Threat Intelligence

2/13/2019
06:10 PM

2018 Was Second-Most Active Year for Data Breaches

Hacking by external actors caused most breaches, but Web intrusions and exposures compromised more records, according to Risk Based Security.

More than 6,500 data breaches were reported in 2018, a new report from Risk Based Security shows.

The breaches, both big and small, were reported through Dec. 31, 2018 — marking a 3.2% decline from the 6,728 breaches reported in 2017 and making it the second-most active year for data breaches on record. Some 5 billion records were exposed, or about 36% less than the nearly 8 billion records exposed in breaches in 2017. In addition, more records were compromised last year than in any previous year other than 2017 and 2005.

As has been the case previously, a handful of mega breaches accounted for a vast proportion of the compromised records. In 2018, the 10 largest breaches accounted for approximately 3.6 billion exposed records — or a startling 70% of the total. In all, 12 breaches in 2018 exposed at least 100 million records. Organizations that disclosed the largest breaches last year included Facebook, Under Armour, Starwood Hotels, and Quora.

For a vast majority of breaches, however, the number of exposed records was 10,000 or less — as has been the case since at least 2012.

The medical and education sectors, often denigrated for having poor security, ironically enough exposed far fewer records than other supposedly more secure sectors. Risk Based Security's analysis shows that financial services companies, technology firms, retailers, restaurants, hotels, and other businesses were responsible for nearly 66% of the reported breaches and a near identical proportion of the records that were exposed last year. In contrast, the medical and education sectors combined exposed less than 10 million records.

More than six in 10 of the breaches exposed email addresses, and about 57% involved passwords. The proportion of breaches that exposed Social Security numbers and credit card numbers — the two most valuable pieces of data for criminals — was somewhat smaller in contrast, at 13.9% and 12.3%, respectively.

Risk Based Security's report shows that hacking by malicious external actors remained the cause for most data breaches (57.1%), but Web breaches, such as those resulting from intrusions and data publicly accessible via search engines, exposed more records (39.3%). Insider breaches — of the accidental, negligent, and malicious variety — accounted for about 14% of all breaches last year.

The Breach Disclosure Struggle
One surprise in the data was the scant progress that organizations appear to be making in closing the gap between breach discovery and breach disclosure, says Inga Goddijn, executive vice president at Risk Based Security.

The data shows that government and private institutions took an average of 49.6 days last year to publicly report a breach after its initial discovery. That was actually marginally longer than the 48.6 days it took in 2017, suggesting that organizations are struggling to speed up incident response despite the increased pressure on them to do so in recent years.

"What we found was, after three years of closing the gap between discovery and reporting, the average number of days between those two dates was stagnant in 2018," Goddijn says.

The general anticipation was that mandates such as the European Union's General Data Protection Regulation would put pressure on enterprise organizations to improve breach disclosure times. So it was surprising to see little movement on that front last year. "It's hard to say why it is still taking nearly 50 days to disclose a breach," Goddijn notes. "It could be we have reached a plateau, where it simply takes two to three weeks to conduct a full investigation and another two to three weeks to work through preparing and releasing a notification."

The GDPR also has a clear distinction between disclosing a breach to authorities and notifying victims about it, Goddijn says. The mandate requires breached entities to inform data regulators in their jurisdictions about the incident within 72 hours. But it offers some discretion around when and even whether an organization needs to notify those impacted by a breach. "So even if an event is swiftly reported to privacy regulators, it is possible the event will be publicly disclosed weeks later, if at all," Goddijn says.

Risk Based Security's report does not include "dwell time," or the duration between when an attacker first breaks into a network and when the intrusion is first discovered. But it does show that nearly 70% of organizations that disclosed a data breach in 2018 learned of it from an external source. In fact, only 680 of the more than 6,500 disclosed breaches last year were internally discovered.

"If we look at the rate of internal discovery versus external discovery, we can see that many organizations are still learning of the incident from external sources, such as law enforcement, fraud detection, independent researchers, or even their own customers," Goddijn notes. "Our assumption is that organizations that are better able to detect a breach will also be better positioned to respond. That's something we'll be taking a closer look at in 2019."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

nicfaust,
User Rank: Apprentice
2/14/2019 | 6:28:26 AM
Hi!
Interesting post. Thank you.