Online Privacy & Security: Data Breaches

With the data breaches of LinkedIn (2016) and Adobe (2013), more than 300 million email addresses and passwords were exposed on the web. Since people often use the same password on multiple sites, this poses a great security risk for many.

This page dives into breached data that was posted for sale on dark markets, and shows information on data breaches through the years. 

Dataset and notes

Sources

  • Have I been pwned?, a database of breaches maintained by Troy Hunt, Microsoft Regional Director and MVP of Developer Security

  • The multi-year report of the Identity Theft Resource Center

Main findings

  • Hundreds of millions of usernames, passwords and other information get exposed each year. This exposes people to identity theft, monetary theft and extortion, especially those who use the same password on multiple sites.

  • The business sector is consistently targeted, with over 1500 breaches reported in the last 6 years. The number of breaches seems to increase each year. However, the growth in breaches in the Health/Medical sector is extraordinarily steep in the past 3 years.


2016 saw 352 million exposed accounts

In May 2016, 164 million email addresses and passwords from LinkedIn were exposed. The hack dated back to 2012, but only became public when the data was offered for sale on a dark web merchant site 4 years later.

This was the largest of many hacks in 2016, which saw 352 million exposed accounts.





What kind of information gets exposed?

Data exposed in a breach usually contains more than one kind of information. Email addresses are in almost every breach, because they are used as the primary identifier for accounts. These addresses can also be sold to spammers. Passwords are of course very popular as well. Not only can people access the account in question with the password, they can also try to log in to other (possibly more sensitive) sites, since a lot of people reuse their passwords.

Hackers who want to make the most money are usually after so-called 'fullz', which stands for a full set of someone's personal information, such as identification number, address and birthdate. An analysis by GQ searching the dark markets found that the median price for someone’s identity was $21.35.


Breaches per sector

The ID Theft Resource Center (ITRC) compiles a list of data breaches, including breaches where records weren't exposed to the public but merely lost.

Each breach listed by the ITRC was "confirmed by various media sources and/or notification lists from state governmental agencies". The number of records per breach can vary from a couple of hundred to a couple of million.

Here is an overview of the breaches by year and by sector.

  • Overall, the ID Theft Resource Center is recording an upward trend in the number of breaches per year: from some 500 in 2009 to close to 800 in 2014 and 2015.

  • The business sector is consistently targeted, with over 1500 breaches reported in the last 6 years. The number of breaches seems to increase each year.

  • However, the growth in breaches in the Health/Medical sector is extraordinarily steep in the past 3 years. 

  • Of the different sectors reported on, the Banking/Credit/Finance sector seems either the least targeted or the most adept at protecting its systems.

Number of reported breaches per year per sector

This data is from the ID Theft Resource Center and lists data breaches confirmed by media or government sources. It includes breaches where no information was exposed to the public.

Number of records reported compromised during the data breaches

This data is from the ID Theft Resource Center and lists the number of records reported compromised during the data breaches. Detailed numbers of records per sector were only available for the years 2014 and 2015. Note that this number of records is not exhaustive, since not all reports on data breaches included the number of records.

While the ITRC attempts to identify the number of records involved with each data breach, this information is not always listed in the sources it used. In general, only around half of the data breach reports include information about the number of records involved. The annual ITRC data breach reports for 2014 and 2015 included a quantification of the number of records compromised during the data breaches per sector: a total of 85 million (2014) and 178 million (2015) records could be counted.

However, since only 63% and 49% of data breach reports for those years, respectively, included the number of records, the available numbers might only be the tip of the iceberg. That the Health/Medical sector alone saw 121 million records compromised in 2015, and that this is only the number we know of, makes it even more worrisome.

Breached organizations, sorted by number of records exposed