The Equifax and Yahoo incidents eclipsed news of the other 1,465 breaches reported in Q3 but shouldn't diminish the importance of the 3,833 total breaches reported in the first nine months of this year, which exposed more than 7 billion records.
Risk Based Security disclosed its latest analysis of this year's breaches, including the most recent quarter, in its Q3 2017 Data Breach QuickView Report released today.
The pace of breach disclosures began to steadily grow in July 2017, peaking in September with more than 600 breaches reported for the month. Compared to the first nine months of 2016, the number of reported breaches in 2017 is up 18.2%; the number of exposed records up 305%.
Five incidents from this year are among the top 10 largest breaches of all time and, combined, exposed about 78.5% of all exposed records to date. The Equifax incident leads the pack as the most severe breach of both Q3 and 2017.
"Equifax made a lot of headlines for a lot of good reasons," says Inga Goddijn, Executive Vice President for Risk Based Security. "It's horrible in terms of the amount of data lost -- 145 million records is a mega breach by any measure … but really the breach response, in a number of textbook ways, is how not to handle a breach response; how to make a bad situation worse."
If not for Equifax, there are several other major breaches which would have stolen the spotlight. Goddijn points out the compromised version of Avast CCleaner, as well as payment card breaches at Whole Foods and Sonic, which also hit the news cycle in September.
They're after your credentials
There is a "number of factors" driving the number of breaches in 2017, she continues, but a key reason is failure to recognize the value of personal data on the black market.
"Really, the underlying driving cause is that data has value, and it has a monetary value, and so often we have a tendency to lose sight of that," Goddijn explains. "At the leadership level, that recognition hasn't taken hold as far as we would like to see it."
Researchers noticed an uptick in leaks targeting credentials for popular streaming services. Access credentials in the form of email addresses and passwords are the two most compromised data types, at 44.3% and 40%, respectively.
There's so much data floating around on the Web, it's common for attackers to grab leaked information and test stolen credentials on various websites. Access credentials tend to last longer than financial data, which has a shorter shelf life, Goddijn notes.
"Things like credit card numbers, even bank account numbers, can be changed. The data is only good for so long," she says. "People have a tendency not to change passwords unless they have to, and they use the same password for different services."
Most breaches are caused by hacking: there were 1997 hacking events, exposing 2.7 billion records, in the first nine months of 2017. There were fewer Web breaches, at 206 incidents, but they caused far more damage with a total of 4.8 billion records exposed.
Silver lining and steps forward
Data indicates we're still seeing mega breaches and data leaks but some trends are starting to shift. The severity of breaches skewed lower this particular quarter, Goddijn points out.
During Q3 there were more breaches exposing between 1 and 100 records, indicating lower severity. Fewer breaches exposed Social Security numbers and other high-value data, which drove down breach severity scores. Goddijn calls this a "good trend to see" and hopes the rest of 2017 will follow suit.
However, the outlook won't be quite as sunny if security teams don't step up their game.
"One of the bigger factors, where organizations fall short, is not making security a part of their ordinary everyday operations," she says. "Security has to be an ongoing process. It's not just 'Hey we got a new firewall,' or 'Look, we got a new antivirus system.'"
While these are important, it's also important to think about the business and how all activity affects security. How are new employees onboarded? How can you control their application access? When they leave, do you have a process to take away their access?
"Too often, management fails to recognize the need to build out those processes," Goddijn explains. This failure can drive vulnerabilities and insider threats, both malicious and accidental.
- Less Than One-Third of People Use Two-Factor Authentication
- Majority of US Companies' DDoS Defenses Breached
- How I Infiltrated a Fortune 500 Company with Social Engineering
- 4 Proactive Steps to Avoid Being the Next Data Breach Victim
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.