What Breach? The Details You Need From The 2017 North Carolina Security Breach Report

More than 1,000 data breaches were reported to the North Carolina Department of Justice in 2017. Since 2005—when North Carolina law began requiring businesses, state governments and local governments to report security breaches—nearly 5,000 breaches have been reported. Those breaches have impacted more than 14 million residents who call North Carolina home.


The reality is that the 1,000 breaches reported don’t represent the sum of breaches that happened in 2017. Why? Because many businesses don’t know they are required to report breaches. Some businesses are unsure of how to report a breach. And then there are many businesses that avoid reporting altogether out of fear of negative press or other external repercussions. The trends in the 2017 breaches, as reported in the North Carolina Security Breach report, are alarming, but they represent information you need to know to safeguard your business.

Hacking breaches account for 50 percent of all 2017 N.C. data breaches.

In 2017, N.C. DOJ received more than 500 reports of hacking. That total represents a 3,500 percent increase since 2006, and hacking now accounts for more than half of all data breaches. By law, a hacking breach is defined as one in which an individual finds a weakness in a computer system, exploits that weakness and gains unauthorized access to electronically stored information.

Phishing scams made up 24 percent of all 2017 breaches, up from 1.76 percent in 2015.

Phishing scammers steal credentials or personal information by sending emails or texts that appear to come from legitimate sources. We’ve seen this kind of breach impact large business institutions, target employee W-2s and arrive under the guise of CEO email addresses. The recent phishing scams prove there’s nothing that’s off limits.

This type of social engineering—which is on the rise—is the most common type of attack. An email that appears to come from your bank asking you to reset your password, yet then directs you to a fake website asking for your current login and password—thus giving criminals your login identification—is a prime example of a phishing scam.

While the significant increase in 2017 phishing scams is alarming, the jump may have been influenced by the new classifications made for data breaches. Either way, the 248 reported breaches in 2017 are likely not reflective of all the 2017 phishing breaches that took place. Many who have been impacted by this kind of breach are hesitant to report the scam because of embarrassment, or because they are still unaware that they voluntarily released personal information.
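The bank-password example above hinges on a simple mismatch: the message claims to be from one organization while its link actually leads somewhere else. The following Python script is an added example, not part of the original post or the N.C. DOJ report, showing one defensive check a mail filter or awareness tool can run over an HTML email: it pulls every link out of the body, compares the domain shown in the link text against the domain the link really points to, and flags links that leave the sender's domain. The sample message, sender address and domain names are constructed for the example, and the "registrable domain" helper is a deliberately crude last-two-labels approximation rather than a public-suffix-list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation (assumption: last two labels; a real tool would use the PSL)."""
    if not host:
        return ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches something that looks like a hostname inside link text, with or without a scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def suspicious_links(sender_addr, html_body):
    """Return (reason, link_text, href) for every link that does not match what it claims."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html_body)
    sender_domain = registrable_domain(sender_addr.rsplit("@", 1)[-1])
    for href, text in parser.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown:
            # The text displays a URL: the classic "looks like your bank, goes elsewhere" trick.
            if registrable_domain(shown.group(1)) != href_domain:
                findings.append(("text/href mismatch", text, href))
                continue
        if href_domain and href_domain != sender_domain:
            # Not necessarily malicious, but worth surfacing for review.
            findings.append(("link outside sender domain", text, href))
    return findings


# Constructed sample: the visible link reads as the bank's site, the href does not.
SAMPLE_SENDER = "alerts@examplebank.com"
SAMPLE_BODY = """
<p>Your password must be reset.</p>
<a href="http://examplebank-secure-login.net/reset">https://www.examplebank.com/reset</a>
<p>Or visit our <a href="https://www.examplebank.com/help">help center</a>.</p>
"""

if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{reason}: '{text}' -> {href}")
```

Run as-is it reports the first link as a text/href mismatch and stays quiet about the genuine help-center link. Checks like this catch the crude cases; they do not replace user training, since a lookalike domain with no displayed URL only trips the weaker "outside sender domain" rule.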

The data breaches by industry might surprise you.

Healthcare gets a huge amount of attention when it comes to data security. That attention comes from the long-standing HIPAA guidelines and the awareness of personal health information as a target to gain names, social security numbers and other important data. But according to this year’s study, the healthcare industry wasn’t the number one target.

  • General business made up 52 percent of 2017 breaches.
  • Financial services and insurance made up 26 percent of 2017 breaches.
  • Healthcare represented only 11 percent of 2017 breaches.

The figures are interesting, to say the least. Wondering why healthcare percentages are so low? The lower share may well reflect the industry’s early start on cyber security awareness and protection.

What can you do to protect your business and yourself?

Take it seriously and put preventative measures in place.

There is no room any longer for cyber security to be an afterthought. States now require notification of breaches, and hackers are seeking softer targets in general areas of business. Those changes are proof that more must be done to protect our organizations and educate our employees.

New legislation was recently introduced here in N.C. to toughen reporting requirements and to reclassify ransomware as a ‘breach’, thus requiring notification. More on that in my next blog. You can read more about this proposed legislation in my post Act To Strengthen Identity Theft Protections.