How will 2019 be remembered for data breaches? Not well. The number of U.S. data breaches tracked by the Identity Theft Resource Center rose to 1,473, a 17% increase from 1,257 in 2018.
Drilling into the payments sector, the increase was larger, according to a newly released report from the ITRC, a San Diego-based non-profit. There were 287 data breaches in 2019 involving payment card and other types of data such as email addresses and other personal information, up 25% from 230 in 2018. The 2019 breaches exposed more than 23.3 million records. Some 2.16 million records were compromised in the 150 breaches that exposed payment card information only.
The 230 breaches in 2018 that exposed payment card and other data involved more than 412.7 million records. Much of the difference between the 2018 and 2019 exposures stemmed from the Marriott hotels breach that came to light in late 2018. That breach alone involved 383 million records, the ITRC says. Almost 11 million records were exposed in 2018’s 119 breaches that compromised only payment card information.
Notable 2019 breaches involving payment card data were those at Quest Diagnostics, which involved 11.9 million records, and at EatStreet, a food-delivery service, which involved 6.4 million records, according to the ITRC.
The scale of breaches involving credit and debit card data remains worrisome, even as the payments industry and merchants adopt new measures to secure cardholder data, according to the ITRC. One issue involves the coming migration to EMV chip card acceptance at the fuel pump. In October, fuel retailers will have to accept EMV transactions—and pay for expensive components and software upgrades to do that—or take liability for fraud from magnetic-stripe card transactions.
“The volume of payment cards exposed and the continuing struggle to secure some POS systems shows there is still work to be done,” says James Lee, chief operating officer of the center. “Pay-at-the-pump systems are of particular concern as legacy systems have not yet moved to the more secure chip-and-PIN technology. Bluetooth and wireless skimmers are proof that hackers innovate faster than the business community can implement new protections.”
Analysts say the transition to EMV at fuel pumps is likely to be far from complete by October. Another extension of the migration date, already postponed from 2017 to 2020, was rejected by the card brands late last year.