Online Privacy Is Getting Worse: Data Breaches in 2019 on Track to Top Last Year's Total

In the first three months of 2019, some 1.9 billion records were exposed in 1,903 recorded data breaches. That’s equal to nearly 40% of the 5 billion records exposed in all of 2018 and is about 29% higher than the number of records exposed in the first quarter of last year.

Three of the first quarter’s breaches exposed 100 million or more records, according to the first-quarter data breach report from Risk Based Security. The largest involved the release of nearly a billion names, email addresses and other personally identifiable information from verifications.io, a firm that verifies or approves email addresses for third-party customers. The leaked records were the result of leaving a database unsecured and accessible to just about anyone who wanted a peek. The good news is that no passwords or Social Security numbers were included in the breached data.

The second-largest breach so far in 2019 was the loss of personal data from nearly 203 million job applicants that was exposed as a result of a misconfigured database. The third-largest involved nearly 162 million users of the Dubsmash website when the website was hacked.

Inga Goddijn, executive vice president and head of Cyber Risk Analytics at Risk Based Security said, “Researchers are increasingly going public when they discover sizable, unprotected databases containing sensitive information and unfortunately, they aren’t terribly difficult to find when you know where to look.”



Risk Based Security tracks how long it takes between the time a breach is discovered and the time it is disclosed. Interestingly, breaches discovered by an organization’s internal sources took an average of 74 days. When the breach was discovered by an external source, the time between discovery and disclosure dropped to an average of 43 days. The median numbers showed an even wider disparity: breaches discovered by an external source were publicly disclosed in eight days while those discovered by internal sources took 43 days to disclose.

While Risk Based Security makes no judgment about those delays, it’s difficult not to conclude that externally discovered breaches are publicized more quickly because the organization that lost the data has no effective control of the external source. When it’s an inside team that discovers the breach, the organization can withhold the information as long as it chooses to.

Of the first quarter’s 1,903 data breaches, 1,615 were the result of hacking incidents. More than 560 million records were exposed in these breaches, representing 29% of all records leaked in the quarter.

Web-based breaches, primarily the result of leaving databases accessible to third parties and failing to protect them, accounted for just 61 breaches but nearly 1.3 million breached records, just over two-thirds of all the records breached in the first quarter.

The country with the second-largest number of breaches is Canada, which saw just 30 leaks in the first quarter. The United States suffered nearly 20% of all first-quarter breaches with 371 incidents. Nearly half a million records were released in those breaches, more than 25% of all global leaked data. California, with 60 breaches, and Texas, with 52, were the states most often hit by data breaches. These are the states with the highest and lowest rates of identity theft per capita.