Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:50 PM

First the Good News: Number of Breaches Down 51% Year Over Year

But the number of records put at risk experiences a massive increase. Here's why.

In the first three quarters of 2020, the number of data breaches fell to its lowest level in five years, while the number of records put at risk by those breaches skyrocketed to more than four times the level of the same nine months in 2019, according to Risk Based Security's  (RBS) latest quarterly breach report.

The massive rise in the number of records exposed during breaches in 2020 is partly due to a handful of large misconfigured databases, RBS states in the Q3 report. Two breaches exposed more than 1 billion records each, and another four breaches put at risk more than 100 million records each.

Related Content:

Ransomware Attacks Show Little Sign of Slowing in 2021

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Why Defense, Not Offense, Will Determine Global Cyber Powers

While the number of breaches is typically a measure of malicious activity, the number of records exposed to risk is generally due to an increase in the discovery of misconfigured databases and services, says Inga Goddijn, executive vice president at RBS. 

"When we look at the records exposed, it is important to keep in mind that the real driver behind that is the misconfigured databases and services, where folks find the open data sets, they explore and look around, and then the incident gets reported," she says. "They are more focused on the entire dataset put at risk." 

There may not necessarily be fewer breaches, says Goddijn. The different numbers underscore the differences in what can be considered a data breach. RBS defines a data breach as the "unauthorized access to, or loss of control of, confidential or sensitive information," the report states.

In addition, companies hit with ransomware do not always report the incident as a breach, especially if they do not know what data has been copied by the attackers. For the first nine months of the year, RBS researchers found reports of 440 ransomware attacks that also contained a data-breach angle — whether information had been taken or the attacker had access to the information in the course of the attack.

Add to that the uncertainty of the pandemic, which has pushed a lot of breach news from the headlines, and fewer breaches may gain public notice, Goddijn says.

"I hate blaming everything on COVID because everyone does that, but I really do think that there is COVID effect," she says. "Because of world events, less breach news is being surfaced ... and information that does become public is a little bit slower to come out." 

RBS also notes the election has spurred the interest of data thieves. Voter databases have appeared for sale in underground forums where stolen data is often sold. A variety of actors were selling data dumps of purported voter databases, including information on 7 million voters from Michigan, 8 million voters from North Carolina, 5 million voters from Washington state, and several files containing information of Florida voters, RBS states in its report.

Since voter registration information is often publicly available, the files do not necessarily represent breaches, but they do underscore that such data may allow attempts to meddle in the US election or enable cybercriminals to craft convincing lures as part of phishing campaigns.

"While much of this data might have been collated from older or publicly accessible sources, the potential dangers are still very real," RBS states in the report. "The increased attention and cooperation between hackers points to a growing interest and overall risk. They would most likely prefer for us to think that hacktivism isn't a real issue, given the current climate, but circulating these types of databases can leave voters feeling vulnerable and feed mistrust of voter systems."

The healthcare industry, information brokers, and the financial industry represent the top three reporting industries for breaches, highlighting how companies with the most personal information are often attacked by cybercriminals. 

Companies cannot expect a one-size-fits-all approach to securing their data, Goddijn adds. They should take the effort to assess their risk, create a strategy around that risk, and keep those valuable assets protected.

"I come back to process, process, process," she says. "Your security process needs to be strong. You need to be double checking, triple checking, and having ways to discover those security weaknesses on their own."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.