Dear privacy pros,
At the end of last year, I made the prediction that data breaches will continue to grab the headlines, with attacks increasing in number and sophistication as data repositories grow larger and more valuable.
In March of this year, we reported on a study conducted by identity intelligence company 4iQ, which found that a total of 14.9 billion records had been exposed in 12,499 breaches in 2018.
According to Risk Based Security’s 2019 MidYear QuickView Data Breach Report, this year is on track to surpass 2018 and may be the “worst year on record” for data breach activity.
In the first half of this year alone, there have been 3,813 publicly reported data breach incidents. While this number seems relatively small, the number of records exposed increased by 52% year-on-year to reach 4.1 billion.
Perhaps reflecting the increasing concentration of data, there were eight major breaches leading to the exposure of more than 100 million records. These eight breaches accounted for 3.2 billion, or 78.6%, of the total number of data records exposed. Further, three of these breaches made the list for the 10 largest breaches of all time.
In terms of distribution by industry, the business sector (including technology, retail and finance companies) accounted for the majority of the reported breaches, followed by the medical, government and education sectors. You can find more information about this report in this post on the Daily Dashboard.
While the majority of reported incidents resulted from outsiders hacking into an organization’s systems, the impact of insider actions cannot be discounted.
One example of inadvertent disclosure is the release of nearly 2 billion public transport travel records by the state of Victoria’s Department of Transport to the Melbourne Datathon, Australia's largest event focused on finding innovative uses for data. This led to the issue of a compliance notice by the Office of the Victorian Information Commissioner, requiring the department to create a data governance program and review its policies for releasing data.
The data comprised three years of records for virtually all public transport users using the state’s Myki travel cards between July 2015 and June 2018. While the data itself did not contain personally identifiable information, and steps were taken to further deidentify the dataset by removing individual Myki card ID numbers, researchers have found that it is possible to reidentify individuals, including by linking the data with data from other sources.
Clearly, further measures should have been adopted to ensure the proper deidentification of the dataset. One suggestion is the application of differential privacy techniques to dynamically introduce “noise” into the data. However, given that all subscribers to this newsletter would have read this post, we know that this reduces but may not completely eliminate the risk of reidentification.
Now, what is one to do? Leave a comment below the article if you have any suggestions!