While the number of data breaches that occurred in 2015 stayed nearly the same as from the year before, the number of personal records compromised in data breaches almost doubled to over 169 million, the highest total since 2009. Some of the largest breaches in 2015 were in the health care industry which often included social security numbers and enough information to commit new account fraud. There were over 5 million records compromised in breaches targeting the banking and financial industry, and hackers continued to target merchants and other organizations for email or user ID and password combinations.
The number of data breaches reported by the Identity Theft Resource Center (ITRC) increased each year from 2011 to 2014, before staying flat in 2015 at 781, just about the same number of data breaches as last year (783). The number of sensitive records compromised, however, which can include Social Security numbers, payment card numbers, email/user name/password combinations or Protected Health Information (PHI), nearly doubled from 85.6 million to 169.1 million.
About two-thirds of the breached records tallied by the ITRC result from health care data breaches, with the Anthem and multiple Blue Cross data breaches leading the way. The Anthem data breach was the first major one of the year; nearly 79 million records were compromised including Social Security numbers, names, addresses and emails. The Office of Civil Rights (OCR) reports there were over 250 healthcare data breaches impacting at least 500 individuals. Three breaches labeled as hacking/IT incidents hit Blue Cross affiliates (Premera, Excellus, and CareFirst) with 11 million, 10 million, and 1.1 million records compromised.
The industry sector that allowed the second most number of records compromised was government/military with over 34 million records exposed, about one-fifth of the annual total. The most notable of these data breaches targeted the U.S. Office of Personnel Management exposing 21.5 million records of current and former Federal government employees and contractors.
While the number of records compromised in data breaches reached its highest total since 2009, the type of records compromised and being targeted are very different compared to then. Much of the compromised records from 2009 included credit card and financial data, including 130 million records from the Heartland Payment Systems breach. Other notable breaches in years past include Home Depot and Target, which also led to millions of payment card numbers being exposed. Aside from healthcare data in 2015, many breaches targeted account access information like user names, emails and passwords. This includes 37 million records targeting the dating site Ashley Madison, while Amazon reset an unknown number of account passwords after fearing a potential compromise of these records.
Several factors likely contributed to this shift in data breach targets, including the value of stolen payment card information on the black market and the shrinking window fraudsters often have to monetize this information (as issuers become more efficient in shutting down or flagging cards implicated in breaches). According to a recent study by Trend Micro, full payment card details for credit cards issued in the United States sell for no more than 22 cents per card when purchased in bulk, and this is for premium “dumps” where a very high percentage of the cards included are active. This research also found that login credentials for accounts sell for quite a bit higher. More valuable information includes Netflix account credentials which sell for an average of 76 cents each, Google Voice accounts selling for 97 cents each, taken over Facebook accounts for selling for over $3 each, hijacked Uber accounts selling for $3.78 each, and PayPal accounts with a $500 balance or greater sell for $6.43.
These data breach trends have important implications for eCommerce merchants and other organizations. First, that any site, app or service that has proprietary account logins with a password can be targeted with data breach attacks to obtain email/user name and password combinations, even if there isn’t any other information behind the accounts deemed valuable. Second, is that merchants can expect to see continued increases in account takeover attempts. With the high availability of email/user ID and password combinations and tendency for consumers to reuse passwords, it is not enough for organizations to trust that a user is authorized to access an account just because they can provide the correct credentials.
For more information: