
Attacks/Breaches

1/21/2021
05:35 PM

Breach Data Shows Attackers Switched Gears in 2020

Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.

The number of data breaches declined by half last year — to less than 4,000 events — yet the number of leaked records more than doubled, as did the number of breaches that included a ransomware component, according to an annual analysis of breach events by Risk Based Security.

The diverging trends suggest that attackers are focusing more on ransomware, which is often not reported as a data breach if information is not exfiltrated. In addition, more than 80% of the at-risk records came from five events caused by misconfigured databases, suggesting that consolidation in the cloud may have led to more severe, if less frequent, data breaches.


Overall, the way attackers are monetizing system compromises has changed, says Inga Goddijn, executive vice president at RBS. 

"The attackers really seem to be moving away from going after credit card data and other personally identifiable data and going straight for the extortion schemes to monetize their access," she says, "while the bigger record count is really being driven by somebody's entire database sitting out there open, accessible, and readable to any passer by."

Overall, publicly reported data breaches shrank by 48% to 3,932 events in 2020, according to the "2020 Year End Report Data Breach QuickView" report. Yet more than 37 billion "records" were exposed, a 141% increase over 2019, mainly due to five breaches. Those breaches each exposed more than a billion records, while another 18 breaches exposed between 100 million and a billion records. 

While the data shows two different facets of trends in breaches, the actual level of activity probably has not changed much, says Goddijn. 

"I think the level of activity out there is the same, but the number of breaches that came to light was different in 2020," she says. "The landscape has changed quite a bit, but there is not a reduction of risk by a long shot."

Ransomware continues to be a problem, however. The number of breaches that included ransomware doubled to 676, Risk Based Security states in the report. 

The rising trend matches data from other security firms. Ransomware made up half of all cybersecurity incidents in 2020 and 81% of all financially motivated attacks, according to a report from the incident response team at CrowdStrike. The average ransom has exceeded $1.4 million, twice the cost of recovery, according to a report from Sophos.

With increasing frequency, ransomware operators are stealing data as well, causing a rise in companies unable to determine the specific types of data taken.

"Due in large part to the 'smash and grab' data theft that accompanied many of the exfiltration plus encryption extortion schemes, attackers have shown it's not necessary to steal personal data in order to generate a successful payday," RBS states in the report. "Exfiltrating sensitive internal files is enough — in some cases — to create sufficient pressure for organizations to pay the extortion demand in the hopes of preventing widespread release of the data."

Other measures show the changes to the mix of breaches. The average severity score for breaches increased to 5.7 by the end of 2020, up from 4.8 at the beginning of the year. Because the scale of the severity score is logarithmic, the increase of nearly a point indicates a 10x increase in severity, the report states. The severity of a breach includes the volume of records exposed and the type of data in each record.

Almost half of all breaches leaked an individual's name, a third leaked an e-mail address, and more than a quarter leaked a Social Security number, according to the report. Only 25% of breaches included passwords, down from more than half in 2019.

The report also highlights the problems in determining the impact of breaches. 

On one hand, companies that suffer a ransomware attack should be considered breached, even if there is no evidence of data exfiltration, says Goddijn. Yet, as the leak of large databases with billions of records shows, the record count does not necessarily equate to the number of individuals impacted, she says.

"The record count is showing its issues [as a metric] because it's not always a good indication of the severity of the breach," Goddijn says. "So this new data introduces some interesting questions about what the record count means."

Overall, more than three-quarters of breaches were caused by an external actor, RBS states. Of the internally caused breaches, two-thirds were accidental.
