Data breach disclosures drop in 2020, report says

The report, “Trends in Cybersecurity Breach Disclosures,” was released last week and analyzes public company disclosures of cyber-breaches since 2011. According to the report, the 117 breaches that were disclosed in 2020 represents a 19 percent drop from 2019 (144). Still, it is the third highest figure in a single year, behind 2019 and 2018 (130). The number had gone up each year since a dip to 50 in 2015.

“It would not be surprising to learn of additional attacks that occurred throughout 2020 that remain undisclosed,” Audit Analytics said.

The report also found that, since 2011, 42 percent of cyber-security incidents disclosed have not specified the type of attack used to penetrate the company’s systems. In 2020, 10 percent of breach disclosures did not specify the type of breach, down from 16 percent in 2019 and 29 percent in 2018.

“This could be a sign that more entities are choosing to disclose more detailed information or could reflect that information technology security systems are becoming better adept at detecting and identifying nuanced cyber threats,” Audit Analytics stated.

Among those who did specify the type of attack, malware and unauthorized access accounted for 70 percent of total breaches in 2020—a dramatic uptick from 2019. The massive SolarWinds hack alone contributed significantly to the increase.

Most vulnerable data: The Audit Analytics report alerts companies to what general financial and personal information hackers often seek. The most common types of personal information compromised in 2020 were names (53 percent of breaches), addresses (29 percent), and Social Security numbers (28 percent).

Breach discovery time: In 2020, it took 44 days, on average, to discover a breach, with a median of 16 days. On a positive note, this is the “fastest discovery window in the last five years, suggesting that firms’ cyber-security controls are becoming better equipped to discover breaches,” Audit Analytics said. “Data breaches that are not discovered quickly raise red flags about internal controls, as insufficient cyber-security controls can inhibit timely detection of issues.”

Breach disclosure time: In 2020, it took 53 days, on average, to disclose a breach after discovery, with a median of 37 days. “This average disclosure timeframe is less than the overall average of 67 days [since 2011] but is the third highest average in the last five years,” Audit Analytics said.

The organization noted a cyber-security breach should, at a minimum, trigger an assessment of what controls might have contributed to the breach and result in a subsequent disclosure with the Securities and Exchange Commission (SEC). However, since 2011, only 4 percent of overall cyber-security breaches were discussed in the context of controls in SEC filings, according to the report.

Cyber-breach costs: The costliest cyber-security breaches aren’t necessarily those that result in the largest loss of records as much as the type of data stolen.

Companies that lose financial data or Social Security numbers face costlier remediation processes, particularly for consumer credit-monitoring services and follow-on litigation. For example, the Yahoo data breach in December 2016 resulted in the largest loss of data—three billion records—but did not make the list of costliest breaches.

According to Audit Analytics, the five costliest data breaches go to:

• Facebook: September 2018 unauthorized access breach, resulting in $5.1 billion in costs.
• Equifax: September 2017 unauthorized access breach, $1.7 billion.
• Merck: June 2017 malware attack, $330 million.
• Home Depot: September 2014 malware attack, $298 million.
• Target: December 2013 malware attack, $292 million.

Sector-by-sector: In 2020, the sectors hardest hit by data breaches were technology (22 percent), communication services (17 percent), and consumer cyclical and healthcare (each with 14 percent). Both consumer cyclical and financial services saw decreases in breach activity in 2019 and 2020, according to the report, while breaches affecting communication services have steadily increased over the last five years.