- The financial services industry contributed 62% of exposed data in 2019, though it accounted for only 6.5% of data breaches, according to a Bitglass report, compiled from data by the Identity Theft Resource Center (ITRC) and the Ponemon Institute.
- Capital One was a leading contributor to the total amount of compromised data this year, following its data breach announced in July. The bank hadn't suffered a breach since 2014. Since 2009 and 2010, American Express and SunTrust Bank suffered the most breaches since 2009 and 2010, with five breaches each.
- Across industries, financial services has the second-highest cost per breached record, behind healthcare. In financial services, an average breach costs $210 per record, while a "mega breach," like Capital One's, can cost up to $388 per record. In healthcare a breach can cost $429 per compromised record, according to the report.
Data breaches are forcing companies to harmonize security and privacy practices.
California's privacy law is about a week away from enactment, and like the General Data Protection Regulation (GDPR) consumers have right to action following data breach. The California Consumer Privacy Act also affords companies a 30-day grace period to correct its violations.
Banks have a higher expectation for fast breach response than other companies, reports Banking Dive. Two-thirds of consumers would quit business with a bank if their breach response was slow or ineffective.
Less than one-fifth of companies feel confident they can inform privacy regulators of a breach within 72 hours, according to data from Ponemon Institute and McDermott Will & Emery.
Capital One disclosed its breach within days of discovering unauthorized access of its network. A misconfigured web application firewall(WAF) led to the 106 million-person breach.
Hackers have an abundance of WAF flaws to choose from and exploit, but security flaws don't always lead to "reportable breaches" under privacy regulations. Unavailable systems or inappropriate security use don't fall under the purview of breaches worthy of reporting, according to Ponemon Institute.