In the first three quarters of 2020, the number of data breaches fell to its lowest level in five years, while the number of records put at risk by those breaches skyrocketed to more than four times the level of the same nine months in 2019, according to Risk Based Security's (RBS) latest quarterly breach report.
The massive rise in the number of records exposed during breaches in 2020 is partly due to a handful of large misconfigured databases, RBS states in the Q3 report. Two breaches exposed more than 1 billion records each, and another four breaches put at risk more than 100 million records each.
While the number of breaches is typically a measure of malicious activity, the number of records exposed to risk is generally due to an increase in the discovery of misconfigured databases and services, says Inga Goddijn, executive vice president at RBS.
"When we look at the records exposed, it is important to keep in mind that the real driver behind that is the misconfigured databases and services, where folks find the open data sets, they explore and look around, and then the incident gets reported," she says. "They are more focused on the entire dataset put at risk."
There may not necessarily be fewer breaches, says Goddijn. The different numbers underscore the differences in what can be considered a data breach. RBS defines a data breach as the "unauthorized access to, or loss of control of, confidential or sensitive information," the report states.
In addition, companies hit with ransomware do not always report the incident as a breach, especially if they do not know what data has been copied by the attackers. For the first nine months of the year, RBS researchers found reports of 440 ransomware attacks that also contained a data-breach angle — whether information had been taken or the attacker had access to the information in the course of the attack.
Add to that the uncertainty of the pandemic, which has pushed a lot of breach news from the headlines, and fewer breaches may gain public notice, Goddijn says.
"I hate blaming everything on COVID because everyone does that, but I really do think that there is COVID effect," she says. "Because of world events, less breach news is being surfaced ... and information that does become public is a little bit slower to come out."
RBS also notes the election has spurred the interest of data thieves. Voter databases have appeared for sale in underground forums where stolen data is often sold. A variety of actors were selling data dumps of purported voter databases, including information on 7 million voters from Michigan, 8 million voters from North Carolina, 5 million voters from Washington state, and several files containing information of Florida voters, RBS states in its report.
Since voter registration information is often publicly available, the files do not necessarily represent breaches, but they do underscore that such data may allow attempts to meddle in the US election or enable cybercriminals to craft convincing lures as part of phishing campaigns.
"While much of this data might have been collated from older or publicly accessible sources, the potential dangers are still very real," RBS states in the report. "The increased attention and cooperation between hackers points to a growing interest and overall risk. They would most likely prefer for us to think that hacktivism isn't a real issue, given the current climate, but circulating these types of databases can leave voters feeling vulnerable and feed mistrust of voter systems."
The healthcare industry, information brokers, and the financial industry represent the top three reporting industries for breaches, highlighting how companies with the most personal information are often attacked by cybercriminals.
Companies cannot expect a one-size-fits-all approach to securing their data, Goddijn adds. They should take the effort to assess their risk, create a strategy around that risk, and keep those valuable assets protected.
"I come back to process, process, process," she says. "Your security process needs to be strong. You need to be double checking, triple checking, and having ways to discover those security weaknesses on their own."