland, where 150 million records were revealed in nine breaches. California ranked second in records exposed with nearly 107 million.
Risk Based Security assigns each data breach a severity score ranging from 10 (most severe) to 1 (least severe). Here’s the list, along with severity score, number of exposed records and how the breach occurred.
- Facebook: score 10; 87 million user profile details; classified as fraud
- Undisclosed — India: score 10; 1.19 million names and unique identification numbers (Aadhaar numbers); classified as fraud
- Under Armour Inc. (NYSE: UAA): score 9.7; 150 million records of MyFitnessPal app users; classified as hacking
- Orbitz: score 8.5; 880,000 records stolen; classified as hacking
- Undisclosed — Switzerland: score 8.2; 800,000 personally identifiable records stolen; classified as hacking
- Health South-East — Norway: score 8.2; 2.9 million medical records stolen; classified as hacking
- The Sacramento Bee: score 8.0; 19.5 million voter records and 53,000 subscriber names exposed due to misconfigured database; classified as web
- Ontario Political Conservative party: score 7.7; 1 million members and voter information held for ransom; classified as virus
- MBM company (Limogés Jewelry): score 7.5; 1.3 million customer records exposed due to misconfigured database; classified as web
- Phoenix Insurance: score 7.4; 500,000 names and medical and family histories stolen; classified as hacking
According to Risk Based Security, three of the five largest breaches of all time occurred last year, and the largest only missed being included in the 2017 total by about two weeks. Here are the five biggest breaches ever:
- Yahoo: United States; 3.0 billion exposed records
- DU Caller: China; 2.0 billion exposed records
- River City Media: United States; 1.3 billion exposed records
- NetEase Inc. (dba 163.com): China; 1.2 billion exposed records
- Aadhaar database: India; 1.1 million names and unique identification numbers (Aadhaar numbers)
Visit the Risk Based Security website for the complete report and methodology.