Cyber crooks stole nearly three billion records containing consumers’ personally identifiable information (PII) in some 350 breaches last year that cost U.S. organizations a whopping $654 billion, a new report said.
What are the bad guys after? The types of data exposed in every breach range from date of birth/social security number (22% of all attacks) to name and physical address (20%), personal health information (18%) and banking information (12%), according to data compiled by ForgeRock, a privately-held, San Francisco-based identity and access management provider, in its new U.S. Consumer Data Breach Report.
The main door inside for the cyber thieves is by unauthorized access (34% of all attacks), followed by ransomware and malware (17%), mis-configuration (16%) and phishing (13%), the report said.
Key findings:
- $114 billion invested by enterprises in information security products and services in 2018 for a 12.4% increase from 2017.
- Almost half (48%) of all consumer data breaches hit the healthcare sector, four times as many in any other sector.
- Financial services and government were the second and third most victimized industries, collectively comprising 20% of all breaches.
- Although there were fewer financial sector breaches reported in Q1 2019 as compared to the year prior, the number of records impacted by these breaches grew by 78,900%.
- PII was the leading type of data breach in 2018, in aggregate comprising 97% of all breaches.
- Date of birth and/or social security numbers were the most frequently compromised type of PII in 2018, with 54% of breaches exposing this data.
- Name and physical address (49%) and personal health information (46%) were the second and third most commonly compromised type of PII in 2018.
To produce data for the study, ForgeRock evaluated U.S. electronic consumer data breaches reported between January 1, 2018 and March 31, 2019. Only breaches with a known number of consumers or records were incorporated in the report.
The long-term effects of data breaches, such as loss to reputation, reduced customer loyalty and other soft costs are hard to estimate, but should not be ignored, the company cautioned.
“It’s clear from our research findings that consumer data is valuable and highly sought after by cybercriminals as well as very difficult for organizations to protect,” said Eve Maler, ForgeRock’s vice president of innovation and emerging technology. “Organizations can protect consumer data by implementing a strong customer identity management program. Every industry has incentives to avoid brand damage and costly breaches, and so organizations must use modern techniques of identity and access management to secure their infrastructure, from servers in the data center to client applications and smart devices at the edge.”
Morningstar, Vodafone, GEICO, TomTom and Pearson are users of ForgeRock’s flagship Identity Platform. In addition, buyers include the governments of Norway, New Zealand, and Belgium. The nine-year old company has raised $140 million in four funding rounds. Venture capital backs include Accel Partners, Foundation Capital, Meritech Capital and KKR.
