Top 8 Industries Reporting Data Breaches In The First Half Of 2019

The exposure of user records is one of the most detrimental outcomes from modern cyber-attacks. At Cyber Security Hub, we report these data breaches in our Incident Of The Week.

During the first half of 2019, more than 1,400 data breaches were publicly disclosed. Risk Based Security reported a summary of the attacks in its 2019 MidYear Data Breach QuickView Report.

In analyzing the data, eight economic sectors stood out for having the most reported breaches. However, some industries are obligated by regulation to report data breaches while others are not. It is a reasonable assumption that underreporting of data mismanagement occurs in the non-regulated industry sectors. With more data privacy regulation coming, a greater number of disclosures will also be made.

Here are the top eight industries reporting data breaches in the first half of 2019, including:

• Healthcare
• Retail
• Finance and insurance
• Public administration
• Information
• Professional/scientific
• Education
• Manufacturing

Let us take a detailed look at each of these industries.

8. Manufacturing

   The manufacturing industry has been an air-gapped environment from the rest of the business and the outside world, if for no other reason than the paranoia that company information could fall into the wrong hands. Now, often dragged kicking and screaming into the connected world of enterprise IT, manufacturing organizations are being exposed to the efficiencies (such as workflow enhancements and improved data analysis) and the side-effects of attacks on the organization.

   See Related: Incident Of The Week: Malware Attack Disrupts Hoya Factory Operations

7. Education

   Imagine if all of your enterprise became nomads outside of your physical perimeter, seeking access to applications, data, and services from anywhere at any time. This is very much the situation that the education market faces. Higher education has both students and staff introducing a multitude of devices on campus and from afar that defy typical baselines for authentication and network behavior.

   School districts face more and more attacks as they grow the number of endpoints that must be managed and deliver more services. Ransomware is an increasing threat for schools due to the amount of personally-identifiable information (PII) contained in their systems.

   See Related: Higher Education Information Security Council (SEISC) Data Breach Resources at EDUCAUSE

6. Professional/Scientific

   Capturing customer data or gleaming business strategies are examples of attack objectives for the professional and scientific sector. Access to product development plans and sensitive company data appeals to intelligence gathering by nation states.

   New attack vectors are observed where specific organization roles are targeted. Instead of phishing campaigns to find privileged access credentials, attackers are leveraging professional networks and connected home devices to infiltrate the knowledge workers.

   See Related: Incident Of The Week: Passwords And Biometrics Info For One Million Users Exposed In Biostar 2 Data Breach

5. Information

   As more and more data is collected, stored and analyzed, the need to secure data is essential. On-premise servers have given way to public, private and hybrid cloud strategies. Massive data sets are a lucrative target for attackers looking to grow their collection or leave a digital ransom note to recover purged databases.

   The scope and scale of data is making the job of the security team infinitely more complex. A progressive strategy for InfoSec is to build relationships with more of the organization’s stakeholders, such as Risk, Audit and Privacy. No single enterprise function need take on all of the burden associated with the growth and governance of data.

   See Related: 6 Lessons Learned From The Citrix Breach

4. Public Administration

   Citizens entrust government agencies to delivery services that are both secure and protect PII. When data is exposed, those constituents have no alternative choice to take their business elsewhere. To create a penalty for data mismanagement, governments are starting to impose fines for which their own agencies are not immune to being on the receiving end.

   In our hyper-connected society, information and news travels fast. Incidents occurring in a municipality, such as a city, become headlines internationally and the response plan is literally under public scrutiny on a global stage. The pairing of security fundamentals and adhering to compliance obligations cannot be understated for public entities.

   See Related: Incident Of The Week: Baltimore City Government Hit With “Robbinhood” Ransomware

3. Finance & Insurance

   Companies in the financial services industry were some of the earliest to implement fraud detection as a core element of their workflow. Unfortunately, the banks, lenders and insurance companies have also been the source for some of the largest data breaches to date.

   In both the First American Title and Capital One incidents, the expansion of the security perimeter to include cloud service providers and third-party vendors has been the Achilles’ heel for financial institutions. Creating cyber-accountability and managing this risk is a growing priority for finance as well as other industries.

   See Related: Incident Of The Week: Historic Capital One Hack Reaches 100 Million Customers Affected By Breach

2. Retail

   The combination of legacy “swipe and go” payment card machines and a high volume of transactions have led to the retail sector climbing quickly to the second most-often cited industry disclosing data breaches during the first half of 2019. Skimming and point-of-sale (POS) machine malware have attracted attackers to retailers.

   Skimming is a means to capture payment card data by having a duplicate or fake magnetic stripe reader that is swiped by the user. Skimming attacks often occur at gas stations and bank ATM machines. Attackers create duplicate payment cards and re-use the copies at similar quick-pay locations.

   The use of EMV chip + PIN payment cards and POS machines alleviates the retail situation, though transaction suppliers and slow end-user adoption of the payment cards has prolonged the risk.

   See Related: Incident Of The Week: Millions Of Hy-Vee Customer Payment Cards Appear For Sale Online

1. Health Care

   The HIPAA Breach Notification Rule requires HIPAA-covered entities to provide notification following a breach of unsecured protected health information (PHI).

   A similar breach notification requirement and process for vendors of personal health records and third-party service providers is enforced by the Federal Trade Commission (FTC), pursuant to section 13407 of the HITECH Act.

   Despite the presence of HIPAA, Health Care businesses were the leading industry vertical reporting data breaches during the first half of 2019. The breach notification requirement and process associated with HIPAA and the HITECH Act are also contributors to higher levels of compliance by health care organizations than other industries.

   See Related: Incident Of The Week: Dominion National Finds Evidence Of Data Breach Nearly A Decade Later

Want to learn more about data breaches in specific industry verticals? Read more about this year’s leading security incidents in Cyber Security Hub’s Top 5 Cyber Security Breaches of 2019 So Far.