Over the course of 2018, security firm Risk Based Security reported 6,515 data breaches that exposed more than 5 billion records. Year over year, the total number of breaches slipped by 3.2% and the number of exposed records fell by 35.9%.
The 12 largest breaches alone accounted for 74% of all exposed records. Each of those dozen incidents exposed more than 100 million records.
The United States experienced nearly 35% (2,264) of all breaches, far more than any other country, and also recorded the highest number of exposed records with 2.26 billion (44.4% of the year’s total). The United Kingdom suffered 144 data breaches that exposed 19.6 million records, while Canada posted the third-highest number of breaches with 112.
India recorded 82 data breaches and the second-highest number of exposed records with 1.28 billion. China suffered just 12, but the median number of records exposed in those incidents ran to 10 million per breach and the total number of exposed records came to 332.5 million, the third-highest total in the world.
Inga Goddijn, executive vice president at Risk Based Security, said:
“It’s been an unusual year for breach activity. We’ve been monitoring breach events for more than a dozen years now and this is the first time we’ve observed a slow start to the year followed by a growing number of disclosures as the months pass. We suspect various factors including the allure of crypto mining had an impact on breach activity early in the year, but disclosures rebounded throughout the summer and into the last quarter.”
The security firm also noted that of 5,149 breaches with a confirmed discovery method, only 680 (13.2%) were discovered by the organization responsible for protecting the data. The average number of days between discovery and disclosure rose from 48.6 in 2017 to 49.6 last year. That additional delay surprised the researchers, who expected that the new GDPR reporting rules would shorten the time between discovery and public disclosure.
Facebook Inc. (NASDAQ: FB) logged two of 2018’s 10 breaches revealing the most records (117 million in total), although the largest worldwide breach was the exposure of some 1.1 billion records in India in a single incident. Under Armour Inc. (NYSE: UAA) exposed 150 million records of users of its MyFitnessPal app, and hotel and resort operator Marriott International Inc. (NYSE: MAR) discovered a leak of some 383 million loyalty program members’ records that had been occurring since 2014.
Email addresses were exposed in 61% of the breaches, more than any other data type, with passwords a close second at 57%. Social Security numbers were exposed in about 14% of the incidents and credit card numbers were revealed in about 12%.
The number of records exposed did come down about 36% compared to last year and while the number of breaches is still quite high, we did not see a repeat of widespread events like WannaCry and Petya/NotPetya. After year upon year of bad news, we’ll take improvement where it can be found.
The Risk Based Security report offers more details and information on last year’s data breaches. The report also contains a list of the 20 largest data breaches of all time.