2017 Smashed World's Records for Most Data Breaches, Exposed Information

Five mega-breaches last year accounted for more than 72% of all data records exposed in 2017.

2017 was a record-breaking year worldwide for the number of publicly reported data breaches and exposed records: a total of 5,207 breaches and 7.89 billion records compromised.

While hacking remained the No. 1 method used in data breaches last year (55.8%), for the first time it wasn't the top cause of exposed data records: 68.7% of exposed records came at the hands of unintentional Web-borne exposure due to accidental leaking online and misconfigured services and portals.

Some 5.4 billion records were exposed this way, even though that was via just 5% of all reported breaches. Data breaches due to hacks accounted for 2.3 billion records.

"These were misconfigured services, faulty backups, that sort of administrative error that leads to those data sets then being open and exposed to the Internet," explains Inga Goddijn, executive vice president of Risk Based Security, which compiled the breach data from public disclosures for its annual report. "The popularity of search engines like Shodan make it an incredibly open doorway for discovering that information. ... Both security researchers and malicious actors alike understand the power of those tools."

There was a painful wave of publicly disclosed leaks via misconfigured Amazon Web Services (AWS) Simple Storage Service (S3) bucket accounts in 2017. RedLock CSI (Cloud Security Intelligence) found that 53% of businesses using cloud storage services like AWS S3 had inadvertently exposed one or more of their cloud services to the Internet. Among the big-name companies found with exposed AWS S3 storage buckets were Accenture, Booz Allen Hamilton, and Verizon.

Goddijn says most of the exposed record incidents in 2017 were data-handling errors that could have been prevented. Risk Based Security, which compiles and aggregates publicly disclosed data breach events, published its findings today in its annual Data Breach QuickView report on breach trends for 2017.

Both the number of total breaches and total records exposed each jumped by 24% over 2016.

Big Data

Eight of 2017's reported data breaches made the Top 20 list of all-time largest breaches, according to the report. And the five biggest breaches of the year exposed 72.2% of the records, or 5.7 billion records total.

Goddijn points to a few mega-breaches driving that data, including those at Equifax and Sabre Systems. While travel systems provider Sabre has not reported the full extent of its breach, affected third parties continue to issue notifications affecting their customers, she says. "We are still getting information on organizations that had employee or customer data exposed as part of that Sabre breach," including hotels and travel organizations, she says.

"They [Sabre] never came out and said how big it was, but it has been one of the larger ones" based on the fallout, she says. It's unclear if Sabre even knows the full extent of the breach, she says.

Most reported breaches (39.4%) occurred in the business sector, followed by medical (8.1%), government (7.2%), and education (5.3%). And 40% of breaches came from organizations that were not identifiable based on the public disclosure data.

Businesses accounted for the most exposed records (82.9%), followed by government (3.7%), medical (less than 1%) and education (less than 1%); some 12.4% of exposed records belonged to sectors not identifiable via public disclosure information.

The US led the world with the most reported breaches, with 2,330, followed by the UK (184), Canada (116), India (78), and Australia (62). That wide gap between the US and Europe could change once the European Union's General Data Protection Regulation (GDPR), which includes rules for mandatory breach notification, goes into effect in May. "I'll be curious to see how GDPR impacts the data," she says, noting that the US has had some of the most stringent reporting requirements thus far.

Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data

A critical vulnerability discovered in the Chrome and Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users' accounts, including their personal documents and records, vulnerable to remote hackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extension of Grammarly exposed authentication tokens to all websites that could be grabbed by remote attackers with just 4 lines of JavaScript code.

In other words, any website a Grammarly user visits could steal their authentication tokens, which is enough to log in to the user's account and access all "documents, history, logs, and all other data" without permission.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," Ormandy said in a vulnerability report. "Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."

Ormandy has also provided a proof-of-concept (PoC) exploit showing how easily this serious bug can be triggered to steal a Grammarly user's access token with just four lines of code.

This high-severity flaw was discovered on Friday and fixed early Monday morning by the Grammarly team, which, according to the researcher, is "a really impressive response time" for addressing such bugs.

Security updates are now available for both Chrome and Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.

A Grammarly spokesperson also said in an email that the company has no evidence of any users being compromised by this vulnerability.

"Grammarly resolved a security bug reported by Google's Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue," the spokesperson said.

"We're continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users."

Knowledge Is Power in the Battle to Control Our Data

Taking control of our digital information is often easier said than done. The sheer amount of data we generate can exceed 300 MB each day, and sharing some of this information is part of modern life. Attempting to control who collects, uses and shares our personal information requires technical tools and know-how, and a basic understanding of what risks can ultimately emerge. But before anyone offers up a standard set of tips for how best to manage your privacy, it’s worth taking a moment to learn more about the complex data ecosystem in which we all now live – and what that means for controlling information about us.

So many modern technologies work to eliminate friction across websites, services and even devices, giving us a seamless experience when shifting from watching movies on our phones to connecting on our televisions. But these same technologies also facilitate the tracking and aggregation of ever more information about us. This is known in privacy circles as cross-device tracking. The Federal Trade Commission has explained that companies are tracking users with increasing accuracy and correlating their movements and data streams across different platforms.

Tracking across devices occurs in two general ways.

Deterministic tracking is based on login information. For example, Facebook knows what computers and phones you use because you sign in to Facebook on each of them, but deterministic tracking can also occur when companies you’ve never heard of share email addresses with partners. Probabilistic tracking is even harder to detect, relying on IP addresses and other settings, such as the fonts installed on your computer, to create digital fingerprints about individual users.

Cross-device tracking can be difficult for users to control, and it’s not always clear what the benefit to users is from this type of tracking. To limit the impact of tracking across devices, it’s important to try to break linkages among them. Divvy up services among different email addresses and use different browsers for different activities. For example, consider using one privacy-protective browser primarily to surf the web and another for staying logged in to Gmail, Twitter and LinkedIn.

Clearing cookies and limiting ad tracking on mobile devices can disrupt some of this tracking, but our digital footprints today extend far beyond browsers and smartphones. Viewing habits from our smart televisions, health information from wearable devices and data about our brick-and-mortar shopping habits are all collected and analyzed by trackers. Companies frequently stress that they do not share “personally identifiable information” and while this is technically true, customer loyalty programs track every bag of Cheetos and box of luxury cat toys we buy. Our credit cards provide detailed data trails of where and when we shop and what we buy. Sensitive information about individuals can and often is gleaned from seemingly innocuous places; when it’s not found, it might be inferred. What else can the outmatched individual user do in response?

First, recognize the value of your location. There is a reason so many apps and services either ask for or try to infer your general location. Geolocation data doesn’t just reveal where you are; it often reveals who you are, including your innermost interests, beliefs and desires. Mobile location options, private browsers like Tor and virtual private networks (VPNs) can be used to limit some access to your location data, but even the Supreme Court is currently grappling with all the many ways our location information can be acquired.

Second, to the extent you feel comfortable, obfuscate. Data brokers will tell you that much of the information they obtain is publicly volunteered from surveys we complete ourselves. Think twice before eagerly handing over your email address or phone number for a coupon. (This is where having multiple email addresses can come in handy when your hotel or grocery asks for an email to stay in touch.) Remember, the goal is to try to break the linkages that are being made about your activities online and off.

Third, cash is still legal tender. Pay with it where you can. While credit cards and mobile payment options can offer considerable convenience, we’re also giving up a tremendous amount of control over our financial information and our purchase history. Using credit cards to pay for things like counseling, lottery tickets and pornography can make you look like a credit risk. Paying with cash can protect your personal information (and you’re likely to spend less money, too).

Finally, remember that knowledge is power. Nine out of ten Americans feel like they don’t have any control over their information, but this is because most do not know how it is being collected or trust how it’s being used. Sometimes information has to be shared – to take out a loan, to rent an apartment or even to get a job – and yet in the wake of the Equifax data breach last fall, it can be easy to feel like our data is already irreparably out in the open and exposed. But shrugging our shoulders or burying our heads in the sand isn’t productive. According to Equifax itself, 42 percent of Americans have never looked at their credit reports.

We face an information deficit, and unfortunately the burden is on each of us to learn more about our complex data ecosystem. That takes time and energy, and there is almost an overabundance of resources from government agencies and privacy and security advocates. One place to start is our own DIY Digital Security Quiz, and another great way to get bite-sized downloads about our data ecosystem is to tackle Note to Self’s five-day “Privacy Paradox” challenge. It may be hard to take complete control of our digital identities, but a bit more knowledge can go a long way.

SpaceX Animation Shows the Ideal Outcome for the Falcon Heavy Launch

SpaceX will attempt to launch its Falcon Heavy rocket for the first time tomorrow. It's no small feat and a lot could go wrong, but SpaceX has released a video showing how the launch will work if everything goes according to plan.

The launch window is open from 1:30 to 4:00 PM Eastern and will take place at NASA's Kennedy Space Center in Florida. You can see in the video that after it's launched, two of Falcon Heavy's three boosters will return to Earth, landing back at Kennedy Space Center. The third will keep traveling a ways farther but will also eventually detach and land on one of SpaceX's drone ships. Falcon Heavy's payload -- Elon Musk's Tesla Roadster carrying a space suit-clad dummy -- will then continue on its path to Mars. That is, if everything goes well. Musk has said that there's plenty of room for error. "There's a real good chance that it does not make it to orbit," Musk said at the ISS R&D conference last July. "I hope it gets far enough away from the launch pad that it does not cause pad damage -- I would consider that a win."

We'll be watching the launch attempt tomorrow and keeping you up to date on how it goes. SpaceX will have a livestream of the event ready for you if you want to follow along. No matter what happens, tomorrow stands to be an incredibly exciting day and one that could push space travel technology further than it has ever been before.

Google Research: Phishing Poses the Greatest Cybersecurity Threat

A new study by Google offers insights into how email and other accounts are hacked and hijacked by malicious actors. The 12-month study, in which Google partnered with the University of California, Berkeley to better understand how customer accounts are hijacked, also revealed ways in which users can better secure their online accounts.

Google wrote:

What we learned from the research proved to be immediately useful. We applied its insights to our existing protections and secured 67 million Google accounts before they were abused. We’re sharing this information publicly so that other online services can better secure their users, and can also supplement their authentication systems with more protections beyond just passwords.

Over a 12-month period, the study revealed that a staggering 788,000 credentials were stolen via keyloggers – malicious software or hardware that records the keystrokes on a keyboard. The study, which ran from March 2016 to March 2017, also discovered 12.5 million potential victims of phishing kits and 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. A further 3.3 billion credentials were exposed by third-party breaches.

Revealingly, phishing continues to pose the biggest cybersecurity threat, harvesting some 235,000 usernames and passwords every week. By comparison, keyloggers were found to be stealing nearly 5,000 credentials per week. Furthermore, 74% of keyloggers and 82% of phishing attempts also tried to collect a user’s IP address and physical location. A further 18% of malicious tools collected phone numbers as well as the victim’s device make and model.

Google engineers added:

By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.