In addition, more than half of data breaches resulted in the exposure of Social Security numbers, thus putting people at increased risk of identity theft, the not-for-profit organization says in its 2016 breach report, sponsored by CyberScout.
Overall, 72 percent of breached records were exposed due to hacking, skimming or spear-phishing attacks, according to the report. The greatest number of organizations that reported they'd been breached were in the business sector, representing 45 percent of all breached organizations, followed by healthcare and the medical industry at 35 percent, education at 9 percent and the financial services sector at 5 percent.
Data Breach Incidents by Type of Occurrence
The ITRC amasses those details from states' attorney general offices - 12 now publicly post breach notifications sent to their residents - as well as via Freedom of Information Act requests.
"For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available," according to Eva Velasquez, president and CEO of the ITRC.
But it's not clear whether the increase in breaches is due to more state agencies publicly sharing information, more organizations discovering breaches than before or if the total number of data breaches actually is increasing - or some combination of all three.
Breaches: A History of Unknown Unknowns
Reporting on data breaches inevitably involves the analytical technique known as the Johari window, popularized in 2002 by Donald Rumsfeld, then the U.S. secretary of defense:
- Known knowns: In 2016, according to ITRC, there were 1,093 reported U.S. data breaches, leading to the exposure of 36.6 million records.
- Known unknowns: The number of records that were exposed in 51 percent of those reported breaches either wasn't known or wasn't reported, ITRC reports.
- Unknown unknowns: How many other breaches might have occurred and how bad might they have been?
That last question remains crucial. Many times, record-setting breaches are of a size and severity that's never been seen before, or may have used previously unseen attack techniques.
Here are five pertinent examples:
- TJX: The theft from TJX and Heartland Payment Systems of 40 million and 130 million payment card details, respectively, in the early 2000s.
- Aurora: The high-profile attack against Google in 2009 known as Operation Aurora, ascribed to a Chinese counterespionage operation that targeted U.S. government wiretap information.
- OPM: The 2015 U.S. Office of Personnel Management breach resulted in the loss of personal information for 21.5 million individuals, including biometric data, and was also blamed on China.
- Yahoo: The search giant in 2016 discovered the full extent of two different historical mega-breaches, one involving the compromise of 1 billion records, while another resulted in 500 million records being exposed.
- DNC: The U.S. intelligence community has blamed Russia for attempting to interfere in the 2016 U.S. presidential elections by hacking and leaking documents from the Democratic National Committee and others.
What record-breaking breaches simply haven't yet come to light?
Europe Preps for Mandatory Breach Notifications
Breach awareness is arguably highest in the United States, thanks to the patchwork of state regulations that require individuals to be notified when their personal data may have been exposed.
By contrast, in Europe, the extent of the data breach problem remains unknown. But the 2016 General Data Protection Regulation, due to be enforced beginning in May 2018, will institute mandatory breach notifications for any organization that suffers a breach that may have exposed personal data for individuals in the EU. Many security experts expect GDPR to dramatically alter privacy and breach-related discussions in Europe, once the true scale and severity of the breach problem begins to become known.