Data Breach Statistics: 7 Of The Most Reputable Sources For Good Data

Melissa Stevens | December 7, 2016

Understanding the consequences of cyberattacks and the importance of putting cybersecurity measures in place is more important today than ever before. Therefore, the need for data-driven breach statistics and facts from the cybersecurity field is critical.

“Yes” or “no” questions won’t help you better understand your vendors’ (or your own) cybersecurity posture—but actionable metrics will.

Below, we’ll highlight seven reputable sources for solid cybersecurity data. This list is by no means exhaustive—but the sources listed are an excellent place to start your search. The information you find will help you better express the criticality of cybersecurity within your own organization.

Sources Of Analysis

The following three sources are reports that aggregate and summarize data breach statistics for a particular region, an industry, or the field as a whole. These reports are the result of research from industry experts who have studied the field for years (or even decades) and are filled with high-level analysis and actionable data.

1. Verizon’s Data Breach Investigations Report (DBIR)

If there’s one data breach statistic report that industry insiders look out for every year, it’s Verizon’s DBIR. Verizon gathers their information from a variety of public and private sources in the security and law enforcement arenas. The 2016 DBIR sparked a healthy discussion within the security community concerning research methodology, but still remains a solid source for data breach information.

“Four out of five victims [of a breach] don’t realize they’ve been attacked for a week or longer.”

Source: 2016 Data Breach Investigations Report | Verizon

2. The California Data Breach Report

California Attorney General Kamala Harris is on the forefront of policing and examining cybersecurity, and this source demonstrates the amount of attention that her office has paid to cyber crime. In February 2016, the attorney general’s office released a report of breaches in the state of California since 2012. Because California requires companies to report when they experience any information loss (including the information of both employees and consumers), there is a great deal of interesting information analyzed in this report.

If you skip to the “Findings” section, there are some great visualizations of the state data (for example, you can look at how the mean and median breach sizes have changed year by year). We believe this serves as an excellent example of how other states could provide exploratory analysis for their citizens.

“While the total number of breaches did not increase in the past year, the total number of Californians affected rose dramatically from 4.3 million in 2014 to over 24 million in 2015.”

Source: California Data Breach Report | State Of California Department Of Justice, Office Of The Attorney General

3. BitSight’s Research & Insights

Today, BitSight offers 13 industry reports that cover various cybersecurity topics, from fourth-party network security to the criticality of botnets. In the latest BitSight Insight report, we explored the rise of ransomware, how the rate of ransomware attacks has grown, the industries most susceptible to infections, and potential methods for mitigation. Our dedicated team of data scientists is consistently looking into industry trends and publishing new reports—so be sure to check back quarterly.

“Ransomware infections in education and government have more than tripled over the past 12 months.”

Source: The Rising Face Of Cyber Crime: Ransomware | BitSight

Incident-Level Reports

Incident-level reports go straight to the source of the information. These are primary sources with unadulterated information and unbiased facts. For example, if you wanted to get the details about a particular large data breach and see how it impacted the companies that used the breached party as a vendor, you could do so through these incident-level reports.

4. State Incident Reports

With the exception of Alabama, New Mexico, and South Dakota, all states in the U.S. have a mandatory data breach reporting statute whereby if a company experiences any data loss, they are required to report it to a particular agency or individual within their state. But only a handful of states then publish that information on their website for public consumption. At BitSight, we’re largely in favor of this information being easily accessible, as it helps protect consumers and keeps them informed when their data may be at risk. Here are a few state agencies with a public interface:

If your state doesn’t provide this type of information and you want to see it, make your voice heard. Tell your state officials that you would like to see this data, and work proactively toward this goal. In the meantime, consumers and organizations who want more information about potential information compromise can request it using the Freedom of Information Act (FOIA) process.

5. The Identity Theft Resource Center

The Identity Theft Resource Center is a nonprofit organization “established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cyber security, scams/fraud and privacy issues.” It offers write-ups of breach information that are presented in clear, easy-to-browse formats. Its search functionality allows individuals to filter data by company size, industry, and more.

6. Privacy Rights Clearinghouse

Privacy Rights Clearinghouse has been around since 1992 and focuses on helping people “protect their privacy by providing direct one-to-one assistance, creating original educational publications, and advocating for consumer-friendly policy.” Privacy Rights Clearinghouse has recorded over 5,000 public data breaches gathered since 2005. You can sort through these records based on year, organization type, or type of breach.

Visual Report

7. Information Is Beautiful’s Data Breach Infographic

This dynamic bubble chart allows you to visualize breaches in a very different way. There are a number of filters—from type of organization, to year of the leak, to method of the leak—that will help you glean the information you’re looking for. In the future, we’d love to see more reputable sources creating these visual reports and infographics. Cybersecurity is a serious topic, but presenting it in a visually appealing way will engage a broader audience. Not everyone will read a 75-page cybersecurity analysis, but they may be interested in seeing how breaches stack up to one another in regard to record count.

Making Data Breach Statistics Actionable: Your Next Step

Having constant access to reputable data breach sources is critical—but ensuring your organization doesn’t become one of the data breach statistics you read about is a different ball game entirely. Cybersecurity is changing rapidly, and so are its best practices. If you want to get a better idea of the three main ways your organization may experience a cybersecurity incident and a sample of metrics you can put in place to mitigate risk, download the free guide below.
