SAN FRANCISCO — Findings from the ForgeRock Consumer Identity Breach Report reveal that cybercriminals exposed more than 5 billion records in 2019, costing U.S. organizations over $1.2 trillion. Coupled with the 2.8 billion records that were exposed in 2018, breaches over the last two years have cost U.S. organizations over $1.8 trillion.

Key takeaways from the report include:

  • Breaches have increased dramatically, both in actual numbers and costs.
  • No industry is safe — healthcare was the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45 billion. Technology firms had the highest number of records compromised from breaches, with over 1.37 billion exposed.
  • Unauthorized access was the most common attack vector used in 2019, responsible for 40% of breaches, followed by ransomware and malware at 15%, and phishing at 14%.
  • Identity and access management (IAM) technologies hold the key for protecting businesses and consumers.

“When it comes to data breaches, we’re seeing the biggest cybersecurity problem continues to be an identity problem,” said Eve Maler, CTO, ForgeRock. “The Consumer Identity Breach Report’s findings demonstrate that enterprises need to increase their identity and access management maturity. The secret is democratizing data control so organizations can allow known users to hop onto authentication ‘express lanes’ for a great experience, entrusting them with convenient consent options, and make bad actors jump through extra hoops to help prevent fraud.”

Consistent with the 2018 Consumer Breach Report, personally identifiable information (PII) remained the data most targeted by attackers and was exposed in 98% of 2019 breaches, up from 97% in 2018. By targeting PII and leveraging unauthorized access, cybercriminals highlight how weaknesses in enterprises’ IAM practices increasingly allow greater volumes and more sensitive types of data to be pilfered. In fact, Social Security numbers (SSNs) were the most targeted type of data compromised, exposed in 384 breaches in 2019.

Based on first quarter (Q1) data, 2020 is set to outpace 2019 in terms of records breached — there have been 92 data breaches affecting 1.6 billion records in Q1 2020 alone, almost 9% more records than Q1 2019. Health care is still the most breached industry in Q1 2020, accounting for 51% of the incidents, which may be due to attackers targeting strained health care organizations amid the COVID-19 pandemic. However, the most records exposed throughout Q1 2020 have been from social media firms.

Key findings:

  • Following health care, the banking/insurance/financial industry was the second most targeted in 2019, accounting for 12% of all breaches. This is followed by education (7%), government (5%), and retail (5%).
  • SSNs and date of birth details were the most targeted data, accounting for 37% of breached information, yet this is down from 54% in 2018.
  • Names and addresses (18%) and personal health information (17%) were the second and third most breached data types, respectively.
  • Medical records are the most sought-after type of PII in Q1 2020, accounting for 25% of all exposed data.