Attacks/Breaches

1/25/2017
03:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Data Breaches Exposed 4.2 Billion Records In 2016

The 4,149 data breaches reported in 2016 shattered the all-time high of nearly 1 billion exposed records in 2013.

Over the past year, 4,149 data breaches compromised more than 4.2 billion records, shattering the previous all-time high of about 1 billion exposed records in 2013.

This finding comes from the 2016 Data Breach QuickView report, released January 25 by Risk Based Security (RBS). Researchers discovered the number of data breaches was fairly consistent between 2015 and 2016, but their severity skyrocketed. 

In 2016, there were 94 reported incidents exposing at least one million records each, and 37 incidents exposing ten million or more records. Compared with 2015, this marks an increase of 63% and 105%, respectively.

It didn't take many breaches to compromise a record-breaking amount of customer information. The top ten breaches of 2016, which included nine hacks and one web breach, led to the exposure of a combined three billion records.

RBS discovered businesses accounted for 51% of reported breaches, surpassing unknown (23.4%), government (11.7%), medical (9.2%), and education (4.7%) industries. Most (80.9%) exposed records also came from the business sector.

The number of breaches by industry sector roughly corresponds with economic activity, explains Inga Goddijn, EVP of Risk Based Security. RBS has the largest central collection of publicly disclosed breaches, she continues, which provides a broad view into where incidents happen.

"What our data shows is that really, no industry is immune to data loss," Goddijn says. "Any organization that has sensitive data -- which is every organization with employees or confidential business information -- can be a target."

Findings from the RBS data breach study are supported by further research from the Online Trust Alliance (OTA), which today released its 2017 Cyber Incident & Breach Response Guide. "Cyber incident" encompasses events including corporate data loss, ransomware, unreported breaches, and incidents not involving covered information.

OTA concluded there were about 82,000 cyber incidents in 2016, affecting 225 organizations around the world each day. However, given that the majority of cyber incidents go unreported, it believes the actual number of annual events could exceed 250,000.

Businesses can learn from the consequences of high-profile attacks. Aside from financial loss, organizations are vulnerable to security threats and reputational damage. The OTA report cites research from the Internet Society, which discovered 59% of users would likely not do business with a company that had suffered a data breach.

While some incidents are unavoidable no matter how strong your security, many can be stopped with the right measures. OTA found more than 90% of cyber incidents could have been prevented.

The threat of data breaches will continue to grow so long as hackers' motivations remain the same, says Goddijn.

"As long as there is money to be made out of unauthorized access and data theft, malicious actors will continue to refine and improve their attack methods," she explains. "The wave of targeted phishing scams, seeking W2 details, that took place early in the first part of the year is a good example."

Phishing is not a new business threat, she says, but scammers successfully refined their approach by targeting HR personnel during the height of tax data preparation season. More than 100 companies and their employees were victims of this type of attack, which led to data being used in fake tax return schemes.

"Early indications look as if we might see a repeat of this in 2017," Goddijn notes. "We've already captured half a dozen such events this year and expect more to follow in the coming months."

While it's difficult to predict the future, Goddijn is "certain" data breaches will continue. It's no longer enough for busiensses to solely focus on prevention.

"Given where we are with the state of breach activity today, organizations need to also be thinking about response and recovery as integral components of security management," she says.

Related Content

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-17305
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher R...
CVE-2017-17311
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2017-17312
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2018-12115
PUBLISHED: 2018-08-21
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second...
CVE-2018-7166
PUBLISHED: 2018-08-21
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misint...