Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:35 PM

Breach Data Shows Attackers Switched Gears in 2020

Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.

The number of data breaches declined by half last year — to less than 4,000 events — yet the number of leaked records more than doubled, as did the number of breaches that included a ransomware component, according to an annual analysis of breach events by Risk Based Security.

The diverging trends suggests that attackers are focusing more on ransomware, which is often not reported as a data breach if information is not exfiltrated. In addition, more than 80% of the at-risk records came from five events caused by misconfigured databases, suggesting that consolidation in the cloud may have led to more severe, if less frequent, data breaches.

Related Content:

First the Good News: Number of Breaches Down 51% Year Over Year

Special Report: Understanding Your Cyber Attackers

New From The Edge: Hacker Pig Latin: A Base64 Primer for Security Analysts

Overall, the way attackers are monetizing system compromises has changed, says Inga Goddijn, executive vice president at RBS. 

"The attackers really seem to be moving away from going after credit card data and other personally identifiable data and going straight for the extortion schemes to monetize their access," she says, "while the bigger record count is really being driven by somebody's entire database sitting out there open, accessible, and readable to any passer by."

Overall, publicly reported data breaches shrank by 48% to 3,932 events in 2020, according to the "2020 Year End Report Data Breach QuickView" report. Yet more than 37 billion "records" were exposed, a 141% increase over 2019, mainly due to five breaches. Those breaches each exposed more than a billion records, while another 18 breaches exposed between 100 million and a billion records. 

While the data shows two different facets of trends in breaches, the actual level of activity probably has not changed much, says Goddijn. 

"I think the level of activity out there is the same, but the number of breaches that came to light was different in 2020," she says. "The landscape has changed quite a bit, but there is not a reduction of risk by a long shot."

Ransomware continues to be a problem, however. The number of breaches that included ransomware doubled to 676, Risk Based Security states in the report. 

The rising trend matches data from other security firms. Ransomware made up half of all cybersecurity incidents in 2020 and 81% of all financially motivated attacks, according to a report from the incident response team at CrowdStrike. The average ransom has exceeded $1.4 million, twice the cost of the cost of recovery, according to a report from Sophos.

With increasingly frequency, ransomware operators are stealing data as well, causing a rise in companies unable to determine the specific types of data taken. 

"Due in large part to the 'smash and grab' data theft that accompanied many of the exfiltration plus encryption extortion schemes, attackers have shown it’s not necessary to steal personal data in order to generate a successful payday," RBS states in the report. "Exfiltrating sensitive internal files is enough — in some cases — to create sufficient pressure for organizations to pay the extortion demand in the hopes of preventing wide-spread release of the data."

Other measures show the changes to the mix of breaches. The average severity score for breaches increased to 5.7 by the end of 2020, up from 4.8 at the beginning of the year. Because the scale of the severity score is logarithmic, the increase of nearly a point indicates a 10x increase in severity, the report states. The severity of a breach includes the volume of records exposed and the type of data in each record.

Almost half of all breaches leaked an individual's name, a third leaked an e-mail address, and more than a quarter leaked a Social Security number, according to the report. Only 25% of breaches included passwords, down from more than half in 2019.

The report also highlights the problems in determining the impact of breaches. 

On one hand, companies that suffer a ransomware attack should be considered breached, even if there is no evidence of data exfiltration, says Goddijn. Yet, as the leak of large databases with billions of records show, the record count does not necessarily equate to the number of individuals impacted, she says.

"The record count is showing its issues [as a metric] because it's not always a good indication of the severity of the breach," Goddijn says. "So this new data introduces some interesting questions about what the record count means."

Overall, more than three-quarters of breaches were caused by an external actor, RBS states. Of the internally caused breaches, two-thirds were accidental.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...