The number of U.S. data breaches bumped up 17% in 2019 but despite the increase, the volume of sensitive consumer records that were exposed declined substantially by 65%, according to a newly published report.

These statistics are a complete reversal of what happened in 2018, when the number of exposed consumer records soared by 126% and breaches declined by 23%, according to the Identity Theft Resource Center’s (ITRC) End-of-Year Data Breach Report for 2019 

Data breaches tracked in 2019 in the United States jumped to 1,473, from 1,257 in the previous year, the report revealed. Meanwhile, 164,683,455 sensitive records were exposed, compared to 471,225,862 in 2018. The ITRC notes, however, that the 2018 Marriott data alone exposed 383 million records , which is more than 80% of the total number and, “significantly skewing the data.”

With that in mind, it’s important to put what happened in 2018 into context, according to ITRC President and CEO Eva Velasquez. “The increase in the number of data breaches during 2019, while not surprising, is a serious issue,” she said. “It would appear that 2018 was an anomaly in how many data breaches were reported and the number of records exposed. The 2019 reporting year sees a return to the pattern of the ever-increasing number of breaches and volume of records exposed.”

Based on that analysis, what appears to be a good news/bad news story turns into more of a cautionary tale. But Matt Cullina, Executive Vice President of Strategic Partnerships and Managing Director of Global Markets at CyberScout, took heart in the reduction of the number of exposed sensitive records. CyberScout sponsors the ITRC report.

“The extraordinary drop in the number of records exposed and the incredible feat of cutting the sensitive PII (personally identifiable information) exposed by two thirds indicates that we may be moving in a good direction with regards to the extent of the damage associated with breaches,” he said, urging businesses and consumers to remain vigilant in protecting their data and systems.

Risk-based Approach

The “good direction” Cullina mentions could be related to how organizations have started approaching cybersecurity in recent years. Although the report makes no mention of it, there has been a stronger focus on addressing cyber threats with a risk-based approach, much like organizations handle the risks of doing business.

A risk-based approach to cybersecurity recognizes that cyber risks are one of many operational risks with “the potential for business losses of all kinds—financial, reputational, operational, productivity related, and regulatory related—in the digital domain,” according to McKinsey .

As such, organizations have to prioritize these risks by understanding their potential for exposure and building a cybersecurity strategy that gives the most protection to its most important assets.

More Work Ahead

While progress may have been made, it’s clear that organizations have much more work ahead of them to protect their data.

The ITRC report reveals that the banking/finance/credit took the biggest hit in terms of exposed records, accounting for more than 100 million. Business (about 39 million) and education (about 19 million) followed.

The report revealed that while hacking accounts for the highest percentage of breaches (39%), unauthorized access was a close second (36%). And even though unauthorized access came in second, it accounted for the bulk of exposed records (86%), an indication that organizations need to put a stronger focus on data access and authentication policies.