1.4 billion data records compromised in 2016 - what will 2017 bring?
1.4 billion data records compromised in 2016 - what will 2017 bring?

Gemalto has released the findings of its 2016 Breach Level Index revealing that 1,792 publicly disclosed data breaches led to almost 1.4 billion data records being compromised worldwide during 2016, an increase of 86 percent compared to 2015.

Identity theft was the leading type of data breach in 2016, accounting for 59 percent of all data breaches. In addition, 52 percent of the data breaches in 2016 did not disclose the number of compromised records at the time they were reported.

The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used and whether the data was encrypted.

Gemalto assigned a severity score to each breach in the Index, ranging from one to 10, with one meaning the breach had a small impact on the victims and 10 indicating a breach with significant ramifications.

According to the Breach Level Index, more than seven billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. Breaking it down that is over 3 million records compromised every day or roughly 44 records every second.

Last year, the attack on Adult Friend Finder exposed 400 million records and scored a 10 on the Breach Level Index. Other notable breaches in 2016 included Fling (BLI score: 9.8), Philippines' Commission on Elections (COMELEC) (BLI: 9.8), 17 Media (BLI: 9.7) and Dailymotion (BLI: 9.6).

In fact, the top 10 breaches in terms of severity accounted for over half of all compromised records. In 2016, Yahoo! reported two major data breaches involving 1.5 billion user accounts, but are not accounted for in the BLI's 2016 numbers since they occurred in 2013 and 2014.

“The Breach Level Index highlights four major cyber-criminal trends over the past year,” said Jason Hart, vice president and chief technology officer for Data Protection at Gemalto. “Hackers are casting a wider net and are using easily-attainable account and identity information as a starting point for high value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organisations to infiltrating large data bases such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then hold it for ransom and decrypting once they are paid.”

Data breaches by type

In 2016, identity theft was the leading type of data breach, accounting for 59 percent of all data breaches, up by five percent from 2015. The second most prevalent type of breach in 2016 is account access based breaches. While the incidence of this type of data breach decreased by three percent, it made up 54  percent of all breached records, which is an increase of 336 percent from the previous year.

This highlights the cyber-criminal trend from financial information attacks to bigger databases with large volumes of personally identifiable information. Another notable data point is the nuisance category with an increase of 102 percent accounting for 18 percent of all breached records, up 1474 percent since 2015.

Malicious outsiders were the leading source of data breaches, accounting for 68 percent of breaches, up from 13 percent in 2015. The number of records breached in malicious outsider attacks increased by 286 percent from 2015. Hacktivist data breaches also increased in 2016 by 31 percent, but only account for three percent of all breaches that occurred last year.

Data breaches by industry

Across industries, the technology sector had the largest increase in data breaches in 2016. Breaches rose 55 percent, but only accounted for 11 percent of all breaches last year. Almost 80 percent of the breaches in this sector were account access and identity theft related. They also represented 28 percent of compromised records in 2016, an increase of 278 percent from 2015.

The healthcare industry accounted for 28 percent of data breaches, rising 11 percent compared to 2015. However, the number of compromised data records in healthcare decreased by 75 percent since 2015. Education saw a fivepercent decrease in data breaches between 2015 and 2016 and a drop of 78 percent in compromised data records.

Government accounted for 15 percent of all data breaches in 2016. However the number of compromised data records increased 27 percent from 2015. Financial services companies accounted for 12 percent of all data breaches, a 23 percent decline compared to the previous year.

All industries listed in the ‘other' category represented 13 percent of data breaches and 36 percent of compromised data records. In this category, the overall number of data breaches decreased by 29 percent, while the number of compromised records jumped by 300 percent since 2015. Social media and entertainment industry related data breaches made up the majority.

Last year 4.2 percent of the total number of breach incidents involved data that had been encrypted in part or in full, compared to four percent in 2015. In some of these instances, the password was encrypted, but other information was left unencrypted. However of the almost 1.4 billion records compromised, lost or stolen in 2016, only six percent were encrypted partially or in full (compared to two percent in 2015).

Joe Pindar, director of product strategy and CTO at Gemalto, said: “The fact that the number of records stolen last year has increased despite a fall in the number of actual breaches highlights how hackers are becoming more efficient in how they retrieve and obtain critical data. With the upcoming introduction of GDPR set to make the reporting of breaches mandatory, these results should be a wakeup call to UK businesses to get their houses in order before the regulation kicks in and they are forced to reveal incidents that have occurred.

“UK businesses have just over a year to show they are putting the right protections in place, otherwise they face potential fines and loss of customer trust. While the UK's numbers seem small in comparison to the US, if businesses don't act now, they could find themselves closing that gap rapidly.”