Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/29/2020
06:50 PM
50%
50%

First the Good News: Number of Breaches Down 51% Year Over Year

But the number of records put at risk experiences a massive increase. Here's why.

In the first three quarters of 2020, the number of data breaches fell to its lowest level in five years, while the number of records put at risk by those breaches skyrocketed to more than four times the level of the same nine months in 2019, according to Risk Based Security's  (RBS) latest quarterly breach report.

The massive rise in the number of records exposed during breaches in 2020 is partly due to a handful of large misconfigured databases, RBS states in the Q3 report. Two breaches exposed more than 1 billion records each, and another four breaches put at risk more than 100 million records each.

Related Content:

Ransomware Attacks Show Little Sign of Slowing in 2021

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Why Defense, Not Offense, Will Determine Global Cyber Powers

While the number of breaches is typically a measure of malicious activity, the number of records exposed to risk is generally due to an increase in the discovery of misconfigured databases and services, says Inga Goddijn, executive vice president at RBS. 

"When we look at the records exposed, it is important to keep in mind that the real driver behind that is the misconfigured databases and services, where folks find the open data sets, they explore and look around, and then the incident gets reported," she says. "They are more focused on the entire dataset put at risk." 

There may not necessarily be fewer breaches, says Goddijn. The different numbers underscore the differences in what can be considered a data breach. RBS defines a data breach as the "unauthorized access to, or loss of control of, confidential or sensitive information," the report states.

In addition, companies hit with ransomware do not always report the incident as a breach, especially if they do not know what data has been copied by the attackers. For the first nine months of the year, RBS researchers found reports of 440 ransomware attacks that also contained a data-breach angle — whether information had been taken or the attacker had access to the information in the course of the attack.

Add to that the uncertainty of the pandemic, which has pushed a lot of breach news from the headlines, and fewer breaches may gain public notice, Goddijn says.

"I hate blaming everything on COVID because everyone does that, but I really do think that there is COVID effect," she says. "Because of world events, less breach news is being surfaced ... and information that does become public is a little bit slower to come out." 

RBS also notes the election has spurred the interest of data thieves. Voter databases have appeared for sale in underground forums where stolen data is often sold. A variety of actors were selling data dumps of purported voter databases, including information on 7 million voters from Michigan, 8 million voters from North Carolina, 5 million voters from Washington state, and several files containing information of Florida voters, RBS states in its report.

Since voter registration information is often publicly available, the files do not necessarily represent breaches, but they do underscore that such data may allow attempts to meddle in the US election or enable cybercriminals to craft convincing lures as part of phishing campaigns.

"While much of this data might have been collated from older or publicly accessible sources, the potential dangers are still very real," RBS states in the report. "The increased attention and cooperation between hackers points to a growing interest and overall risk. They would most likely prefer for us to think that hacktivism isn't a real issue, given the current climate, but circulating these types of databases can leave voters feeling vulnerable and feed mistrust of voter systems."

The healthcare industry, information brokers, and the financial industry represent the top three reporting industries for breaches, highlighting how companies with the most personal information are often attacked by cybercriminals. 

Companies cannot expect a one-size-fits-all approach to securing their data, Goddijn adds. They should take the effort to assess their risk, create a strategy around that risk, and keep those valuable assets protected.

"I come back to process, process, process," she says. "Your security process needs to be strong. You need to be double checking, triple checking, and having ways to discover those security weaknesses on their own."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14190
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4.
CVE-2020-29074
PUBLISHED: 2020-11-25
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user.
CVE-2020-14191
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4.
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...