Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/13/2019
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

2018 Was Second-Most Active Year for Data Breaches

Hacking by external actors caused most breaches, but Web intrusions and exposures compromised more records, according to Risk Based Security.

More than 6,500 data breaches were reported in 2018, a new report from Risk Based Security shows.

The breaches, both big and small, were reported through Dec. 31, 2018 — marking a 3.2% decline from the 6,728 breaches reported in 2017 and making it the second-most active year for data breaches on record. Some 5 billion records were exposed, or about 36% less than the nearly 8 billion records exposed in breaches in 2017. In addition, more records were compromised last year than in any previous year than 2017 and 2005.

As has been the case previously, a handful of mega breaches accounted for a vast proportion of the compromised records. In 2018, the 10 largest breaches accounted for approximately 3.6 billion exposed records — or a startling 70% of the total. In all, 12 breaches in 2018 exposed at least 100 million records. Organizations that disclosed the largest breaches last year included Facebook, Under Armor, Starwood Hotels, and Quora.

For a vast majority of breaches, however, the number of exposed records was 10,000 or less — as has been the case since at least 2012.

The medical and education sectors, often denigrated for having poor security, ironically enough exposed far fewer records than other supposedly more secure sectors. Risk Based Security's analysis shows that financial services companies, technology firms, retailers, restaurants, hotels, and other businesses were responsible for nearly 66% of the reported breaches and a near identical proportion of the records that were exposed last year. In contrast, the medical and education sectors combined exposed less than 10 million records.

More than six in 10 of the breaches exposed email addresses, and about 57% involved passwords. The proportion of breaches that exposed Social Security numbers and credit card numbers — the two most valuable pieces of data for criminals — was somewhat smaller in contrast, at 13.9% and 12.3%, respectively.

Risk Based Security's report shows that hacking by malicious external actors remained the cause for most data breaches (57.1%), but Web breaches, such as those resulting from intrusions and data publicly accessible via search engines, exposed more records (39.3%). Insider breaches — of the accidental, negligent, and malicious variety — accounted for about 14% of all breaches last year.

The Breach Disclosure Struggle
One surprise in the data was the scant progress that organizations appear to be making in closing the gap between breach discovery and breach disclosure, says Inga Goddijn, executive vice president at Risk Based Security.

The data shows that government and private institutions took an average of 49.6 days last year to publicly report a breach after its initial discovery. That was actually marginally longer than the 48.6 days it took in 2017, suggesting that organizations are struggling to speed up incident response despite the increased pressure on them to do so in recent years.

"What we found was, after three years of closing the gap between discovery and reporting, the average number of days between those two dates was stagnant in 2018," Goodijn says.

The general anticipation was that mandates such as the European Union's General Data Protection Regulation would put pressure on enterprise organizations to improve breach disclosure times.  So it was surprising to see little movement on that front last year. "It's hard to say why it is still taking nearly 50 days to disclose a breach," Goodijn notes. "It could be we have reached a plateau, where it simply takes two to three weeks to conduct a full investigation and another two to three weeks to work through preparing and releasing a notification."

The GDPR also has a clear distinction between disclosing a breach to authorities and notifying victims about it, Goddijn says. The mandate requires breach entities to inform data regulators in their jurisdictions about the incident within 72 hours. But it offers some discretion around when and even whether an organization needs to notify those impacted by a breach "So even if an event is swiftly reported to privacy regulators, it is possible the event will be publicly disclosed weeks later, if at all," Goddijn says.

Risk Based Security's report does not include "dwell time," or the duration between when an attacker first breaks into a network and when the intrusion is first discovered. But it does show that nearly 70% of organizations that disclosed a data breach in 2018 learned of it from an external source. In fact, only 680 of the more than 6,500 disclosed breaches last year were internally discovered.

"If we look at the rate of internal discovery verses external discovery, we can see that many organizations are still learning of the incident from external sources, such as law enforcement, fraud detection, independent researchers, or even their own customers," Goddijn notes. "Our assumption is that organizations that are better able to detect a breach will also be better positioned to respond. That's something we'll be taking a closer look at in 2019."

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nicfaust
100%
0%
nicfaust,
User Rank: Apprentice
2/14/2019 | 6:28:26 AM
Hi!
Interesting post. Thank you.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...