We periodically update this post with recent data breach statistics. Now that we’re into the final quarter of 2017, it’s time to look back at the largest data breaches of 2017.
We shouldn’t be surprised at the number of security breaches that have already happened in 2017, looking back at the hacking statistics from 2015 and 2016. Nor should we be surprised about how rapidly cybersecurity attackers are evolving their techniques to affect more computers and devices than ever before. Hackers’ reaches will only keep expanding as time goes on.
Reflecting on Hacking Statistics From 2015 and 2016
Data from the two previous years clearly indicates a pattern in which cyber security breaches are occurring ever more frequently. In 2015, for instance, there were more than 177,866,236 personal records exposed via 780 data security breaches, according to the ITRC Data Breach Reports. In 2015, hacks occurred in every single state in the US, and the breakdown of the breached targets by type of entity is as follows:
- Businesses were the target of 40% of the security breaches (312 breaches).
- Medical and Healthcare entities made up 35.4% of data breach targets (276 breaches).
- Government or military targets made up 8.1% of cybersecurity breaches (63 breaches).
- Educational institutions accounted for 7.4% of data breaches (58 breaches).
In 2016, hackers logged a 38% uptick in their use of phishing-type security attacks, according to “Key findings from the Global State of Information Security® Survey 2017” by PricewaterhouseCoopers, and it also became well known that hackers were finding devices to target beyond computer systems and networks. Unsecured wireless medical devices, mobile devices, and even cloud architecture all came under attack in 2016. With security breaches arising on multiple fronts, companies, healthcare systems, governmental and educational entities, and individuals started to realize how real the threat of cyber security attacks was. In order to combat attacks, people began to increase their use of data security protection measures in 2016:
- 52% of individuals, businesses and entities utilized intrusion detection tools.
- 51% actively monitor and analyze security information for their vulnerable systems.
- 48% conduct vulnerability assessments.
- 47% utilize security information and event management tools.
- 47% regularly conduct cyber security threat assessments of their systems.
- 45% are subscribed to a threat intelligence service.
- 44% engage in data system penetration testing.
2017 High-Profile Breaches
Cyberattacks are happening in 2017 at double the rate that they occurred in 2016. According to Hackmageddon.com, there are dozens of cyberattacks each month, affecting the personal and user information of literally billions of internet users worldwide.
Below is a list of the biggest 2017 data breaches and hacks month-by-month from records tabulated and compiled by Hackmageddon.com.
January 2017 – 89 Cyberattacks
Winner: The Big Asian Leak
1.85 billion customers were affected by these hacks. Technically, these hacks took place from October 2015 to the end of 2016. However, the data was first offered for sale on the dark web in January 2017 by a dark web vendor called “DoubleFlag.” DoubleFlag offered to sell account information hacked from the most popular Chinese websites, including NetEase, Inc, 126.com, 163.com, Yeah.net, QQ.com, Tom.com, Sina.com/Sina.com.cn, Sohu.com and eYou.com. The account information included names, addresses, usernames, passcodes, other personal information and some financial information for 1.85 billion customers — yes, billion. See report here.
The companies owning or running the websites have either denied they were hacked or have refused to comment.
Honorable Mention: DC Police Department
In late January, the District of Columbia Police reported that ransomware infected 70% of the storage devices that record data from D.C. police surveillance cameras eight days before inauguration day. As reported here, city officials announced that the ransomware incapacitated police cameras between January 12 and January 15 and affected 123 of 187 network video recorders for public spaces across the city. Law enforcement was forced to reinstall software for all the cameras in a frantic effort in the lead-up to the inauguration.
February 2017 – 76 Cyberattacks
FunPlus, the company that makes a popular free-to-play mobile game called “Family Farm Seaside,” was hacked, compromising information on 3.3 million users. The hacker also stole product source code from the company. The hacker reportedly talked to reporters for Vice.com and said: “I decided I’m just gonna publish everything and let their investors see what a joke their security and s**t is.”
Runner-Up: Hitachi Payment Services
Hitachi Payment Services confirmed that, in mid-2016, malware hacked its servers and stole personal and financial data, including credit card information, for 3.2 million customers in India. This data breach was first reported in February 2017. The hack was particularly problematic because the malware securely deleted various tracing/tracking information, making it impossible to know exactly what data was exfiltrated by the malware. The breach led to a massive downturn in credit card use and significant damage to revenues and profits.
March 2017 – 64 Cyberattacks
Winner: Dun & Bradstreet
According to a report, a 52GB database was stolen containing information on 33.7 million people. The data was arranged in searchable fields and contained specific details about each of the people involved, from job title to email address, etc. According to the report, the employees in the database were from thousands of companies and government agencies, representing a large swath of the US corporate and government population. For example, the Department of Defense had over 100,000 employee records on the database, followed by the US Postal Service with over 88,000. AT&T, Boeing, Dell, FedEx, IBM, and Xerox were among the most named companies in the database, with tens of thousands of employee records each.
The database was used by marketers for targeted email promotions, so the data was not necessarily particularly personal in nature. But it was a sizable financial loss to Dun & Bradstreet to have the database stolen.
April 2017 – 85 Cyberattacks
More than a million accounts were hacked and compromised from the servers of the online gaming company. Leaked data included usernames, passwords, email addresses, IP addresses, and other optional record fields, such as instant messenger IDs, birthdays, and Facebook related details. See report here.
May 2017 – 67 Cyberattacks
Winner: WannaCry Ransomware
While not a data breach, no 2017 cyberattack list would be complete without listing WannaCry. The ransomware infected computers and servers in 74 countries and, as the report says, affected hospitals, businesses like FedEx, rail stations, universities, at least one national telco, etc. Millions of users were impacted worldwide. See report here.
June 2017 – 64 Cyberattacks
According to reports, 8Tracks, the most popular internet radio service provider, suffered a data breach which compromised 18 million user accounts. The data hacked included usernames, email addresses, and partially encrypted passwords. According to the owner of 8Tracks, the only accounts compromised were accounts that were authenticated through GitHub. When created, those accounts were not secured using two-factor authentication. Purportedly, accounts authenticated via Google or Facebook authentication were not affected by the hack.
July 2017 – 69 Cyberattacks
Winner: Reliance Jio
120 million customers of Reliance Jio had their personal data hacked. Reliance Jio is one of India’s largest mobile phone carriers. This was the largest breach of personal data ever in India. Among the data stolen were customer names, mobile numbers, email addresses, and the unique ID number of the phone. The hacked data was offered for sale. See report here.
Honorable Mention: HBO
Hackers obtained 1.5 terabytes of data from the computers of HBO. The hackers claimed to have released then-upcoming episodes of Ballers and Room 104. The hackers also claimed to have released a script from a then-upcoming episode of Game of Thrones. No ransom was demanded. See report here.
August 2017 – 90 Cyberattacks Tabulated
Winner: Misconfigured Spambot
User data for 700 million web users on many internet platforms worldwide was leaked. See report here. The misconfigured spambot essentially left the door open to anyone who knew the door was there and who wanted to download the data. It is unknown how many times the data was taken. The leaked data consisted of email addresses, passwords and lesser amounts of personal contact information associated with the email addresses.
September 2017 (Through 9/15/17) – 41 Cyberattacks
143 million customers of the credit reporting service had their personal and financial information stolen. The hack occurred over several weeks in May and June 2017 and was disclosed in late July. Since the first reports, Equifax has reported an additional 2 million customers were affected by the hack. See here. The Equifax data breach has subjected Equifax to government investigation.
Take Steps to Protect Your Business From Cyber Security Breaches
Most data security breaches are the result of an oversight somewhere in the system. Companies large and small are being hacked due to vulnerabilities in their computer systems that are identified and exploited by hackers. Companies need to follow cyber security best practices to protect themselves and their customers’ personal information. They need to give cyber security the time and resources necessary to rebuff cyber attacks and to neutralize cyber threats, or face growing liability and higher fines.
Since the area of cybersecurity is constantly changing and evolving, cybersecurity needs to be regularly evaluated to determine whether particular security measures are effectively addressing threats and risks. Only through diligent and consistent efforts can businesses rise to the challenge posed by hackers invading their computer systems.
Contact Revision Legal
Cyber security breaches are a real threat, whether it is to your business, the institution that you work for, or to your own personal computer system and devices. When you are hacked, or information that was entrusted to you was potentially accessed in a data security breach, you need to act quickly to understand your rights and obligations concerning notification of potential victims. You should retain the assistance of an experienced cyber security attorney like the professionals at Revision Legal. Contact us today using the form on this page or by calling us at 855-473-8474.
Photo Credit to Flickr user Jim Kaskade.
Editor’s note: this was originally published in December 2016. It has been updated for clarity and comprehensiveness.