Data Breach Update & Highlights Month of September 2018

Data Breaches by Type

Hacking was the primary type of breach incident, representing 46 percent of the overall number of breaches identified in September, up 11 percent from August figures. Phishing was the most popular form of hacking for September, representing 50 percent of the total breaches caused by hacking, while ransomware/malware represented 15 percent of breaches categorized as hacking.

Unauthorized Access was identified as the second most common type of attack at 30 percent of the overall total of breaches in September, experiencing a decline of 12 percent from last month.

Accidental Exposure was the third most common method of breach at 12 percent, down two percent from August, and breaches exposed through Employee Error/Negligence/Improper Disposal/Lost ranked fourth, accounting for seven percent of breaches and up one percent from the previous month.

If you find this information useful, please consider donating to the ITRC, a registered 501(c)(3) nonprofit organization, to help keep our services free to the public.

September Data Breaches by Industry

The Business sector topped the list as the industry facing the most breaches in September for the fourth consecutive month at 44 percent of the overall number of breaches, dropping seven percent from August. With a 16 percent increase compared to August, the Medical/Healthcare sector was the second most impacted industry, accounting for 39 percent of the overall number of breaches identified in September. The Government/Military sector ranked third, representing nine percent of the total breaches, down 3 percent from August. The Educational sector experienced five percent of total breaches, down five percent from August, and the Banking/Credit/Financial sector was impacted the least this month with three percent of total breaches.

Although the Government/Military sector represented only five out of the 57 total breaches for September, it had the highest exposure rate of sensitive PII at 14 million records exposed. The Business sector had the most total breaches; however, it came in second for the highest amount of non-sensitive PII exposed, at 380,000.

Hacking affected all sectors as the most common method of breach in September, impacting 100 percent of the breaches in the Banking/Credit/Financial industry, 56 percent of breaches in the Business sector, 36 percent of breaches in the Medical/Healthcare sector, 33 percent of breaches in the Education sector, and 20 percent of breaches in the Government/Military sector.

September Company Breach Highlights

Social media giant Facebook was hit by a breach affecting 50 million accounts this month. Hackers were able to steal access tokens, which are used to keep users logged into their accounts so they do not need to re-enter their password each time the app is used. The access tokens granted the hackers access to users’ profiles, exposing their name, date of birth, email address, phone number and other information posted on the user’s profile. Facebook discovered the breach on September 25th and notified users on September 28th. Facebook reset the access tokens of all 50 million exposed accounts, along with those of another 40 million as a precaution.

Online textbook rental company Chegg experienced a data breach affecting 40 million people. Hackers stole usernames, email/shipping addresses, and hashed passwords from the company’s customer database. Chegg learned of the breach on September 19th and began notifying customers on September 27th.

Government Payment Service Inc. (GovPayNow.com), a company that manages online payments for U.S. government agencies, exposed 14 million records, including names, addresses, phone numbers and the last four digits of payees’ credit cards.