2017 Year End Data Breach QuickView Report


Data Breach QuickView Report

Data Breach Trends – Year End 2017

Produced By: Risk Based Security, Inc


Sponsored By: Risk Placement Services, Inc
Not Just Security, the Right Security.
Issued: January 2018

2017: A New “Worst Year On Record” With Over 5,200 Breaches Exposing 7.8 Billion Records

• There were 5,207 breaches reported through the end of 2017, exposing approximately 7.89 billion records.
• Compared to 2016, the number of reported breaches is
up 24.1% and the number of exposed records is up 24.3%.
• The 5 largest breaches of 2017 exposed approximately
5.7 billion records or 72.2% of all records exposed.
• The Business sector accounted for 39.4% of reported
breaches, followed by Medical (8.1%), Government (7.2%),
and Education (5.3%). Data leaks from organizations that
could not be identified accounted for 40% of confirmed
breaches.
• The Business sector accounted for 83.9% of the total
records exposed, followed by Unknown (12.3%) and
Government (3.7%). Medical and Education sectors
combined continue to account for less than 1% of the total
records exposed this year. When compared to the above, it
is clear that, while the source of the data cannot always be
confirmed, the overwhelming volume of data compromised
originates from the general Business sector.
• Following prior quarters’ trends, Web (inadvertent online
disclosure) was the leading cause of records compromised in
2017, accounting for 68.7% of exposed records, but only 5%
of reported breaches.
• The leading cause of breaches for the year was Hacking
(unauthorized intrusion), accounting for 55.8% of incidents.
The percentage of records exposed due to Hacking was
29.8%, or 2.3 Billion records.
• The number of breaches in 2017 confirmed to have
exposed one million or more records was 89, bringing the
10-year total for such “mega” breaches to 344.
• 2017 finished with 8 breaches on the Top 20 List of All
Time Largest Breaches.

1 | Data Breach Intelligence Copyright © 2018 Risk Based Security, Inc. All rights reserved.

Table of Contents

2017 YEAR END COMPARED TO THE PREVIOUS FOUR YEARS
2017 YEAR END BY INDUSTRY, BY MONTH
2017 YEAR END BREACHES BY TYPE, BY RECORD
2017 YEAR END BREACHES BY THREAT VECTOR, BY RECORD
2017 YEAR END ANALYSIS BY DATA FAMILY
2017 YEAR END CONFIDENTIALITY IMPACT
2017 YEAR END ANALYSIS OF RECORDS COMPROMISED PER BREACH
2017 YEAR END AVERAGE NUMBER OF RECORDS EXPOSED FOR TOP 5 BREACH TYPES
DISTRIBUTION OF BUSINESS GROUPS WITHIN TOP 3 ECONOMIC SECTORS
2017 YEAR END ANALYSIS BY LOCATION
2017 YEAR END BREACHES BY COUNTRY
2017 YEAR END EXPOSED RECORDS BY COUNTRY
2017 YEAR END DISTRIBUTION OF BREACHES BY STATE
2017 YEAR END ANALYSIS OF US STATE RANKINGS, EXPOSED RECORDS
2017 YEAR END BREACHES IMPACTING THIRD PARTY ORGANIZATIONS
2017 YEAR END BREACH SEVERITY SCORES BY DATE REPORTED
2017 YEAR END TOP 10 BREACHES BY SEVERITY SCORE
TOP 20 LARGEST BREACHES ALL TIME (BY EXPOSED RECORDS COUNT)
METHODOLOGY & TERMS

2017 Year End Compared to the Previous Four Years

[Bar chart: Number of Incidents by Year, 2013–2017. Bar labels in extraction order: 5,207; 4,344; 4,195; 3,281; 2,615.]
[Bar chart: Number of Records Exposed by Year (in millions), 2013–2017. Bar labels in extraction order: 7,899; 6,358; 1,106; 1,111; 823.]

2017 Year End by Industry, by Month

[Chart: Distribution of Incidents by Industry, by Month. Months JAN–DEC; series: Business, Government, Medical, Education, Unknown.]
[Chart: Distribution of Exposed Records by Industry, by Month. Months JAN–DEC, 0.0%–100.0%; series: Business, Government, Medical, Education, Unknown.]

2017 Year End Breaches by Type, by Record

Top 5 Breach Types

| Breach Type | Number of Breaches |
|---|---|
| Hacking | 2,905 |
| Skimming | 571 |
| Phishing | 314 |
| Virus | 301 |
| Web | 258 |

Hacking (unauthorized intrusion into systems or networks) is continuously the leading source of data breaches. However, 2017 saw the lowest percentage of records exposed by hackers since 2008, when 45.5% of exposed records were the result of hacking.

Records Exposed by Breach Type

| Breach Type | Percentage of Records Exposed |
|---|---|
| Web | 68.8% |
| Hacking | 29.8% |
| Stolen Computer | 0.7% |
| Undisclosed | 0.6% |
| Stolen Laptop | 0.0% |

Unintentional exposure of sensitive data via the Internet reached staggering heights in 2017, with 5.4 Billion records exposed due to inadvertent publication, misconfigured services and leaky portals.

2017 Year End Breaches by Threat Vector, By Record
Number of Incidents by Threat Vector

| Threat Vector | Number of Incidents |
|---|---|
| Outside | 4280 |
| Inside-Accidental | 403 |
| Inside-Unknown | 191 |
| Unknown | 169 |
| Inside-Malicious | 164 |

| Threat Vector | Records Exposed |
|---|---|
| Inside-Accidental | 3,079,361,872 |
| Outside | 2,738,517,484 |
| Inside-Unknown | 2,020,878,036 |
| Unknown | 59,590,961 |
| Inside-Malicious | 1,646,259 |
| Total | 7,899,994,612 |

The interplay between how the majority of breaches are happening (hacking) and how the majority of sensitive data is exposed (web) is evident when looking at breach events triggered by outsiders versus insiders. Once again, the vast majority of breaches originate outside of the organization but insider actions expose data at a rate of nearly 2 to 1 compared to outsider activity.

2017 Year End Distribution of Breaches by Discovery Method

| Quarter | Internal Discovery - Incidents | Internal Discovery - Records | External Discovery - Incidents | External Discovery - Records | Undisclosed Discovery - Incidents | Undisclosed Discovery - Records |
|---|---|---|---|---|---|---|
| Q1 | 228 | 66,231,034 | 804 | 3,364,751,513 | 405 | 18,567,691 |
| Q2 | 243 | 3,058,963 | 352 | 493,066,473 | 355 | 2,098,842,627 |
| Q3 | 148 | 4,199,892 | 1,059 | 871,093,918 | 302 | 177,243,402 |
| Q4 | 109 | 31,834,586 | 961 | 708,907,553 | 241 | 61,090,105 |
| Total | 728 | 105,324,475 | 3,176 | 5,437,819,457 | 1,303 | 2,355,743,825 |

2017 Year End 10 Largest Breaches With Data Types and Severity Scores (see footnote 1)

| Breach Type | Records Exposed | Percentage of Total Exposed | Data Type (see footnote 2) | Severity Score |
|---|---|---|---|---|
| Web | 2,000,000,000 | 32% | ADD/NAA/NUM | 10 |
| Web | 1,374,159,612 | 22% | ADD/EMA/FIN/MISC/NAA | 10 |
| Hack | 1,221,893,767 | 19% | EMA/PWD | 10 |
| Web | 711,000,000 | 11% | EMA/MISC/PWD | 9.63 |
| Web | 404,293,959 | 5% | ACC/DOB/EMA/MISC/NAA/NUM | 9.69 |
| Web | 267,693,854 | 4% | EMA/NUM | 9.80 |
| Web | 198,000,000 | 3% | ADD/DOB/MISC/NAA/NUM | 10 |
| Hack | 145,500,000 | 2% | ADD/CCN/DOB/MISC/NAA/SSN/UNK | 10 |
| Web | 135,000,000 | 2% | ADD/FIN/MISC/NAA/NUM/SSN | 9.68 |
| Hack | 129,696,449 | 2% | EMA/PWD | 9.71 |

The 10 largest breaches in 2017 exposed 6,587,237,641 records, or 83.4% of the total records exposed in 2017.

2017 Year End Analysis by Data Family

| Data Family | Percentage of Total Breaches 2016 | Percentage of Total Exposed Records 2016 | Percentage of Total Breaches 2017 | Percentage of Total Exposed Records 2017 |
|---|---|---|---|---|
| Electronic | 91.30% | 99.99% | 93.46% | 99.98% |
| Physical | 5.95% | <1% | 4.36% | <1% |
| Unknown | 2.75% | <1% | 2.17% | <1% |

2017 Year End Confidentiality Impact


Confidentiality Impact

| Confidentiality Impact | Percentage of Breaches |
|---|---|
| Confirmed | 83% |
| Potential | 13% |
| Unknown | 4% |

Losing control of sensitive data is not synonymous with unauthorized access to the data. In 2017, 83% of breaches resulted in confirmed unauthorized access to data. This is unchanged from Q3.

1 See page 13 ("2017 Year End Top 10 Breaches By Severity Score") for additional detail on these incidents.
2 See page 17 ("Methodology & Terms") for a description of abbreviations.

2017 Year End Breach Analysis by Data Type

Incidents by Data Type Exposed


Email Address 49.0%
Password 44.6%
Name 29.5%
Physical Address 20.1%
Social Security Number 16.9%
Credit Card Number 16.0%
Miscellaneous 14.1%
Unknown 13.9%
Financial Account Details 11.0%
Date of Birth 9.8%
Username 9.8%
Phone Number 8.5%

Percentage of Breaches Exposing Top Four Data Types - 2017 vs. Prior Years

| Data Type | 2017 | 2016 | 2015 |
|---|---|---|---|
| Email Address | 49.0% | 42.4% | 44.8% |
| Password | 44.6% | 37.9% | 48.5% |
| Name | 29.5% | 35.3% | 30.0% |
| Physical Address | 20.1% | 20.4% | 13.7% |

As 2017 came to a close, access credentials in the form of email address and password
combinations remained a prime target for data theft. This has been a consistent theme since 2012.
It is tempting to attribute the trend to malicious actors seeking a simple pathway into networks.
After all, it is easier – and stealthier - to gain access using legitimate keys to the front door rather
than breaking in through a side window. However, only 2.6% of breaches reported in 2017 were
traced back to the use of stolen credentials.

2017 Year End Analysis of Records Compromised Per Breach

| Exposed Records | Number of Breaches | Percent of Total |
|---|---|---|
| Unknown/Undisclosed | 1742 | 33.5% |
| 1 to 100 | 1639 | 31.5% |
| 101 to 1,000 | 904 | 17.4% |
| 1,001 to 10,000 | 528 | 10.1% |
| 10,001 to 100,000 | 225 | 4.3% |
| 100,001 to 500,000 | 60 | 1.2% |
| 500,001 to 999,999 | 20 | 0.4% |
| 1 M to 10 M | 55 | 1.1% |
| > 10 M | 34 | 0.7% |

Despite more breaches – and more large breaches – taking place in 2017, nearly 60% of incidents exposed between 1 and 10,000 records.

2017 Year End Average Number of Records Exposed For Top 5 Breach Types

| Breach Category | Number of Breaches | Number of Records Exposed | Average Records per Breach | Percent of Total Records Exposed |
|---|---|---|---|---|
| Hacking | 2905 | 2,353,543,662* | 810,170 | 29.79% |
| Skimming | 571 | 7,040 | 12 | 0.00% |
| Phishing | 314 | 807,093 | 2,570 | 0.01% |
| Virus/Malware | 301 | 3,094,052 | 10,279 | 0.04% |
| Web | 258 | 5,427,649,803 | 21,037,402 | 68.70% |

*Data updates resulted in a lower record count compared to prior quarter report.

2017 Year End Analysis of Incidents by NAICS Economic Sector

[Bar chart: Distribution of Incidents by Economic Sector]

Distribution of Business Groups Within Top 3 Economic Sectors

| Economic Sector | Business Group | Percentage of Breaches Within Economic Sector |
|---|---|---|
| Information* (51) | Software / Web Services | 79.3% |
| Information* (51) | Mass Media | 12.4% |
| Information* (51) | Telecommunications | 8.3% |
| HealthCare (62) | Hospitals | 34.4% |
| HealthCare (62) | Practitioners’ Offices | 32.4% |
| HealthCare (62) | Non-Hospital Facilities | 27.2% |
| Finance & Insurance* (52) | Finance | 80.6% |
| Finance & Insurance* (52) | Insurance | 19.4% |

*Note, the Information and Finance & Insurance sectors are made up of three and two Business Groups respectively. As such, the entire sector is represented.

2017 Year End Analysis by Location

Incidents by Location: USA 44.7%, Unknown 38.6%, Other 16.7%

Records Exposed by Location: Other 64.08%, USA 29.33%, Unknown 6.59%

Breach reporting obligations in the United States have long contributed to the
information available for breach analysis. On May 25, 2018, the EU will begin
enforcing the General Data Protection Regulation (GDPR), including the requirement
for mandatory breach notification to both individuals and regulatory authorities. This
change should lead to greater disclosure of events throughout the EU.

2017 Year End Breaches by Country

Incidents by Country - Top 10

| Country | Incidents |
|---|---|
| United States | 2,330 |
| United Kingdom | 184 |
| Canada | 116 |
| India | 78 |
| Australia | 62 |
| Brazil | 31 |
| China | 27 |
| Russia | 23 |
| Ukraine | 22 |
| Indonesia | 21 |

While the United States is the largest contributor to breach activity, the median number of records lost in the U.S. was relatively low, at 1,458.

2017 Year End Exposed Records by Country

| Ranking | Number of Breaches | Country | Total Exposed Records | Average Records per Breach | Median Records Exposed | Percentage of Exposed Records |
|---|---|---|---|---|---|---|
| 1 | 27 | China | 3,822,021,911 | 141,556,367 | 11,748,417 | 52.01% |
| 2 | 2330 | United States | 2,317,065,126 | 994,449 | 1,458 | 31.53% |
| 3 | 16 | Netherlands | 711,794,171 | 44,487,136 | 4,021 | 9.69% |
| 4 | 78 | India | 301,422,538 | 3,864,392 | 216 | 4.10% |
| 5 | 11 | South Africa | 67,023,831 | 6,093,076 | 6,700,000 | 0.91% |
| 6 | 3 | Philippines | 55,245,020 | 13,811,255 | - | 0.75% |
| 7 | 6 | Argentina | 28,741,292 | 4,790,215 | 2,516 | 0.39% |
| 8 | 12 | Republic of Korea | 17,372,292 | 1,447,691 | 1,000,000 | 0.24% |
| 9 | 11 | Israel | 14,001,285 | 1,272,844 | 131 | 0.19% |
| 10 | 1 | Bermuda | 13,400,000 | 13,400,000 | - | 0.18% |

Three large breaches, including exposure of data belonging to EmailCar, NetEase and DU Caller, drove
the high record count for China. These three breaches also contributed significantly to the total number
of records exposed in 2017.

2017 Year End Distribution of Breaches By State

Incidents by US State - Top 10

| State | Incidents |
|---|---|
| CA | 241 |
| FL | 172 |
| TX | 170 |
| NY | 144 |
| PA | 100 |
| OH | 83 |
| IL | 77 |
| VA | 72 |
| MA | 61 |
| NJ | 57 |

With the exception of Maryland, the number of breaches per state closely aligns with the ten most populous states.

2017 Year End Analysis of US State Rankings, Exposed Records

| Exposed Records Ranking | US State | Total Exposed Records | Number of Breaches | Exposed Records/Breach | Percentage of Records Exposed in USA |
|---|---|---|---|---|---|
| 1 | WA | 1,375,372,393 | 39 | 35,265,959 | 59.36% |
| 2 | CA | 295,290,220 | 241 | 1,225,271 | 12.74% |
| 3 | NJ | 33,812,931 | 57 | 593,209 | 1.46% |
| 4 | NY | 11,261,602 | 144 | 78,206 | 0.49% |
| 5 | GA | 10,725,010 | 53 | 202,358 | 0.46% |
| 6 | MD | 6,721,954 | 55 | 122,217 | 0.29% |
| 7 | AR | 6,611,511 | 12 | 550,959 | 0.29% |
| 8 | TX | 5,477,243 | 170 | 32,219 | 0.24% |
| 9 | CT | 3,080,345 | 33 | 93,344 | 0.13% |
| 10 | MI | 2,541,609 | 39 | 65,169 | 0.11% |

2017 Year End Breaches Impacting Third Party Organizations

[Pie chart: Third Party Breaches by Steward Organization Business Type. Categories: Medical, Government, Business, Unknown, Education. Slice labels in extraction order: 7%, 6%, 11%, 26%, 50%.]

• Steward Organizations – defined as the party responsible for protecting the data at the
time of the breach – classified in the business sector account for 50% of the breaches
with a direct impact on other organizations.
• 28.9% of the breaches impacted more than one third party organization and 7.6%
impacted more than three organizations.

[Bar chart: Third Party Breaches by Breach Type - Top 10. Bar labels: 70, 47, 14, 13, 12, 11, 9, 8, 7, 6.]

2017 Year End Breach Severity Scores By Date Reported

Breach Severity Scores by Quarter (Number of Incidents in Category)

| Quarter | 9.0 - 10.0 | 8.0 - 8.99 | 7.0 - 7.99 | 6.0 - 6.99 | 5.0 - 5.99 | 4.0 - 4.99 | 3.0 - 3.99 | 2.0 - 2.99 | 1.0 - 1.99 | <1 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1Q2017 | 12 | 14 | 30 | 88 | 326 | 594 | 258 | 65 | 46 | 4 |
| 2Q2017 | 6 | 7 | 18 | 48 | 286 | 354 | 168 | 38 | 20 | 5 |
| 3Q2017 | 5 | 5 | 13 | 47 | 203 | 353 | 410 | 439 | 25 | 9 |
| 4Q2017 | 7 | 6 | 9 | 30 | 245 | 262 | 446 | 262 | 34 | 10 |

Breach severity scores are based on a number of factors including number and type of records
lost, how the breach occurred, and the presence of follow on actions such as lawsuits or
regulatory investigations. An increase in the number of breaches scoring 3 or below in Q3 and
Q4 is a bright spot in an otherwise troubling year. Breaches exposing fewer records coupled
with less critical data types compromised combined to produce more breaches with lower
severity scores.

2017 Year End Top 10 Breaches By Severity Score

| Score | Reported | Organization | Top 10 Summary |
|---|---|---|---|
| 10 | Q4 | Uber Technologies | (Hacking) 57,000,000 customer names, email addresses, and phone numbers, as well as 600,000 driver names and license numbers accessed by two hackers that later received hush money to cover up the breach |
| 10 | Q4 | Public Cellular Blockbuster Service | (Hacking) 54,000,000 customer details ranging from name, address and phone numbers to national identification numbers, dates of birth, location and demographic details taken by hackers sometime in 2014 |
| 10 | Q3 | Equifax | (Hacking) 145,500,000 names, dates of birth, Social Security numbers and other confidential information compromised by exploiting unpatched vulnerability in Apache Struts (CVE-2017-5638) |
| 10 | Q2 | DU Group dba DU Caller | (Web) 2,000,000,000 user phone numbers, names and addresses inappropriately made accessible in an uncensored public directory |
| 10 | Q2 | Deep Root Analytics | (Web) Approximately 198,000,000 voter names, addresses, dates of birth, phone numbers, political party affiliations, and other demographic information exposed in an unsecured Amazon S3 bucket |
| 10 | Q1 | NetEase, Inc. dba 163.com | (Hacking) 1,221,893,767 email addresses and passwords stolen by hackers and sold on the Dark Web by DoubleFlag |
| 10 | Q1 | River City Media, LLC | (Web) 1,374,159,612 names, addresses, IP addresses, and email addresses, as well as an undisclosed number of financial documents, chat logs, and backups exposed by faulty rsync backup |
| 9.96 | Q2 | Edmodo | (Hacking) 77,000,000 user email addresses, usernames, and bcrypt hashed passwords with salts stolen by hackers through undisclosed means |
| 9.80 | Q1 | EmailCar | (Web) 267,693,854 email addresses and phone numbers exposed in an unsecure MongoDB installation and later dumped on the Internet |
| 9.71 | Q1 | Tencent Holdings Ltd dba QQ.com | (Hacking) 129,696,449 email addresses and passwords stolen by hackers and sold on the Dark Web by DoubleFlag |
| 9.68 | Q2 | National Social Assistance Programme (India) | (Web) Roughly 135,000,000 Aadhaar numbers and 100,000,000 linked bank account numbers, as well as names, caste, religion, addresses, phone numbers, photographs, and assorted financial details leaked on government web portals |

Top 20 Largest Breaches All Time (By Exposed Records Count)

| Rank / Reported Date | Summary | Records Exposed | Organization | Industry-Sector | Breach Location |
|---|---|---|---|---|---|
| Highest All Time, 12/14/2016 | Recent revelations around the 2013 intrusion into Yahoo’s systems moves this event back into the top spot | 3 Billion | Yahoo | Business - Technology | United States |
| Number 2, 5/13/2017 | User phone numbers, names and addresses inappropriately made accessible in an uncensored public directory | 2 Billion | DU Caller Group (DU Caller) | Business - Technology | China |
| Number 3, 3/3/2017 | Names, addresses, IP addresses, and email addresses, as well as an undisclosed number of financial documents, chat logs, and backups, exposed by faulty rsync backup. | 1.3 Billion | River City Media, LLC | Business - Technology | United States |
| Number 4, 1/25/2017 | A database holding email addresses and passwords stolen by hackers and offered for sale on the dark web. | 1.2 Billion | NetEase, Inc. dba 163.com | Business – Technology | China |
| Number 4, 8/29/2017 | Email addresses, passwords, and SMTP credentials exposed on the Internet due to a misconfigured spambot database | 711 Million | Unknown | Unknown | Netherlands |
| Number 5, 9/22/2016 | Hack exposes user names, email addresses, phone numbers, dates of birth, hashed passwords and security questions and associated answers. | 500 Million | Yahoo | Business - Technology | United States |
| Number 6, 10/18/2016 | Hackers exploit a Local File Inclusion vulnerability, compromising member email addresses, usernames, and encrypted passwords, IP addresses and membership statuses. | 412 Million | FriendFinder Networks, Inc | Business - Technology | United States |
| Number 7, 12/5/2017 | Misconfigured MongoDB exposes over 400 million names, phone numbers, email addresses and other customer information | 404 Million | Ai.type | Business - Technology | Israel |
| Number 8, 5/27/2016 | Hack exposes user account records containing SHA1 encrypted passwords, email addresses. | 360 Million | MySpace | Business - Technology | United States |
| Number 9, 1/1/2017 | Email addresses and phone numbers were exposed in an unsecure MongoDB installation, which was later downloaded and dumped on the Internet | 267 Million | EmailCar | Business - Technology | China |
| Number 10, 8/22/2014 | Hack of websites exposes names, registration numbers, usernames and passwords. | 220 Million | Organization’s Name has not been reported | Unknown | South Korea |
| Number 11, 12/3/2016 | Hackers offer for sale a database containing a variety of personal and financial details. | 203 Million | Organization’s Name has not been reported | Unknown | Unknown |
| Number 12, 10/19/2013 | Fraudulent account used to gain access to credit card numbers, social security numbers, names, and financial account numbers. | 200 Million | Court Ventures, Inc. | Business - Data | United States |
| Number 13, 6/19/2017 | Unsecured Amazon S3 bucket exposes voter names, addresses, dates of birth, contact information and voter preferences. | 198 Million | Deep Root Analytics | Business / Business | United States |
| Number 14, 12/28/2015 | Misconfigured database exposes voter names, dates of birth, addresses, phone numbers, political party affiliations, and genders. | 191 Million | Organization’s Name has not been reported | Unknown | United States |
| Number 15, 6/21/2014 | Hack exposes trip details of customers after cracking MD5 hashes | 173 Million | NYC Taxi & Limousine Commission | Government - City | United States |
| Number 16, 6/23/2016 | Hack exposes USA voter information. | 154 Million | Organization’s Name has not been reported | Unknown | United States |
| Number 17, 10/3/2013 | Hack exposed customer names, IDs, encrypted passwords and debit/credit card numbers with expiration dates, source code and other customer order information. | 152 Million | Adobe Systems, Inc. | Business - Technology | United States |
| Number 18, 3/17/2012 | Firm may have illegally bought and sold customers' information. | 150 Million | Shanghai Roadway D&B Marketing Services Co. | Business - Data | China |
| Number 19, 9/7/2017 | Hackers take advantage of Struts Shock vulnerability to compromise names, dates of birth, Social Security numbers, addresses, and other personal information. | 145.5 Million | Equifax | Business – Data | United States |
| Number 20, 5/21/2014 | Hack exposes names, encrypted passwords, email addresses, registered addresses, phone numbers and dates of birth. | 145 Million | eBay, Inc. | Business - Retail | United States |

Methodology & Terms
Risk Based Security’s research methods include automated processes coupled with traditional human research and
analysis. Our proprietary applications crawl the Internet 24x7 to capture and aggregate potential data breaches for
our researchers to analyze. In addition, the research team manually verifies news feeds, blogs, and other sources
looking for new data breaches as well as new information on previously disclosed incidents. The database also
includes information obtained through Freedom of Information Act (FOIA) requests, seeking breach notification
documentation from various state and federal agencies in the United States. The research team extends our
heartfelt thanks to the individuals and agencies that assist with fulfilling our requests for information.

Data Standards and the use of “Unknown”


In order for any data point to be associated with a breach entry, Risk Based Security requires a high degree of
confidence in the accuracy of the information reported as well as the ability to reference a public source for the
information. In short, the research team does not guess at the facts. For this reason the term “Unknown” is used
when the item cannot be verified in accordance with our data validation requirements. This can occur when the
breached organization cannot be identified but leaked data is confirmed to be valid or when the breached
organization is unwilling or unable to provide sufficient clarity to the data point.

Breach Types are defined as follows:

| Name | Description |
|---|---|
| Disposal Computer | Discovery of computers not disposed of properly |
| Disposal Document | Discovery of documents not disposed of properly |
| Disposal Drive | Discovery of disk drives not disposed of properly |
| Disposal Mobile | Discovery of mobile devices not disposed of properly |
| Disposal Tape | Discovery of backup tapes not disposed of properly |
| Email | Email communication exposed to unintended third party |
| Fax | Fax communication exposed to unintended third party |
| Fraud SE | Fraud or scam (usually insider-related), social engineering |
| Hack | Computer-based intrusion |
| Lost Computer | Lost computer (unspecified type in media reports) |
| Lost Document | Discovery of documents not disposed of properly, not stolen |
| Lost Drive | Lost data drive (unspecified if IDE, SCSI, thumb drive, etc.) |
| Lost Laptop | Lost laptop (generally specified as a laptop in media reports) |
| Lost Media | Media (e.g. disks) reported to have been lost by a third party |
| Lost Mobile | Lost mobile phone or device such as tablets, etc. |
| Lost Tape | Lost backup tapes |
| Missing Document | Missing document, unknown or disputed whether lost or stolen |
| Missing Drive | Missing drive, unknown or disputed whether lost or stolen |
| Missing Laptop | Missing laptop, unknown or disputed whether lost or stolen |
| Missing Media | Missing media, unknown or disputed whether lost or stolen |
| Other | Miscellaneous breach type arising primarily from data mishandling |
| Phishing | Masquerading as a trusted entity in an electronic communication to obtain data |
| Seizure | Forcible taking of property by a government law enforcement official |
| Skimming | Using electronic devices (such as a skimmer) to swipe victims’ credit/debit card numbers |
| Snail Mail | Personal information in "snail mail" exposed to unintended third party |
| Snooping | Exceeding intended privileges and accessing data for unauthorized purposes |
| Stolen Computer | Stolen desktop (or unspecified computer type in media reports) |
| Stolen Document | Documents either reported or known to have been stolen by a third party |
| Stolen Drive | Stolen data drive, unspecified if IDE, SCSI, thumb drive, etc. |
| Stolen Laptop | Stolen Laptop (generally specified as a laptop in media reports) |
| Stolen Media | Media generally reported or known to have been stolen by a third party |
| Stolen Mobile | Stolen mobile phone or device such as tablets, etc. |
| Stolen Tape | Stolen backup tapes |
| Unknown | Unknown or unreported breach type |
| Virus (Malware) | Exposure to personal information via virus or Trojan (possibly classified as hack) |
| Web | Web-based intrusion, data exposed to the public via search engines, public pages |

Data Type Definitions


| Abbreviation | Description |
|---|---|
| CCN | Credit Card Numbers |
| SSN | Social Security Numbers (or Non-US Equivalent) |
| NAA | Names |
| EMA | Email Addresses |
| MISC | Miscellaneous |
| MED | Medical |
| ACC | Account Information |
| DOB | Date of Birth |
| FIN | Financial Information |
| UNK | Unknown / Undisclosed |
| PWD | Passwords |
| ADD | Addresses |
| USR | User Name |
| NUM | Phone Number |
| IP | Intellectual Property |

NO WARRANTY.

Risk Based Security, Inc. makes this report available on an “As-is” basis and offers no warranty as to its accuracy,
completeness or that it includes all the latest data breaches. The information contained in this report is general in
nature and should not be used to address specific security issues. Opinions and conclusions presented reflect
judgment at the time of publication and are subject to change without notice. Any use of the information contained
in this report is solely at the risk of the user. Risk Based Security, Inc. assumes no responsibility for errors, omissions,
or damages resulting from the use of or reliance on the information herein. If you have specific security concerns
please contact Risk Based Security, Inc. for more detailed data loss analysis and security consulting services.

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Scores and
Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations with
access to the most comprehensive threat intelligence knowledge bases available, including advanced search
capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a
timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high
quality security and information risk management resources in one, easy to use web portal.

Cyber Risk Analytics (CRA) provides actionable security ratings and threat intelligence on a wide variety of
organizations. This enables organizations to reduce exposure to the threats most likely to impact them and
their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics
driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood
of a future data breach. The integration of PreBreach ratings into security processes, vendor management
programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk
assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to
proactively protect their most critical information assets.

For more information, please visit:
https://www.riskbasedsecurity.com/
Or call 855-RBS-RISK.

About Risk Placement Services

Risk Placement Services, Inc. (RPS), one of the nation’s largest intermediaries, offers valuable solutions in
wholesale brokerage, binding authority, programs and standard lines. Headquartered in Rolling Meadows,
Illinois, RPS has more than 80 branch office and satellite locations, creating a coast-to-coast network of offices
with retailer needs in mind. RPS places well over $3.1 billion in premium annually, demonstrating the
company’s strength and market presence. RPS leverages local knowledge, regional expertise and national
relationships to deliver winning proposals to each retail broker partner and provide knowledge-based coverage
solutions for each situation.

The RPS Executive Lines division specializes in protecting individuals and their companies against a wide range
of executive risks and other professional liabilities. Market-leading specialists in public, private, and nonprofit
Directors & Officers (D&O), Errors & Omissions (E&O), Fiduciary, Crime, and Kidnap & Ransom insurance
products, RPS Executive Lines provides total management insurance solutions via 100 different insurance
markets. Additionally, they help clients pinpoint hidden exposures to loss and fortify them against
vulnerabilities, ultimately improving their risk profile.

For additional information please email ExecutiveLines@RPSins.com.
