According to an annual report by the Identity Theft Resource Center, the number of U.S. data breaches tracked in 2018 decreased 23 percent from last year’s all-time high of 1,632 breaches, to 1,244 breaches, but the reported number of exposed consumer records containing sensitive personally identifiable information jumped 126 percent, from the 197,612,748 records exposed in 2017 to 446,515,334 records this past year.
Another critical finding was the number of non-sensitive records compromised: an additional 1.68 billion exposed records, not included in the above totals, according to the 2018 End-of-Year Data Breach Report. While email-related credentials are not considered sensitive personally identifiable information, a majority of consumers use the same username/email and password combinations across multiple platforms, creating a serious vulnerability.
“The increased exposure of sensitive consumer data is serious,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Never has there been more information out there putting consumers in harm’s way. ITRC continues to help victims and consumers by providing guidance on the best ways to navigate the dangers of identity theft to which these exposures give rise.”
Colin Bastable, CEO of cybersecurity test and training company Lucy Security, told Security magazine: "Third parties are significant multipliers in the risks faced by consumers and businesses: the fewer moving parts we have between us and our data, the safer we are. By making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk. By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blind-sided: you reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised. Many business cloud applications use APIs to integrate with corporate email and other systems – each connection multiplies our risks of loss from being hacked."
He added: "Using email addresses as usernames is to be avoided whenever possible. Organizations don’t do this to help consumers, but to reduce the support burden and lost business from forgotten usernames. Convenience is a double-edged sword – if it's easy for you, it's easier to attack you. Last, from an organizational perspective, the technologies already exist to protect data. We have encryption, tokenization, MFA, anti-malware software, firewalls and so on, but attacks keep succeeding at increasing rates. Therefore, we can conclude that cybersecurity technology is never going to solve this problem. In February 2020, reports will show that 2019 was another stellar growth year for hackers. Businesses, Consumers, Governments, Militaries, NGOs and Politicians will all be hacked this year as never before: your job is to make sure that you, your family and your organization are not one of them. If you don’t have to hold consumer data – don’t. Train your people relentlessly, and run "what-if?" scenarios for the 20% of them who will click on a phishing link. Test systems and people in a holistic model, and let someone else be the victim."