Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/13/2019
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

2018 Was Second-Most Active Year for Data Breaches

Hacking by external actors caused most breaches, but Web intrusions and exposures compromised more records, according to Risk Based Security.

More than 6,500 data breaches were reported in 2018, a new report from Risk Based Security shows.

The breaches, both big and small, were reported through Dec. 31, 2018 — marking a 3.2% decline from the 6,728 breaches reported in 2017 and making it the second-most active year for data breaches on record. Some 5 billion records were exposed, or about 36% less than the nearly 8 billion records exposed in breaches in 2017. In addition, more records were compromised last year than in any previous year than 2017 and 2005.

As has been the case previously, a handful of mega breaches accounted for a vast proportion of the compromised records. In 2018, the 10 largest breaches accounted for approximately 3.6 billion exposed records — or a startling 70% of the total. In all, 12 breaches in 2018 exposed at least 100 million records. Organizations that disclosed the largest breaches last year included Facebook, Under Armor, Starwood Hotels, and Quora.

For a vast majority of breaches, however, the number of exposed records was 10,000 or less — as has been the case since at least 2012.

The medical and education sectors, often denigrated for having poor security, ironically enough exposed far fewer records than other supposedly more secure sectors. Risk Based Security's analysis shows that financial services companies, technology firms, retailers, restaurants, hotels, and other businesses were responsible for nearly 66% of the reported breaches and a near identical proportion of the records that were exposed last year. In contrast, the medical and education sectors combined exposed less than 10 million records.

More than six in 10 of the breaches exposed email addresses, and about 57% involved passwords. The proportion of breaches that exposed Social Security numbers and credit card numbers — the two most valuable pieces of data for criminals — was somewhat smaller in contrast, at 13.9% and 12.3%, respectively.

Risk Based Security's report shows that hacking by malicious external actors remained the cause for most data breaches (57.1%), but Web breaches, such as those resulting from intrusions and data publicly accessible via search engines, exposed more records (39.3%). Insider breaches — of the accidental, negligent, and malicious variety — accounted for about 14% of all breaches last year.

The Breach Disclosure Struggle
One surprise in the data was the scant progress that organizations appear to be making in closing the gap between breach discovery and breach disclosure, says Inga Goddijn, executive vice president at Risk Based Security.

The data shows that government and private institutions took an average of 49.6 days last year to publicly report a breach after its initial discovery. That was actually marginally longer than the 48.6 days it took in 2017, suggesting that organizations are struggling to speed up incident response despite the increased pressure on them to do so in recent years.

"What we found was, after three years of closing the gap between discovery and reporting, the average number of days between those two dates was stagnant in 2018," Goodijn says.

The general anticipation was that mandates such as the European Union's General Data Protection Regulation would put pressure on enterprise organizations to improve breach disclosure times.  So it was surprising to see little movement on that front last year. "It's hard to say why it is still taking nearly 50 days to disclose a breach," Goodijn notes. "It could be we have reached a plateau, where it simply takes two to three weeks to conduct a full investigation and another two to three weeks to work through preparing and releasing a notification."

The GDPR also has a clear distinction between disclosing a breach to authorities and notifying victims about it, Goddijn says. The mandate requires breach entities to inform data regulators in their jurisdictions about the incident within 72 hours. But it offers some discretion around when and even whether an organization needs to notify those impacted by a breach "So even if an event is swiftly reported to privacy regulators, it is possible the event will be publicly disclosed weeks later, if at all," Goddijn says.

Risk Based Security's report does not include "dwell time," or the duration between when an attacker first breaks into a network and when the intrusion is first discovered. But it does show that nearly 70% of organizations that disclosed a data breach in 2018 learned of it from an external source. In fact, only 680 of the more than 6,500 disclosed breaches last year were internally discovered.

"If we look at the rate of internal discovery verses external discovery, we can see that many organizations are still learning of the incident from external sources, such as law enforcement, fraud detection, independent researchers, or even their own customers," Goddijn notes. "Our assumption is that organizations that are better able to detect a breach will also be better positioned to respond. That's something we'll be taking a closer look at in 2019."

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nicfaust
100%
0%
nicfaust,
User Rank: Apprentice
2/14/2019 | 6:28:26 AM
Hi!
Interesting post. Thank you.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.