The news recently erupted with the story of the Equifax breach. Hackers compromised 143 million records, sensitive data which included people’s Social Security numbers and payment card data.
Although the Equifax incident is certainly nothing to flippantly dismiss, data breach events of this magnitude are becoming increasingly rare.
So far, Equifax is the largest data breach incident of 2017, and runner up is Edmodo, a social educational platform used in schools, from which hackers stole 77 million user accounts. Only 11 data breach incidents broke 1 million compromised records this year, and only four included personally identifiable information (PII), while three compromised payment card information.
These large data breach events occur once every few months, and even then, some of them don’t receive coverage beyond regional news sources. Some data breaches which compromise PII don’t make it into the news at all, and I think those small events—which occur on a daily basis, by the way—are just as dangerous as the infrequent “mega breaches.”
Tracking the range of breaches
For the past three years I have kept track of data breach events by gathering information from sources such as Privacy Rights Clearinghouse and Identity Theft Resource Center. I place each occurrence into a spreadsheet and categorize them by name, date, type of breach (hack, ransomware, phishing, etc.), information stolen, and number of records compromised, as well as the origin of the attack, if I can find it.
So far, 2017 has seen 734 separate cybercrimes, 490 of which have resulted in the theft of PII, like Equifax.
In those 490 PII breaches, well over 155 million records were stolen. Equifax’s debacle accounted for 143 million by itself, of course, so perhaps that total doesn’t seem like an overly alarming number.
Would it make a difference if I told you that 327 of those 490 breached entities didn’t even know how many people were affected in their incidents?
The breached entities include tax preparation firms, dentists’ offices, hospitals, private practice physicians’ offices, schools, restaurants, retailers, financial institutions, and even the government computers of small communities.
They were hacked, fell for a phishing scam, or had their files held for ransom. Often, these incidents never made the evening news. Victims may have received a letter, and the incident was reported to the required authorities, but nothing more.
There is no way to know exactly how many records were compromised in these small incidents. It could be a relatively insignificant, or a shockingly exorbitant number. Either way, these data breach events should not be ignored. People typically become more vigilant immediately following mega breaches, but in reality, sensitive information is stolen nearly every single day.
Fortunately, financial institutions are still among the least impacted business types, but the number of data breach events is rising. In 2017, there were 43 separate data breach events involving financial intuitions, compared to 34 in 2016, 20 in 2015, and 20 in 2014. Financial institutions were hacked, fell for phishing scams, or had criminals steal data by installing skimming devices on their ATMs.
“Small” puts you in criminals’ cross-hairs
As large companies with millions of records tighten their security measures to avoid making national headlines, cyber criminals will turn to smaller organizations.
A rising trend is the use of phishing scams. In 2017, there were 240 phishing scam events, compared to 145 in 2016 and 16 in 2015. They’re easy to launch, simple, and criminals love to use them on small companies. It doesn’t matter how tight your cybersecurity is, if a single employee mistakes a phisher’s fraudulent email for an urgent order from their CEO and sends PII records such as tax documents or employee files, you’re breached.
The mega breaches are frightening and provide that momentary surge of adrenaline some organizations require in order to tighten their cybersecurity, but companies a quarter of the size of Equifax become victims of hackers nearly every day.
Pay attention. The HR Director at the paper supply company down the street from your bank fell for a phishing scam yesterday, and hundreds of your customers are at risk for identity theft while you’re just calming down after the Equifax scare.
- Third-Party Risk Management “Essential” As More Banks Partner with FinTechs
- FDIC “Missed Opportunities” in First Republic Bank Supervision
- OCC Extends Deadline for Comments for Long-Term Debt Rule
- How Financial Institutions Can Address Their Top Cybersecurity Challenges
- Rising Credit Card Debt Increasing Financial Pressure