A survey from Risk Based Security revealed that the number of records exposed in 2020 has increased to 36 billion globally. The survey, “2020 Q3 Data Breach QuickView Report,” stated that there were 2,953 publicly reported breaches in the first three quarters of 2020, a 51% decrease compared to the same period in 2019. The most exposed data types in the year included names and access credentials in the form of email addresses and passwords. Most data breaches occurred due to hacking, with 77.5% of events originating outside of the victim organization, 17% of breaches originating within the organization, and 67% due to errors.
- Two breaches in Q3 exposed over 1 billion records each and four breaches exposed over 100 million records. Together these six breaches accounted for approximately 8 billion exposed records, or 22.3% of the records exposed through the end of Q3.
- 2020 was already named the “worst year on record” by the end of Q2 in terms of the total number of records exposed. The three months of Q3 added an additional 8.3 billion records to the count, bringing the number of records exposed through the end of September to a staggering 36 billion.
- Malicious actors continue to be the driving force behind the number of breaches occurring, while misconfigured databases and services remain the leading cause behind the number of records exposed.
- In the first three quarters of 2020, 21% of reported breaches involved the use of ransomware. These ransomware-related events contributed to the unusually high number of unknown (11.2%) and miscellaneous (10.4%) data types exposed.
- Following well-established trends, the health care sector had the most reported breaches, accounting for 11.5% of the events that could be attributed to a specific economic sector.
Inga Goddijn, Executive Vice President, Risk Based Security, said, “Breach disclosures continue to be well below the high-water mark established just last year despite other research indicating the number of attacks is on the rise. While many of these attacks are now clearly breach events, the nature of the data compromised can give some victim organizations a reprieve from reporting the incident to regulators and the public. After all, while the compromised data may be sensitive to the target organization, unless it contains a sufficient amount of personal data to trigger a notification obligation the event can go unreported.”