Cybersecurity firm Risk Based Security (RBS) released an alarming report on data breaches in the first quarter of 2019, revealing a record-breaking number of data breaches that exposed billions of documents to theft.

“For three years in a row more than one billion records have been exposed in the first quarter of the year, whereas between 2009 and 2016, the number of records exposed in the first quarter generally fell in the 100,000,000 – 200,000,000 range, with only 2016 and 2014 exceeding 200 million,” RBS wrote.

“Why the shift? Two causes stand out: leaky databases and malicious actors going public with sizable data sets for sale.”

New York and California were the US states targeted the most, accounting for nearly 90 percent of all the data breaches in the country. Combined, the states had almost half a billion records exposed in 86 different breaches.

Hackers focused their efforts on a number of different companies in high-profit industries like software, finance, insurance, and health care, each of which accounted for at least 14 percent of data breaches in the RBS survey.

The most common way for cybercriminals to get into a system was through email, tricking people into clicking on links or entering their information into fake replicas of websites they would normally trust.

“A particularly popular attack method evident in recent quarters is targeting user email accounts. Malicious actors typically phish employees or use leaked credentials to access email services. Although pilfering sensitive data is not always the attackers’ objective, such access can trigger lengthy investigations and give rise to a string of regulatory obligations,” they said.

One of the more worrying aspects of the report details how companies figure out they have a data breach. Unfortunately, the vast majority of organizations only realize they’ve been hacked after being told, either by law enforcement, customers or the hackers seeking to extort them.

“This outcome closely mirrors prior quarters with the majority of breaches discovered via external sources such as notification by law enforcement, fraud monitoring, actor disclosure, security researchers or notification from customers themselves,” they said.

“For Q1 2019, the average number of days between discovery and disclosure was 43 days when the breach came to light via external sources. However, it was a stunning 74 days for organizations that learned of the breach via internal sources. The median number of days between discovery and disclosure was equally surprising, with a median of 8 days for external discovery compared to a median of 46 days for internal discovery.”

In the first three months of this year, the five largest data breaches came from a number of different types of companies, from entertainment to information. The biggest occurred in March, when breached 982,864,972 “names, email & IP addresses, dates of birth, contact information, personal mortgage amounts, and FTP server credentials exposed on the Internet due to a misconfigured database.”

When Dubsmash was breached in February, hackers stole 161 million users’ names, IDs, email addresses and usernames. A malware attack on Earl Enterprises in March gave hackers access to 2,150,000 customer names, and credit or debit card numbers with expiration dates.

RBS added that about 15 percent of organizations were “unwilling or unable” to say how many records were truly exposed or vulnerable to hackers.
