
Security Trends: Data Breach Statistics from 2018 and Predictions for 2019

By: David Ellis
VP, Investigations

How did our 2018 data breach predictions turn out?


Maury Haber, CEO of Beyond Trust said, “There are three jobs in this world where you can be completely wrong all of the time and still not worry about being fired. One is a parent, one is a weather forecaster, and the other is a technology trends forecaster.”  

So, how did last year’s predictions turn out?

Prediction: “E-commerce breaches will continue to increase in 2018.” The reason behind that prediction was the fact that the U.S. was just getting into EMV technology, and we assumed that as it became more difficult for attackers to steal reproducible physical credit card information, they would shift their attention to e-commerce. 

True? Yes; 80% of payment-card-related investigations we did last year were of e-commerce data breaches. Interestingly, this was almost the complete inversion of about 4 years ago, when around 80% of our payment-card-related investigations were for point-of-sale merchants.

Prediction: “Smaller merchant breaches will come under greater scrutiny.” This prediction stemmed from the industry’s change some years ago when the card brands softened their mandates so as not to overly burden small merchants with the high costs of a full forensic investigation. Prior to that change, virtually every merchant suspected of having a data breach was required to have a forensic investigation, but the high cost of the investigation, coupled with the potential for fines from the card brands and credit card issuing banks, forced some small merchants out of business.


In response, the card brands established thresholds for card accounts at risk that needed to be exceeded before they would require a PCI forensic investigation. As a result, small merchant breaches sometimes do not make it onto the radar and can linger, losing credit card account data for longer periods. In other cases, the merchant might be advised that there is a suspected data breach, but they do not always self-investigate and remediate the problems as they should. The result is that some breaches of small merchants persist until a sufficient number of credit card accounts are stolen (a much larger problem than if it had been addressed when first noticed), and so the pendulum may be heading back the other direction.

True? Yes; we are seeing a trend of smaller merchants not self-remediating the way they should, so card brands and acquiring banks are now requiring more proof that merchants performed a data breach investigation.


Prediction: Coordinated personal cyber attacks that start with cell phones. 

True? Not yet. I believe attacks against individuals are going to pick up steam. In 2018 we saw one significant case that started with the breach of a cell phone, migrated to the spouse’s cell phone, then to the owner’s laptop and from there to his company, and resulted in the theft of employee W-2 information and the diversion of payments from patients to the attacker. While this case illustrates the problem I was predicting, we did not see the significant increase in cell-phone-based attacks that we predicted.

Prediction: Passwords won’t be the security you’re looking for. Password cracking technology will come so far that passwords are basically meaningless.

True? Yes and no. Password cracking technology has continued to increase, and has reached the point where, in the hands of a capable hacker with ample resources, virtually no password is safe.  But, for now, the required resources to crack exceptionally complex passwords are still too onerous for most hackers.  Practices like multi-factor authentication (an authorization token, an emailed or texted code, biometric data, etc.) are helping to fortify password security. If you practice good password security tips and enable multi-factor authentication, passwords can still provide protection for your accounts.

What are our data breach predictions for 2019? 

  1. We predict large-scale social-media-based hacks that lead to massive data losses. For example, many people play games through their social media accounts. Related to some of these games are offers for the user to receive “unlimited coins” and “unlimited lives” via a third-party site. In exchange for these coins and lives, you are asked to download apps from the provider. Often, the provider will state that the purpose of requiring the app download is that it “proves you’re not a robot” or it “helps keep the offerings free.” I installed some of these games and app downloads into a sandbox environment and found they were actually VPNs–giving the providers a backdoor into the user’s device. With kids and adults regularly downloading these games and apps to devices, I predict a social media/game hack is going to lead to a massive data breach.

  2. Biometric data will be compromised. Information like fingerprints and other biometric scans needs to be stored somewhere. If it can be stored, it can be stolen. Just as there are large repositories of stolen username/password combinations available for sale on the dark web, I believe that stolen biometric data will follow as well.

  3. A major cloud storage provider will be seriously breached. With so many businesses and individuals uploading massive amounts of data to the cloud, it’s only a matter of time before hackers figure out a way to get to it.

  4. Foreign nation-states will increase recruitment of corporate insiders to steal insider secrets. 

  5. I’ll continue to hold on to two predictions from last year. First, that AI technology will make significant inroads into both hacking and security. We didn’t see that prediction come true to the level we expected, but we think it will manifest in 2019. The same goes for our passwords prediction: we believe advances in technology will eventually make passwords irrelevant as a true security measure.

Hacking trends

How do hackers use stolen data? 

Hackers might use stolen credit card data to make their own personal online purchases. They may also sell payment or personal information on the dark web for anywhere from $2 to $200 per record. 

Interestingly, healthcare data is worth much more than credit card data. That’s because the personal information found in healthcare files can be used to create a social security card or to fake an entire identity. 

In the ransomware realm, hackers might sell their methods, including steps and an easy-to-use blueprint–on top of the possibility of a monetary ransom.

Last year’s attacks were more targeted than ever. 

Hackers are willing to do their homework and go after a specific organization because they know the added work will make the payday larger. We are seeing that attackers will perform social engineering attacks and study everything they can about a business so they can craft legitimate looking emails–with the hope of landing a bigger payday in the end. 

Ransomware trends

In 2017 ransomware was the most prevalent attack–especially in the healthcare environment, where nearly 60% of attacks involved ransomware. In 2018, there was a 30% decrease in total ransomware attacks, moving it to the sixth most popular attack method. The fifth spot was taken by crypto mining, which has also fallen in popularity. 

But even though the number of ransomware attacks decreased, we did see that the individual attacks were more sophisticated. Successful attackers were more selective in choosing their victims. The victims were most often healthcare organizations, followed by businesses, and then the public sector (city or state governments). Attackers recognize that these types of entities can’t afford to be inoperable for very long and have the ability to pay a high ransom in the short term.

Businesses like Allscripts, LabCorp, and Boeing were examples of successfully attacked entities last year. The cities of Atlanta and Baltimore also experienced ransomware attacks. The ransomware used in these cases was sophisticated and usually polymorphic (meaning it changed slightly each time it was delivered, in order to evade detection). According to Sophos, 75% of organizations infected with ransomware were running up-to-date endpoint protection at the time.

Why does ransomware continue to hang on? Although many organizations are refusing to pay, some still pay sums reaching into the tens of thousands (and more). So, this is a trend not likely to go away anytime soon. 

Big increase in service provider attacks

Service providers include point-of-sale (POS) terminal providers, payment application providers, credit card processors, and industry application vendors. 

Successful attacks against service providers actually doubled from 2017 to 2018. These attacks are particularly dangerous because the potential impact reaches numerous other businesses. In one case, a credit card processor self-discovered a breach soon after it happened, but in the short time the service provider was breached, about 150 of their merchant clients were also breached.

In another case, an industry application vendor that provides a web interface for a specialized type of business that allowed customers to place orders suffered a breach that resulted in malware infection of over 450 separate merchants. 

These are the types of specialized attacks that criminals are specifically targeting and willing to put extra time and effort into, because they know the payoff will be worth it. 


An example of a service provider attack where things went “right”

We investigated an attack on a POS hardware and software provider. In this case, an employee’s credentials were stolen and the attacker then monitored the service provider’s systems for the remote access needed to log in to the entire client database. As soon as the attacker was in, they downloaded malware to capture credit card information.

About 250 businesses in the service provider’s portfolio were affected. Luckily, most of these businesses were already using point-to-point encryption (P2PE) technology. Our tests validated that all of the merchants with P2PE solutions did not suffer any data loss. It was only the few without P2PE technology that lost customers’ credit card data. 

This case emphasized the importance and value of using P2PE in an electronic payment environment. 

Top Organizational Vulnerabilities 

Employees: all it takes is one click on a phishing email or malicious link in an infected website to download malware inside a protected environment, or one minute to give a social engineering cyber criminal the login credentials for your business. 

Insecure coding: experienced hackers know what they’re looking for. These hackers can exploit coding mistakes that will open up an entire organization. 

BYOD procedures: the problem with “bring your own device” (BYOD) is the path it opens into an otherwise highly secure environment. You take your device home, log in to a less-secure Wi-Fi network, and unknowingly visit a malicious site that downloads malware to your laptop or tablet; when you then go to work and log into the corporate environment, that malware is now within your network.

BYOD-related compromise is a common, repeating scenario. We are going to see companies start to lock down on personal device use in the near future–with a need for increased training and oversight.

Insecure remote access: hackers continue to breach organizations through insecure remote access. One of the easiest and most effective defenses against such an attack is to enable multi-factor authentication. 

Non-compliance and data breach trends


Firewalls

Key points of failure:

  • No firewall in place

  • Firewall not properly configured (most common)

  • Outbound rules are important: in one investigation, we read through multiple pages of firewall rules.  Well into the rule sets we found the rule, “allow any to any,” which effectively rendered the other rules irrelevant.
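The “allow any to any” finding above can be caught mechanically. The following is an added illustration, not SecurityMetrics tooling, that audits a simplified, constructed rule list (order, action, source, destination, port; first match wins) for a blanket allow rule and lists every rule after it that the firewall will never evaluate:

```python
"""Audit a first-match firewall rule list for a blanket "allow any to any" rule.
Added illustration, not SecurityMetrics code; the rule format (order, action,
src, dst, port) and the sample rule set are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rule set, evaluated top to bottom, first match wins.
RULES = """\
# order action src            dst        port
1 deny  any            10.0.0.0/8 23
2 allow 10.1.0.0/16    10.0.5.10  443
3 allow 10.1.0.0/16    10.0.5.11  1433
4 deny  192.168.0.0/16 any        any
5 allow any            any        any
6 deny  any            10.0.5.10  3389
7 allow 10.2.0.0/16    10.0.5.12  22
"""

@dataclass
class Rule:
    order: int
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # port number or "any"

def parse_rules(text: str) -> List[Rule]:
    """Parse 'order action src dst port' lines; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        order, action, src, dst, port = line.split()
        rules.append(Rule(int(order), action.lower(), src, dst, port))
    return sorted(rules, key=lambda r: r.order)

def is_blanket_allow(rule: Rule) -> bool:
    return rule.action == "allow" and (rule.src, rule.dst, rule.port) == ("any", "any", "any")

def audit(rules: List[Rule]) -> Tuple[Optional[int], List[int]]:
    """Return the order of the first blanket allow (None if absent) and the orders of
    every rule after it. With first-match evaluation those later rules, including any
    deny rules, can never fire, which is what makes the rest of the rule set irrelevant."""
    for i, rule in enumerate(rules):
        if is_blanket_allow(rule):
            return rule.order, [r.order for r in rules[i + 1:]]
    return None, []

if __name__ == "__main__":
    first, dead = audit(parse_rules(RULES))
    if first is None:
        print("no blanket allow rule found")
    else:
        print(f"rule {first} allows any to any; dead rules after it: {dead}")
```

Deny rules placed before the blanket allow still apply, so the audit reports only the rules that follow it.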


Passwords

Key points of failure:

  • Keeping default passwords, which are commonly known and searchable online. All hackers have to know is the brand of hardware or software to find default passwords. 

  • Using non-complex passwords. Simple passwords are discoverable using password cracking software. Passwords should be lengthy and not found in any dictionary. 


Antivirus and patching

Key points of failure:

  • No antivirus installed

  • Software and programs not up to date

  • Software not installed at all endpoints (e.g. only on back office server)

Secure access

Key points of failure:

  • Not uniquely identifying users (shared login)

  • Weak authentication passwords and loose password security

  • Lack of MFA (multi-factor authentication)

Don’t let compliance get in the way of security

Many times, your focus is understandably on compliance. You may be dealing with the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). There are times when security and compliance can collide a bit, if your focus is too much on one or the other. 

This concept was manifested in the investigation of a large merchant in the hospitality industry with 900+ locations. Because of their size, they were required to have an annual PCI compliance audit by a Qualified Security Assessor (QSA). When the QSA arrived, the merchant told them that, because they now had a P2PE solution, their scope was reduced solely to the card data environment.

The QSA explained that while that was technically true, it’s not good to only assess the card data environment and ignore the surrounding corporate environment. But, the merchant was adamant that the QSA only audit the card data environment.

Later, the merchant suffered a ransomware breach via their corporate network. Their business operations were frozen. Even though they had backups in place, they had never tested to see how easily they could restore from the backups, which took three days. While no customer credit card data was stolen, the breach cost them hundreds of thousands of dollars in lost revenue.

Current HIPAA attack trends

There seems to be an unending stream of breaches at healthcare organizations. Healthcare organizations often have legacy systems that aren’t regularly updated, which is not always their fault, since they are often embedded systems and updating them isn’t easy. In some cases, if the healthcare IT department were to update them, it might cause problems with how a third-party vendor could support them. 

The critical nature of the services provided in the healthcare industry puts it in the sights of attackers.

Healthcare is an essential commodity, which makes it a valuable commodity in the criminal world. 

With respect to ransomware, attackers bank on hospitals feeling that they’ll put lives at risk if they can’t access information, so they are more likely to pay the ransom. 

There is also a high value to protected health information–hackers can sell or escalate this kind of personal information for high value.


Data Breach prevention tips

1. Social engineering

  • Employees are seldom very far removed from attacks. One of the increases we saw last year was that in around 40% of healthcare data breaches, insider involvement was suspected.

  • Most often, employee involvement is a matter of omission or a lack of understanding of security policies and procedures. For example, employees regularly fall for phishing or social engineering attacks.

  • You need to train your staff to recognize social engineering. Teach them to challenge people and ask for credentials.

  • Phone calls can come after hours; criminals masquerade as custodians or as representatives from a telecom company, IT service provider, application provider, etc. 

In one case, someone posed as a service provider for a credit card point-of-sale terminal and called 28 franchise locations. He attempted to persuade onsite managers to unwittingly open a VPN connection for him so he could install malware. 

In all, 20 of the 28 managers asked for further credentials. The bad news is that 8 did not. 

2. Updates and patches 

Timely patching of vulnerabilities can reduce data breaches. We still investigate breaches caused by failure to patch vulnerabilities that were addressed over two years ago.

3. Vulnerability scans and penetration tests

Follow best practices and/or your applicable mandate requirements regarding scans and penetration testing. Schedule vulnerability scans regularly and after significant network changes. Penetration tests should be performed yearly and after significant network changes. 

4. Configure and review logs

The most important steps of log management are monitoring and review. In a recent investigation, a customer with more than 800 locations had been breached for more than 9 months and lost more than one million customer credit cards. As we investigated we saw that they had file integrity monitoring (FIM) and intrusion detection systems (IDS) that flagged the breach on the very first day it happened–but no one in their organization was watching. 

If you have IDS or FIM, make sure that someone has the specific responsibility to review any generated alerts. 
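The failure described above is not a detection gap but a review gap: the FIM and IDS fired, and nobody owned the alerts. The check below is an added illustration, not code from SecurityMetrics or any IDS/FIM product, that cross-references a constructed alert log against a constructed review log and escalates any alert that has sat without a named reviewer longer than its severity allows:

```python
"""Flag FIM/IDS alerts that nobody has reviewed within an SLA. Added illustration,
not code from SecurityMetrics or any IDS/FIM product; the alert and review line
formats and the sample data are constructed for this example."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed alert log: "<id> <UTC time> <source> <severity> <message>".
ALERTS = """\
1 2018-03-01T02:14:09Z FIM HIGH /opt/pos/bin/posd checksum changed
2 2018-03-01T02:15:31Z IDS HIGH POS-07 outbound connection to unknown host
3 2018-03-02T09:00:00Z FIM LOW /var/log/syslog modified
4 2018-03-03T11:42:00Z IDS MEDIUM port scan from 10.20.5.9
"""

# Constructed review log: "<alert id> <UTC time> <reviewer>". Only alert 3 was looked at.
REVIEWS = """\
3 2018-03-02T09:30:00Z jdoe
"""

# Maximum time an alert may sit without a named reviewer, by severity (assumed values).
SLA = {"HIGH": timedelta(hours=4), "MEDIUM": timedelta(days=1), "default": timedelta(days=7)}

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_alerts(text: str) -> List[dict]:
    alerts = []
    for line in text.splitlines():
        if line.strip():
            aid, when, source, severity, message = line.split(maxsplit=4)
            alerts.append({"id": int(aid), "time": _ts(when), "source": source,
                           "severity": severity, "message": message})
    return alerts

def parse_reviews(text: str) -> Dict[int, str]:
    reviewed = {}
    for line in text.splitlines():
        if line.strip():
            aid, _when, who = line.split()
            reviewed[int(aid)] = who
    return reviewed

def overdue_alert_ids(alerts: List[dict], reviewed: Dict[int, str], now: datetime) -> List[int]:
    """IDs of alerts with no reviewer whose age exceeds the SLA for their severity."""
    overdue = []
    for a in alerts:
        if a["id"] in reviewed:
            continue
        if now - a["time"] > SLA.get(a["severity"], SLA["default"]):
            overdue.append(a["id"])
    return overdue

def review_backlog(now: datetime) -> List[int]:
    return overdue_alert_ids(parse_alerts(ALERTS), parse_reviews(REVIEWS), now)

if __name__ == "__main__":
    # Two days after the first alerts: both HIGH alerts are already long past their SLA.
    now = _ts("2018-03-03T13:00:00Z")
    for aid in review_backlog(now):
        print(f"ESCALATE: alert {aid} has no reviewer and is past its SLA")
```

Run against the nine-month-old alerts from the case above, every unreviewed alert would be on this list from its first day; the escalation only has value if someone is assigned to receive it.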

5. Passwords/account credentials

As mentioned earlier, the technology for breaking passwords has increased in sophistication exponentially. Currently, hackers are brute-forcing password hashes. Right now, there’s a highly technical (and very expensive) system in Sweden that can search billions of password hashes per second.  The result is that it can potentially discover every possible combination of keyboard characters for any password, in a matter of hours.

Hackers may not be using this technology right now, but do your best to stay ahead of the growing ability to crack passwords. Passwords should be complex and a minimum of 10 characters long. They should contain disparate characters, letters and numbers (I prefer a lot of &_{+#^@\>?* characters) and should not contain any words from any dictionary. You can visit to see if any of your passwords have been captured in a data breach and published. 
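To make the guidance above concrete, the following added example (not SecurityMetrics code) checks a password against the stated policy, at least 10 characters, mixed character classes and no dictionary words, and estimates how many hours an exhaustive search takes at an assumed hash rate; the dictionary is a constructed stand-in for a real wordlist and the default rate of ten billion hashes per second is an assumption:

```python
"""Password policy check plus a time-to-exhaust estimate. Added illustration, not
SecurityMetrics code; DICTIONARY is a constructed stand-in for a real wordlist and
the default hash rate is an assumed figure, not a measurement."""
import string
from typing import List

LOWER, UPPER, DIGITS = set(string.ascii_lowercase), set(string.ascii_uppercase), set(string.digits)
SYMBOLS = set(string.punctuation)
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Constructed stand-in for a real wordlist; a production check would load a full one.
DICTIONARY = {"password", "summer", "welcome", "admin", "letmein", "dragon"}

def char_classes(pw: str) -> int:
    """Number of character classes (lower, upper, digit, symbol) present in pw."""
    return sum(bool(set(pw) & cls) for cls in CLASSES)

def contains_dictionary_word(pw: str, words=DICTIONARY, min_len: int = 4) -> bool:
    """Case-insensitive substring match, so 'Summer2018' still trips on 'summer'."""
    low = pw.lower()
    return any(len(w) >= min_len and w in low for w in words)

def policy_violations(pw: str) -> List[str]:
    """Every way pw falls short of: 10+ chars, 3+ classes, no dictionary words."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than three character classes")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    return problems

def keyspace(pw: str) -> int:
    """Candidates an attacker must try when they know the length and the classes used:
    (sum of the sizes of the classes present) ** length."""
    alphabet = sum(len(cls) for cls in CLASSES if set(pw) & cls)
    return alphabet ** len(pw)

def hours_to_exhaust(pw: str, hashes_per_second: float = 1e10) -> float:
    """Worst-case hours to try the whole keyspace at the given rate (assumed default)."""
    return keyspace(pw) / hashes_per_second / 3600

if __name__ == "__main__":
    for candidate in ("Summer2018", "abcdefghij", "k9#Vq!2xLm@w"):
        print(candidate, policy_violations(candidate) or "ok",
              f"{hours_to_exhaust(candidate):,.1f} h to exhaust")
```

The estimate is a ceiling for blind brute force; a password built from dictionary words falls far sooner, which is why the policy check rejects them regardless of length.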

6. Access

All users need to have unique usernames and passwords, and access to sensitive data should be restricted to only those employees who need access to complete their jobs. Logins and passwords should not be shared. 

Employees should not use remote access applications on insecure networks. Multi-factor authentication will help prevent hackers from gaining access.

7. Implement network segmentation

Isolate networks with different security levels. Use multiple firewalls to create a safezone for your most sensitive data. 

8. If you have to store sensitive data, encrypt it. 

Make sure to encrypt your backups (not with the same key as your regular data), then test your backups to see if you can restore your system from them. You might find that it is not as simple as it sounds, so such a delay should be factored into your Incident Response Plan. 

9. Incident response plan

Train your employees on your Incident Response Plan, and hold mock-breach incident response tests often (at least annually).  This is an opportunity to test your ability to respond to a breach while none of your critical assets are actually at risk.  Following the tests, modify and re-train your personnel according to what you learned from the mock exercise.

Data breach statistics from 2018

  • The average organization was vulnerable* for 275 days
  • Cardholder data was captured** for an average of 127 days
  • Cardholder data was exfiltrated*** for an average of 127 days
  • 50% of organizations were breached through remote execution/injection
  • 33% of organizations were breached internally (i.e., employee assisted).
  • 17% of organizations were breached through phishing emails.
  • 57% of organizations had firewalls in place at time of compromise.

*Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by an attacker.

**Captured: The time that data is being recorded, gathered, or stored from an unauthorized source.

***Exfiltrated: The unauthorized transfer of data from a system.

David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. 
