We periodically update this post with recent data breach statistics. Now that we’re into 2018, it’s time to look back at the largest data breaches of 2017.
We here at Revision Legal know that cyber-attacks are a constant threat. The number of data breaches is large and the number of customers affected is staggering. Data breaches are bad for business and can be even worse for customers. We monitor the research and news reports to periodically update this post with 2017 cyber-attack statistics. In this final installment, we look at the worst breaches in the fourth quarter of 2017. For 2017, the largest cyber-attack related to consumers in the United States was the Equifax data breach that affected more than 145 million customers.
Based on records tabulated and compiled by Hackmageddon.com, there were 868 reported 2017 security breaches and/or cyber-attacks. For the year, the worst months were August, October, and December with 90 each. January came in next at 89 reported cyber-attacks. The spring months saw a relative dip in attacks with those months averaging about 65 attacks.
We shouldn’t be surprised at the number of security breaches that occurred in 2017. Nor should we be surprised at how rapidly cybersecurity attack techniques evolve to affect more computers and devices than ever before. Hackers’ reaches will only keep expanding as time goes on.
Reflecting on Hacking Statistics From 2015 and 2016
Data from the two previous years clearly indicates a pattern in which cyber security breaches are occurring ever more frequently. In 2015, for instance, there were more than 177,866,236 personal records exposed via 780 data security breaches, according to the ITRC Data Breach Reports. In 2015, hacks occurred in every single state in the US, and the breakdown of the breached targets by type of entity is as follows:
- Businesses were the target of 40% of the security breaches (312 breaches).
- Medical and Healthcare entities made up 35.4% of data breach targets (276 breaches).
- Government or military targets made up 8.1% of cybersecurity breaches (63 breaches).
- Educational institutions accounted for 7.4% of data breaches (58 breaches).
In 2016, hackers not only logged a 38% uptick in their use of phishing-type security attacks, according to “Key findings from the Global State of Information Security® Survey 2017” by PricewaterhouseCoopers, but it also became well known that hackers were finding devices to target beyond computer systems and networks. Unsecured wireless medical devices, mobile devices, and even cloud architecture all came under attack in 2016. With security breaches arising on multiple fronts, companies, healthcare systems, governmental and educational entities, and individuals started to realize how real the threat of cyber security attacks was. In order to combat attacks, people began to increase their use of data security protection measures in 2016:
- 52% of individuals, businesses and entities use intrusion detection tools.
- 51% actively monitor and analyze security information for their vulnerable systems.
- 48% conduct vulnerability assessments.
- 47% utilize security information and event management tools.
- 47% regularly conduct cyber security threat assessments of their systems.
- 45% subscribe to a threat intelligence service.
- 44% engage in data system penetration testing.
2017 High-Profile Breaches
Cyber-attacks are happening in 2017 at double the rate of 2016. According to Hackmageddon.com, there are dozens of cyber-attacks each month, affecting the personal and user information of literally billions of internet users worldwide.
Below is a list of the biggest 2017 security breaches and hacks month-by-month from records tabulated and compiled by Hackmageddon.com.
January 2017 – 89 Cyber-attacks
Winner: The Big Asian Leak
1.85 billion customers were affected by these hacks. Technically, these hacks took place from October 2015 to the end of 2016. However, the data was first offered for sale on the dark web in January 2017 by the vendor “DoubleFlag.” DoubleFlag offered to sell account information hacked from the most popular Chinese websites including NetEase, Inc, 126.com, 163.com, Yeah.net, QQ.com, Tom.com, Sina.com/Sina.com.cn, Sohu.com and eYou.com. Listed for sale were names, addresses, usernames, passcodes, other personal information and some financial information for 1.85 billion customers — yes, billion. See report here.
The companies owning or running the websites have either denied they were hacked or have refused to comment.
Honorable Mention: DC Police Department
In late January, the District of Columbia Police reported that ransomware was in 70% of the storage devices that record data from D.C. police surveillance cameras eight days before inauguration day. As reported here, city officials announced that the ransomware incapacitated police cameras between January 12 and January 15 and affected 123 of 187 network video recorders for public spaces across the city. Law enforcement had to frantically reinstall software for all the cameras in the lead-up to the inauguration.
February 2017 – 76 Cyber-attacks
FunPlus, the company that makes a popular free-to-play mobile game called “Family Farm Seaside,” was hacked, compromising information on 3.3 million users. The hacker also stole product source code from the company. The hacker reportedly talked to reporters for Vice.com and said: “I decided I’m just gonna publish everything and let their investors see what a joke their security and s**t is.”
Runner-Up: Hitachi Payment Services
Hitachi Payment Services confirmed that, in mid-2016, malware hacked its servers and stole personal and financial data for 3.2 million customers in India including credit card information. This data breach was first reported in February 2017. The hack was particularly problematic because the malware securely deleted various tracing/tracking information making it impossible to know exactly what data was exfiltrated by the malware. The breach led to a massive downturn in credit card use and significant damage to revenues and profits.
March 2017 – 64 Cyber-attacks
Winner: Dun & Bradstreet.
According to a report, a 52GB database was stolen containing information on 33.7 million people. The data was arranged in searchable fields and contained specific details about each of the people involved, from job title to email address. According to the report, the employees in the database were from thousands of companies and government agencies, representing a large swath of the US corporate and government population. For example, the Department of Defense had over 100,000 employee records in the database, followed by the US Postal Service with over 88,000. AT&T, Boeing, Dell, FedEx, IBM, and Xerox were among the most named companies in the database, with tens of thousands of employee records each.
The database was used by marketers for targeted email promotions, so the data was not necessarily particularly personal in nature. But having the database stolen was a sizable financial loss to Dun & Bradstreet.
April 2017 – 85 Cyber-attacks
More than a million accounts were hacked and compromised from the servers of the online gaming company. Leaked data included usernames, passwords, email addresses, IP addresses, and other optional record fields, such as instant messenger IDs, birthdays, and Facebook related details. See report here.
May 2017 – 67 Cyber-attacks
Winner: WannaCry Ransomware
While not a data breach, no 2017 cyber-attack list would be complete without listing WannaCry. The ransomware infected computers and servers in 74 countries, hit millions of users across the world, and affected hospitals, businesses like FedEx, rail stations, universities, at least one national telco, and more. See report here.
June 2017 – 64 Cyber-attacks
According to reports, 8tracks, the most popular internet radio service provider, suffered a data breach which compromised 18 million user accounts. The data hacked included usernames, email addresses, and partially encrypted passwords. According to the owner of 8tracks, the only accounts compromised were accounts authenticated through GitHub without two-factor authentication activated. Reports indicate that 8tracks accounts authenticated via Google or Facebook authentication were not affected by the hack.
July 2017 – 69 Cyber-attacks
Winner: Reliance Jio
The largest breach of personal data ever in India happened when 120 million customers of Reliance Jio, one of India’s largest mobile phone carriers, had their personal data hacked. Among the data stolen were customer names, mobile numbers, email addresses, and the unique ID number of the phone. This information was then listed for sale. See report here.
Honorable Mention: HBO
Hackers obtained 1.5 terabytes of data from the computers of HBO. The hackers claimed to have released then-upcoming episodes of Ballers and Room 104. The hackers also claimed to have released a script from a then-upcoming episode of Game of Thrones. No ransom was demanded. See report here.
August 2017 – 90 Cyber-attacks Tabulated
Winner: Misconfigured Spambot
User data for 700 million web users on many different internet platforms worldwide was leaked. See report here. Essentially, a misconfigured spambot left an open door to anyone who knew or noticed that the door was there. It is unknown how many times the data was accessed. The leaked data consisted of email addresses, passwords, and lesser amounts of personal contact information associated with the email addresses.
September 2017 – 76 Cyber-attacks
143 million customers of the credit reporting service had their personal and financial information stolen. The hack occurred over several weeks in May and June 2017 and was disclosed in late July. Since the first reports, Equifax has reported an additional 2 million customers were affected by the hack. See here. The Equifax data breach has subjected Equifax to government investigation.
October 2017: 90 Cyber-attacks
Winner: Malaysian telcos and mobile virtual network operators — 46.2 million cellphone users
According to reports, computer systems for the largest Malaysian telephone companies and mobile network operators were hacked, revealing information for 46.2 million phone users. The information included phone numbers, names, and addresses for both paid and prepaid numbers, as well as SIM card information and the IMEI and IMSI numbers. See report here.
Honorable Mention: Disqus — 17.5 million users
In October 2017, Disqus, the internet’s largest provider of hosted posting comments for blogs and websites, announced they were the victim of a data breach in the summer of 2012. See report here. During the hack, an unknown attacker stole user account details including email addresses, usernames, sign-up dates, and last login dates in plain text and SHA-1 hashed passwords for about one-third of the service’s 17.5 million users. According to reports, Disqus took less than 24 hours to assess, confirm, and respond to the security breach – one of the best response times ever recorded. So “kudos” to Disqus and their cyber-attack response team.
November 2017: 84 Cyber-attacks
Winner: Uber Technologies — 57 million accounts
In October 2016, 57 million Uber drivers and customers had their personal details accessed by a hacker group. The hackers first gained access to a private software repository, then used those credentials to gain escalated access privileges to more sensitive information. As the stolen information included driver's license numbers, Uber was legally required to report the data breach. See here for a discussion of the Montana notification law. However, Uber’s security team took the unusual step of offering the hackers $100,000 to keep the story quiet. In November 2017, the story of the cyber-attack and payoff became known and was another public relations quagmire for the company. Bloomberg has the story here.
Honorable Mention: Google Play Store and Android App Users
Four separate reports surfaced in November of 2017 related to cyber-security for users of Android mobile apps that are normally downloaded from Google Play Store.
First, Google revealed the details of spyware dubbed “Tizi,” which infected just 1,300 devices. It infected at least one app available on Google’s Play Store. It was spyware for Android with extensive data-stealing capabilities. Google removed the relevant app from its Play Store immediately.
Second, the malware dubbed ToastAmigo was reportedly downloaded by more than 500,000 Android users. Once loaded, ToastAmigo is able to download other malware and engage in self-protection and self-hiding actions. See report here.
Third, it was announced that the Google Play Store had eight apps that contained malicious multi-stage malware called Android/TrojanDropper.Agent.BKY. In the final stage of the malware, fake screens are loaded in place of legitimate website screens, and the personal and payment information that users enter there is sent to the hackers. See here.
Finally, it was reported that at least 17.4 million Android users have downloaded a Trojan dubbed Grabos found in 144 separate mobile applications. Grabos increases the rate of “recommended apps” that are offered to the user. Many users enjoy that feature and end up downloading the recommended apps. The apps are real, so Grabos is not particularly malicious. But the Grabos creator apparently makes money when the recommended apps are downloaded.
December 2017: 90 Cyberattacks
Winner: PayPal and its newly acquired subsidiary TIO Networks — 1.6 million users
In July of 2017, PayPal acquired a company called TIO Networks, a publicly traded payment processor. In early December, PayPal suspended the operations of TIO after a review of TIO’s network identified a potential security breach of personally identifiable information for approximately 1.6 million customers. The TIO computer network had been kept segregated from PayPal’s, so no PayPal systems were compromised. This is a public relations downside for PayPal since the company never wants to see the word “PayPal” in the same headline as “data breach” and it appears there may have been a lapse in diligence before the acquisition. Finally, this is a good lesson on how to prevent a data breach from spreading throughout a system: quarantine new systems until they are fully vetted.
Honorable Mention: Nissan Canada Financing — 1.1 million customers
At the end of 2017, on December 22nd, Nissan Canada announced that its computer systems were compromised on the 11th, with “unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance or Infiniti Financial Services Canada.” See report here.
The public admission revealed that 1.13 million customers were affected. The exposed data includes at least customer names, addresses, vehicle makes and models, vehicle identification numbers (VINs), credit scores, loan amounts and monthly payment figures but, reportedly, did NOT include personal banking information, such as card numbers. In response, Nissan Canada offered 12 months of free credit monitoring to its customers.
Take Steps to Protect Your Business From Cyber Security Breaches
Most data security breaches are the result of an oversight somewhere in the system. Companies large and small are being hacked due to vulnerabilities in their computer systems that are identified and exploited by hackers. Companies need to follow cyber security best practices to protect themselves and their customers’ personal information. They need to give cyber security the time and resources necessary to rebuff cyber attacks and to neutralize cyber threats or face growing liability and higher fines.
Since the area of cyber-security is constantly changing and evolving, cyber-security needs to be regularly evaluated to determine whether particular defensive measures are effectively addressing threats and risks. Only through diligent and consistent efforts can businesses rise to the challenge posed by hackers invading their computer systems.
Contact Revision Legal
Cyber security breaches are a real threat, whether it is to your business, the institution that you work for, or to your own personal computer system and devices. When you are hacked, or information that was entrusted to you was potentially accessed in a data security breach, you must act quickly to understand your rights and obligations concerning notification of potential victims. You should retain the assistance of an experienced cyber security attorney like the professionals at Revision Legal. Contact us today using the form on this page or by calling us at 855-473-8474.
Photo Credit to Flickr user Jim Kaskade.
Editor’s note: this was originally published in December 2016 and updated in October 2017. It was updated again in March 2018 for clarity and comprehensiveness.