The number of publicly known data breaches decreased last year compared to 2017, despite harsher breach notification rules going into effect in Europe. The number of compromised sensitive records also went down by more than a third, from 7.9 billion records to around 5 billion.


According to a new report from security intelligence vendor Risk Based Security (RBS), over 6,500 incidents that resulted in compromised data were publicly disclosed last year, two-thirds of them originating in the business sector. The government sector accounted for 13.9 percent, the medical sector for 13.4 percent and education for 6.5 percent.

The data collected and analyzed by RBS shows that very large breaches continue to occur and, in fact, have the biggest impact on people's privacy. Last year, there were 12 breaches where 100 million or more sensitive records were exposed and together those breaches accounted for 74 percent of all records exposed in 2018.

The largest breach by far involved India's national ID database, known as Aadhaar. That incident was reported in March 2018 and exposed the national ID numbers, addresses, phone numbers, email addresses, postal codes, and photographs of almost 1.2 billion Indian citizens.

Other large breaches included hackers gaining access to 383 million loyalty program records stored in Marriott's Starwood guest reservation database and to 240 million guest records from Huazhu Hotel Group.

Some breaches were not the result of hackers exploiting security vulnerabilities, but of security oversights that made data openly accessible on the web. This was the case with marketing firm Exactis, which exposed the personal details of 230 million adults and 110 million business contacts due to a misconfigured database.

Another common cause for breaches is fraud or social engineering, where company insiders intentionally or accidentally share data with unauthorized third parties. The incident where political consulting firm Cambridge Analytica obtained data from 87 million Facebook user profiles through a third-party application falls into this category.

Hacking still biggest breach cause

According to RBS's analysis, hacking was the most common cause of data breaches last year, being directly responsible for 4,508 incidents. This was followed by skimming (453), web-related leaks (268), phishing (177) and malware (160).

However, when looking at the number of exposed records per breach type, the web category leads with 39 percent followed by hacking with 28 percent, fraud with 25 percent and data mishandling with 7 percent.

"Prior to 2017, hacking was the most common breach type and the top contributor to the number of exposed records," the RBS analysts said in their report. "That trend began changing in 2017 with web taking over—and remaining in—the top spot."

The majority of breaches (5,433) were the result of external threat vectors, 925 resulted from internal ones—both malicious and accidental—and 157 had unknown causes. That said, breaches that had internal factors, such as misconfigured services and other data handling mistakes, exposed far more records than hackers managed to steal: 2.6 billion compared to 1.7 billion.

The average number of days between data breach discovery and reporting was 49.6, a slight increase compared to 2017. This should be worrying to businesses, considering that the General Data Protection Regulation (GDPR) that went into effect in Europe last year requires breaches to be reported to regulators within 72 hours of discovery.

However, it's worth noting that the 72-hour window is only for reporting to regulators, not the public. Companies only have an obligation to inform affected individuals if there is a high risk of harm. Since RBS's report is based on an analysis of publicly disclosed breaches, that might be the reason why the GDPR had little effect on the observed average reporting timeframe.

For 2019, RBS plans to look deeper into the correlation between how breaches are discovered—externally or internally—and the time it takes organizations to disclose those breaches. "It seems likely organizations that are better able to uncover breaches would also be better prepared to respond," the company said.