The number of data breaches declined by half last year — to less than 4,000 events — yet the number of leaked records more than doubled, as did the number of breaches that included a ransomware component, according to an annual analysis of breach events by Risk Based Security.

The diverging trends suggests that attackers are focusing more on ransomware, which is often not reported as a data breach if information is not exfiltrated. In addition, more than 80% of the at-risk records came from five events caused by misconfigured databases, suggesting that consolidation in the cloud may have led to more severe, if less frequent, data breaches.

Overall, the way attackers are monetizing system compromises has changed, says Inga Goddijn, executive vice president at RBS. 

"The attackers really seem to be moving away from going after credit card data and other personally identifiable data and going straight for the extortion schemes to monetize their access," she says, "while the bigger record count is really being driven by somebody's entire database sitting out there open, accessible, and readable to any passer by."

Overall, publicly reported data breaches shrank by 48% to 3,932 events in 2020, according to the "2020 Year End Report Data Breach QuickView" report. Yet more than 37 billion "records" were exposed, a 141% increase over 2019, mainly due to five breaches. Those breaches each exposed more than a billion records, while another 18 breaches exposed between 100 million and a billion records. 

While the data shows two different facets of trends in breaches, the actual level of activity probably has not changed much, says Goddijn. 

"I think the level of activity out there is the same, but the number of breaches that came to light was different in 2020," she says. "The landscape has changed quite a bit, but there is not a reduction of risk by a long shot."

Ransomware continues to be a problem, however. The number of breaches that included ransomware doubled to 676, Risk Based Security states in the report. 

The rising trend matches data from other security firms. Ransomware made up half of all cybersecurity incidents in 2020 and 81% of all financially motivated attacks, according to a report from the incident response team at CrowdStrike. The average ransom has exceeded $1.4 million, twice the cost of the cost of recovery, according to a report from Sophos.

With increasingly frequency, ransomware operators are stealing data as well, causing a rise in companies unable to determine the specific types of data taken. 

"Due in large part to the 'smash and grab' data theft that accompanied many of the exfiltration plus encryption extortion schemes, attackers have shown it’s not necessary to steal personal data in order to generate a successful payday," RBS states in the report. "Exfiltrating sensitive internal files is enough — in some cases — to create sufficient pressure for organizations to pay the extortion demand in the hopes of preventing wide-spread release of the data."

Other measures show the changes to the mix of breaches. The average severity score for breaches increased to 5.7 by the end of 2020, up from 4.8 at the beginning of the year. Because the scale of the severity score is logarithmic, the increase of nearly a point indicates a 10x increase in severity, the report states. The severity of a breach includes the volume of records exposed and the type of data in each record.

Almost half of all breaches leaked an individual's name, a third leaked an e-mail address, and more than a quarter leaked a Social Security number, according to the report. Only 25% of breaches included passwords, down from more than half in 2019.

The report also highlights the problems in determining the impact of breaches. 

On one hand, companies that suffer a ransomware attack should be considered breached, even if there is no evidence of data exfiltration, says Goddijn. Yet, as the leak of large databases with billions of records show, the record count does not necessarily equate to the number of individuals impacted, she says.

"The record count is showing its issues [as a metric] because it's not always a good indication of the severity of the breach," Goddijn says. "So this new data introduces some interesting questions about what the record count means."

Overall, more than three-quarters of breaches were caused by an external actor, RBS states. Of the internally caused breaches, two-thirds were accidental.