Data Breach Intelligence. Copyright © 2019 Risk Based Security, Inc. All rights reserved.
2019 MidYear QuickView Data Breach Report
Issued August, 2019
Data as of July, 2019
Key Findings
This report covers the data breaches captured by Risk Based Security
during the first six months of 2019. The information collected is
displayed in a sampling of charts depicting various groupings,
classifications, insights, and comparisons of the data from midyear.

3,813 breaches were reported through June 30, exposing over 4.1
billion records.

Compared to midyear of 2018, the number of reported breaches was
up 54% and the number of exposed records was up 52%.

Of the breached organizations that could be definitively classified, the
Business sector accounted for 67% of reported breaches, followed by
Medical (14%), Government (12%) and Education (7%). This continues
the trend observed in the Q1 2019 report.

In Q1, three breaches were reported as exposing over 100 million
records. In Q2 another five breaches were reported as exposing 100
million records or more. Collectively, these eight breaches exposed
over 3.2 billion records or 78.6% of the total records exposed through
June 30.

The Business sector accounted for 84.6% of the records exposed
followed by Unclassified at 14.8% and Medical at 0.3%. The
Government and Education sectors combined accounted for 12.9
million records exposed through the midyear point.

Web remains the number one breach type for number of records
exposed, accounting for 79% of compromised records, while Hacking
remains the number one breach type for number of incidents,
accounting for 82% of reported breaches.

Email addresses and passwords remain prized targets, with email
addresses exposed in approximately 70% of reported breaches and
passwords exposed in approximately 65% of reported breaches.

Executive Vice President
Inga found her way to information security after
working for twenty years in the insurance industry.
During her time managing a multi-million dollar
portfolio of technology and cyber insurance
coverages, Inga witnessed first-hand the impact of
ineffective security program management and the
financial fallout from data breach events.
Recognizing the need for both better data and
better processes for managing security risk, Inga
joined Risk Based Security in 2013 where she is
responsible for Cyber Risk Analytics® and
YourCISO®.
As a strong advocate for sharing knowledge, Inga
has presented at a variety of industry forums and
has led many continuing education sessions
throughout the U.S. She currently holds a CIPP/US
designation.
Table of Contents
What Did Breaches Look Like So Far in 2019?
How Bad Have Breaches Been?
How Do Breaches Happen?
A Note on Third Parties
Who Has Been Affected By These Breaches?
Closing Thoughts
Top 10 Breaches in the First Six Months
Top 10 Breaches of All Time
Methodology and Terms
What Did Breaches Look Like So Far in 2019?
The breach trends observed in the first quarter continued and remained strong as we moved through the
midway point of the year. The disclosure rate for publicly reported breaches continued its breakneck pace,
jumping to over 3,800 breaches in the first six months. This represents a 50% or more increase over each of the
prior four years, begging the question: why?
The interest in user credentials is the key. Troves of username and password combinations continue to become
available on forums and file sharing sites while phishing for access credentials - a perennially popular method
for gaining access to systems and services - has surged in recent months, proving once again that tried and true
social engineering techniques still produce results for attackers.
The breach at Bodybuilding.com is a prime example of this trend. In July of last year, malicious actors gained
access to the company’s systems thanks to a successful phishing email. Hackers were able to move about the
system for approximately eight months, potentially accessing data ranging from customers’ names and
addresses to profile details and order history.
Incidents like the breach at Bodybuilding.com also explain why the Miscellaneous data type is growing. Should
something like order history and customers’ interests be captured in the profile of a breach event? We think so.
While not as sensitive as banking details or Social Security numbers, the data can be especially useful for
creating targeted phishing campaigns - so much so that organizations are beginning to warn users of the risk.
Bodybuilding.com did exactly this, stating in their FAQs to customers:
“Please note that the email from Bodybuilding.com does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by Bodybuilding.com and may be an attempt to steal your personal data.”
Despite the surge of social engineering, hacking still remains the number one breach type. Its prominence can
be linked to the growing number of vulnerabilities being reported in the cybersecurity landscape. This topic will
be further touched upon in Risk Based Security’s upcoming VulnDB® MidYear QuickView Report.
Read on to learn more about the breach trends and statistics unfolding in 2019.
Between 2015 and 2018, the variation in the number of reported breaches was less than 200 incidents. For the
first six months of 2019, the number of breaches increased by 54% compared to the same time last year. The
reason? Over 1,300 data leaks, mostly exposing email addresses and passwords, were documented in the first
half of 2019. Although these tend to be relatively small events, averaging fewer than 230 records exposed per
incident, these leaks have contributed substantially to the number of access credentials freely available on the
Internet.
Tactics, Techniques and Procedures evolve over time but the end results have remained consistent.
Unauthorized access of systems or services (Hacking), skimmers, and exposure of sensitive data on the
Internet (Web) have been the top three breach types since January of 2018. Likewise, insider actions, both
malicious and accidental, have driven the number of records exposed, with Web and Fraud accounting for over
6.7 billion records exposed over the last 18 months.
Figure 1: The number of breaches added by Q2 in the past 8 years.
Figure 2: The number of known records exposed (in millions) by Q2 in the past 8 years.
Figure 3: The number of breaches added for the top five breach types.
Figure 4: The number of records exposed (in millions) for the top five breach types.
How Bad Have Breaches Been?
Impact - much like beauty - is in the eye of the beholder. Ask anyone that has had their identity stolen how
impactful a breach has been and you’re likely to hear a story replete with heartache and countless hours lost to
repairing the mess. For the organizations suffering the breach, the experience can be very much the same.
Customers may shrug off the inconvenience of a password reset or services being temporarily unavailable
thanks to a ransomware event, but these situations can cost organizations dearly in terms of lost productivity,
dollars spent on investigation and remediation, and loss of customer loyalty.
While singular experiences will vary greatly from one situation to the next, aggregating data across the
spectrum of breaches reported in the first six months of the year is revealing. On the whole, the majority of
breaches reported this year had a moderate to low severity score and exposed 10,000 or fewer records. Still,
severity increased by half a point (out of ten) between Q1 and Q2, as can be seen in Figure 5.

Figure 5: Severity distribution of breaches in Q1 and Q2.

Table 1: Number of breaches per range of records exposed.
Records Exposed | Number of Breaches
Unknown | 780
1 to 9 | 45
10 to 99 | 1318
100 to 999 | 1216
1,000 to 9,999 | 325
10,000 to 99,999 | 114
100,000 to 999,999 | 51
1,000,000 to 9,999,999 | 52
10,000,000 or above | 33

Impact can also be assessed in terms of the type of data exposed. Access credentials such as email addresses
and passwords are valuable for use in future attacks, but can also be easily changed, unlike date of birth or
Social Security numbers. Despite this, the focus on obtaining email addresses and passwords is clear from the
analysis below.

Figure 6: The percentage of breaches that exposed a particular data type.

Table 2: Percentage of data types exposed through the midyear point.
Type | 2019 | 2018 | 2017
Email | 70% | 44% | 32%
Password | 64% | 39% | 27%
Name | 23% | 37% | 41%
Misc. | 18% | 19% | 15%
SSN | 11% | 22% | 27%
Credit Card | 11% | 16% | 19%
Address | 11% | 22% | 30%
Account | 10% | 7% | 4%
Unknown | 8% | 13% | 18%
Date of Birth | 8% | 13% | 12%
Medical | 5% | 9% | 7%
Financial | 5% | 13% | 19%
How Do Breaches Happen?
“Never interrupt your enemy when he is making a mistake.” - Napoleon Bonaparte
Quarter after quarter the pattern repeats itself. The vast majority of incidents are attributable to malicious
actors outside of the organization, yet more and more sensitive data is exposed when insiders fail to properly
handle or secure the information. Case in point, misconfigured databases and services - 149 of the 3,813
incidents reported this year - exposed over 3.2 billion records.
Attackers have taken notice. The practice of targeting open, unsecured databases to either steal data or hold it
for ransom has ebbed and flowed over the past 2 years. Most recently, in May, independent security researcher
Sanyam Jain identified a new campaign by a group dubbed Unistellar. The group has been credited with wiping
the contents of more than 12,500 unprotected MongoDB databases, leaving behind nothing more than a brief
note with contact information for restoration.
Figure 7: Distribution of the attack vector, broken down by the type/motivation of attack. (Chart labels: Outside: 89%; Inside: 8%; Unknown: 1%; Accidental (Inside): 58%; Unknown (Inside): 14%; Malicious (Inside): 12%; Unknown: 15%.)
A Note on Third Parties
In the first 6 months of the year, 137 breaches exposed sensitive data belonging to third parties. While some of
these events were relatively mundane, others had far-reaching implications. Perhaps none was worse than the
compromise at American Medical Collection Agency (AMCA).
Initially reported as a breach at Quest Diagnostics, it quickly became clear the breach actually occurred at AMCA.
Founded in 1977, and specializing in collections for medical labs, AMCA served some of the biggest names in
the industry.
Around August 1, 2018, only three years after AMCA converted
from an IBM mainframe system running COBOL, hackers
infiltrated AMCA’s network and pilfered over 22 million debtors’
records including data such as names, addresses, dates of birth,
Social Security numbers and financial details.
The fallout has been substantial. Clients severed their relationship
with AMCA, consumer lawsuits were filed within days of the initial
breach disclosure and most devastating of all, AMCA was forced
into filing for bankruptcy protection a mere 2 weeks after news of
the breach made headlines.
A closer look at breaches impacting third parties, and their data,
shows a striking difference compared to all breaches in Q2. Email
addresses and passwords fall toward the bottom of the data
types compromised while names, addresses, Social Security
numbers and dates of birth climb to the top of the chart. Not only
can these breaches be more difficult to manage given the multiple
parties involved, they can also have more damaging
consequences for the individuals whose data is exposed in the
event.
Figure 8: The number of third-party breaches added by Q2 in the past 8 years.
Figure 9: The number of known third-party records exposed by Q2 in the past 8 years.
Figure 10: The percentage of third-party breaches that exposed a particular data type.
Who Has Been Affected By These Breaches?
No place is “safe” from a breach, but some countries and certain
industries are more proactive when it comes to breach disclosure
than others.
Reporting of breach events is largely
driven by a statutory obligation to do
so. Where these laws do not exist,
breaches can be swept under the rug.
Figure 11: The number of breaches by location.
Figure 12: The number of breaches affecting each business type and sub-type.
Closing Thoughts
Figure 14 highlights that US states, no matter the number of
breaches, generally didn’t expose many records by midyear 2019.
The only exception to this was California. While it had a similar
number of breach events as Florida, its breaches exposed about a
billion more records in total. It should come as no surprise that two-thirds
of breaches that occurred in California, a more technological
state than Florida, are due to hacking. This likely accounts for the
greater loss of records compared to Florida, whose incidents were
largely the result of skimming.
A better equivalence exists between Florida and Texas, as both
states have been a haven for skimmers this year. Texas, with its long
distances between metro areas, saw 91% of the skimming incidents
reported in the state occurring due to devices installed on gas
pumps. Skimming was the top breach type in Florida but the state
did see a bit more diversity, with 75% of those incidents taking place
at gas pumps and the remainder discovered on ATMs.
Looking over the first six months of the year it is difficult to find much to inspire an optimistic outlook. The number
of breaches is up and the number of records exposed remains stubbornly high. What is clear is that despite the
awareness of the issue among business leaders and the best efforts of defenders, data breaches continue to take
place at an alarming rate.
As we put the finishing touches on this MidYear report,
2019 surpassed the total number of breaches
reported in 2016. Once again, we are on track for
another “worst year on record” for breach activity.
Figure 13: The number of breaches affecting each economic sector.
Figure 14: The number of breaches vs records exposed (in billions), per US state.
Top 10 Breaches in the First Six Months
Organization | Reported | Severity | Records Exposed | Data Type | Breach Type | Inside / Outside | Location

Verifications.io | 3/7/19 | 10 | 982,864,972 | ADD / DOB / EMA / FIN / MISC / NAA / NUM / PWD | Web | Inside- Accident | Estonia
982,864,972 names, addresses, email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, personal mortgage amounts, and FTP server credentials exposed on the Internet due to a misconfigured database

First American Financial Corporation | 5/24/19 | 10 | 885,000,000 | ADD / EMA / FIN / MISC / NAA / NUM / SSN | Web | Inside- Accident | United States
Approximately 885,000,000 real estate closing transaction records containing names, Social Security numbers, phone numbers, email and physical addresses, driver’s license images, banking details, and mortgage lender names and loan numbers exposed on the Internet due to IDOR flaw

Cultura Colectiva | 4/3/19 | 10 | 540,000,000 | ACC / MISC | Web | Inside- Accident | Mexico
Facebook user IDs, account names, comments, and likes exposed on the Internet due to a misconfigured database

Unknown Organization | 5/1/19 | 9.51893 | 275,265,298 | DOB / EMA / FIN / MISC / NAA / NUM | Web | Inside- Accident | India
275,265,298 Indian citizens' names, email addresses, genders, dates of birth, phone numbers, education details, and employment details such as salaries, professional skills, and employer history held in publicly indexed MongoDB instance taken by Unistellar hacking group

Unknown Organization | 1/10/19 | 9.3861 | 202,730,434 | ADD / DOB / EMA / MISC / NAA / NUM | Web | Inside- Accident | China
202,730,434 job applicant names, addresses, dates of birth, phone numbers, email addresses, marriage statuses, driver’s license numbers, professional experiences, and job expectations exposed on the Internet due to a misconfigured database

Dubsmash, Inc. | 2/12/19 | 9.81036 | 161,549,210 | EMA / MISC / NAA / PWD / USR | Hack | Outside | United States
161,549,210 users' names, IDs, email addresses, usernames, SHA256-hashed passwords, languages, and countries stolen by hackers and later offered for sale

Canva | 5/24/19 | 9.74508 | 139,000,000 | EMA / MISC / NAA / NUM / USR | Hack | Outside | Australia
139,000,000 customer names, usernames, email addresses, bcrypt hashed passwords, and location information stolen by hackers through undisclosed means

Justdial | 4/17/19 | 9.07918 | 100,000,000 | ADD / DOB / EMA / MISC / NAA / NUM | Web | Inside- Accident | India
100,000,000 users' names, addresses, email addresses, phone numbers, dates of birth, genders, photos, occupations, and company names exposed online due to a publicly accessible API endpoint

ApexSMS Inc. dba Mobile Drip | 5/9/19 | 8.68154 | 80,055,125 | ADD / EMA / MISC / NAA / NUM | Web | Inside- Accident | United States
80,055,125 records containing MD5 hashed email addresses, full names, partial physical addresses, IP addresses, phone numbers, cellular network providers and line types held in a misconfigured database

Unknown Organization | 4/29/19 | 8.98227 | 80,000,000 | ADD / DOB / FIN / MISC / NAA | Web | Inside- Accident | United States
80,000,000 names, addresses, ages, dates of birth, genders, incomes, marital statuses, homeowner statuses, and dwelling types exposed on the Internet due to a misconfigured database
Top 10 Breaches of All Time
Organization | Reported | Severity | Records Exposed | Data Type | Breach Type | Inside / Outside | Location

Altaba, Inc (formerly known as Yahoo) | 12/14/16 | 10 | 3,000,000,000 | DOB / EMA / MISC / NAA / NUM / PWD | Hack | Outside | United States
3,000,000,000 customer names, email addresses, phone numbers, dates of birth, and MD5 hashed passwords, as well as an unknown number of security questions and answers stolen by hackers using stolen proprietary code

DU Group dba DU Caller | 5/13/17 | 10 | 2,000,000,000 | ADD / NAA / NUM | Web | Inside | China
2,000,000,000 user phone numbers, names, and addresses inappropriately made accessible to others through an uncensored public directory

River City Media, LLC (RCM) | 3/3/17 | 10 | 1,374,159,612 | ADD / EMA / FIN / MISC / NAA | Web | Inside- Accident | United States
1,374,159,612 names, addresses, IP addresses, and email addresses, as well as an undisclosed number of financial documents, chat logs, and backups exposed by faulty Rsync backup

NetEase, Inc. dba 163.com | 1/25/17 | 10 | 1,221,893,767 | EMA / PWD | Hack | Outside | China
1,221,893,767 email addresses and passwords stolen by hackers and sold on the Dark Web by DoubleFlag

Unknown Organization | 1/3/18 | 10 | 1,190,000,000 | ADD / EMA / MISC / NAA / NUM / SSN | Fraud SE | Unknown | India
1,190,000,000 names, Aadhaar numbers, addresses, phone numbers, email addresses, postal codes, and photographs of Indian citizens made available to unauthorized users, most likely by former village-level enterprise (VLE) operators selling access to the Aadhaar database

Verifications.io | 3/7/19 | 10 | 982,864,972 | ADD / DOB / EMA / FIN / MISC / NAA / NUM / PWD | Web | Inside- Accident | Estonia
982,864,972 names, addresses, email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, personal mortgage amounts, and FTP server credentials exposed on the Internet due to a misconfigured database

First American Financial Corporation | 5/24/19 | 10 | 885,000,000 | ADD / EMA / FIN / MISC / NAA / NUM / SSN | Web | Inside- Accident | United States
Approximately 885,000,000 real estate closing transaction records containing names, Social Security numbers, phone numbers, email and physical addresses, driver’s license images, banking details, and mortgage lender names and loan numbers exposed on the Internet due to IDOR flaw

Unknown Organization | 8/29/17 | 9.63002 | 711,000,000 | EMA / MISC / PWD | Web | Inside- Accident | Netherlands
711,000,000 email addresses, passwords, and SMTP credentials exposed on the Internet due to a misconfigured spambot database

Cultura Colectiva | 4/3/19 | 10 | 540,000,000 | ACC / MISC | Web | Inside- Accident | Mexico
540,000,000 Facebook user IDs, account names, comments, and likes exposed on the Internet due to a misconfigured database

Altaba, Inc (formerly known as Yahoo) | 9/22/16 | 10 | 500,000,000 | DOB / EMA / MISC / NAA / NUM / PWD | Hack | Outside | United States
500,000,000 user names, email addresses, phone numbers, dates of birth, bcrypt hashed passwords and some security questions and associated answers compromised by hackers

Three breaches reported this year have made the list of the ten largest breaches of all time.
Methodology and Terms
Risk Based Security’s research methods include automated processes coupled with traditional human research
and analysis. Our proprietary applications crawl the Internet 24x7 to capture and aggregate potential data
breaches for our researchers to analyze. In addition, the research team manually verifies news feeds, blogs,
and other sources looking for new data breaches as well as new information on previously disclosed incidents.
The database also includes information obtained through Freedom of Information Act (FOIA) requests, seeking
breach notification documentation from various state and federal agencies in the United States. The research
team extends our heartfelt thanks to the individuals and agencies that assist with fulfilling our requests for
information.
Data Standards and the Use of “Unknown”
In order for any data point to be associated with a breach entry, Risk Based Security requires a high degree of
confidence in the accuracy of the information reported as well as the ability to reference a public source for the
information. In short, the research team does not guess at the facts. For this reason the term “Unknown” is
used when the item cannot be verified in accordance with our data validation requirements. This can occur
when the breached organization cannot be identified but leaked data is confirmed to be valid or when the
breached organization is unwilling or unable to provide sufficient clarity to the data point.
Data Type Definitions
Abbreviation | Description
CCN | Credit Card Numbers
SSN | Social Security Numbers (or Non-US Equivalent)
NAA | Names
EMA | Email Addresses
MISC | Miscellaneous
MED | Medical
ACC | Account Information
DOB | Date of Birth
FIN | Financial Information
UNK | Unknown / Undisclosed
PWD | Passwords
ADD | Addresses
USR | User Name
NUM | Phone Number
IP | Intellectual Property
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Vulnerability Intelligence, Vendor Risk
Ratings, and Data Breaches. Our products, Cyber Risk Analytics (CRA), VulnDB and YourCISO, provide
organizations access to the most comprehensive threat intelligence knowledge bases available, including
advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the
right actions in a timely manner.
For more information, visit www.riskbasedsecurity.com or call +1 855-RBS-RISK.
About Cyber Risk Analytics
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data
breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact
them and their vendor base. In addition, our PreBreach® vendor risk rating, the result of a deep view into the
metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the
likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor
management programs, cyber insurance processes and risk management tools allows organizations to avoid
costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately
to proactively protect their most critical information assets.
For more information, or to request a demo, visit www.cyberriskanalytics.com.
No Warranty
Risk Based Security, Inc. makes this report available on an “As-is” basis and offers no warranty as to its accuracy,
completeness or that it includes all the latest data breaches. The information contained in this report is general
in nature and should not be used to address specific security issues. Opinions and conclusions presented
reflect judgment at the time of publication and are subject to change without notice. Any use of the information
contained in this report is solely at the risk of the user. Risk Based Security, Inc. assumes no responsibility for
errors, omissions, or damages resulting from the use of or reliance on the information herein. If you have
specific security concerns please contact Risk Based Security, Inc. for more detailed data loss analysis and
security consulting services.