Yahoo, Others Make 2016 a Record Year for Data Breaches, Report Finds

Documented data breaches exposed almost 4.3 billion records, far more than previous years, although the total number of breaches held steady, according to a report published by Risk Based Security.

Record Data Breaches 2

The reported breaches at Yahoo exposed approximately 1.5 billion records, which along with a handful of other immense breaches, made 2016 a record year for data loss, according to a report released by security firm Risk Based Security on Jan. 25.

The report collected and sifted through 4,149 confirmed breach reports from a variety of sources, finding that at least 4.2 billion records were potentially compromised in 2016, up from approximately 1.0 billion in 2013, the previous record.

While the total number of reported data breaches held steady over the past few years, the average breach was more severe—and exposed more records—than previous years, Inga Goddijn, executive vice president at Risk Based Security, told eWEEK.

“We have been tracking breach activity since 2005, and the number of breaches this year was not really higher or lower than prior years, but the severity was off the charts,” she said.

The data seems to show that the average data breach involved between 101 and 1,000 records in 2016, at least an order of magnitude greater than the 1 to 100 records in 2015. In addition, the number of breaches involving more than 1 million records has climbed steadily to 94 incidents in 2016, up from 60 incidents in 2015 and 34 incidents in 2013.

The most significant impact on breach numbers, however, came from the compromise of Internet giant Yahoo, which acknowledged two intrusions in 2016, one involving 500 million records that was reported in September and another involving 1 billion records but reported in December. The breach reported in September likely occurred in 2014, while the latter breach likely happened in 2013, according to the firm. The size of the breaches stunned security experts and threatened to derail the proposed buyout of Yahoo by Verizon.

The search company was not the only one to discover more than one breach in the same year. At least 122 other companies reported two or more breaches in 2016, according to Risk Based Security.

“When there was a major breach, it really kicked these security teams into high gear, resulting in some pretty intensive internal investigations, and we did see subsequent second and third breaches being reported, because of that investigation,” Goddijn said. “Yahoo is the classic example.”

The top-10 breaches—including breaches at FriendFinder and MySpace in addition to Yahoo—accounted for about 3 billion of the year’s compromised records, without which 2016 would have resembled most other years.

Email addresses, passwords and names were the most often exposed pieces of information. Hacking accounted for nearly 93 percent of all records exposed in breaches, with Web misconfigurations and leaks accounting for another 6 percent.

Some industries suffered more than others, with business services, retail and technology sectors accounting for 30 percent of all breaches. The industries impacted by another 24 percent of breaches were not known.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...