We are almost at the halfway mark of 2016 – June – and it is about this time of year that analysts and researchers release their 2015 findings on the state of payment security and data breaches while reviewing the statistics to date for 2016. Verizon put out its ninth Data Breach Investigations Report (DBIR) on April 26th, compiling incident data from 67 contributors globally to reveal the biggest data security threats, while the Identity Theft Resource Center (ITRC) continues to report weekly on data breaches made public (315 as of April 26th) and how that compares to the same point last year (a 25% increase).
We put together some of the most relevant facts, figures and statistics from these reports that show where we were in 2015 and where we are heading in 2016.
Breaches in 2015
The Verizon DBIR analyzed more than 2,260 confirmed data breaches and 64,199 reported security incidents in 2015. Here is what the report found:
- 89% of all attacks involve financial motives with means of attacks including hacking, malware and phishing.
- Phishing was by far the quickest way for attackers to steal a victim’s credentials – in 81.9% of the incidents, the initial compromise took minutes. Getting the data out took longer: exfiltration took days in 67.8% of cases, reflecting the rise in point of sale (POS) attacks where malware sits on the terminal and exports credit card and personal data over time.
- For the first time in the Verizon DBIR history, credentials received its own section – as they rightly should since data is showing that 63% of data breaches were thanks to weak or stolen passwords.
- There were 1,429 incidents of credential theft in 2015 via both hacking and malware.
- Insiders accounted for just 172 incidents involving data loss out of the 2,260 confirmed breaches in the report – showing that, despite the headlines, the data breach threat from inside sources is much lower than the threat from outside sources.
90% of the breaches found in the DBIR fit into one of nine incident classification patterns: web app attacks, POS intrusions, miscellaneous errors, privilege misuse, cyber-espionage, payment card skimmers, physical theft/loss, crimeware and denial of service, with the remainder falling into a catch-all “everything else” bucket. The leading threat action across the 2,260 breaches remained hacking via use of stolen credentials (1,095), followed closely by malware that exports data (1,031).
Breaches and Payment Security in 2016
Not surprisingly, little has changed this year except that breaches are up and thieves have a new tool to make money – ransomware.
As of April 26th, the number of breaches captured in the 2016 ITRC Breach Report totaled 315, up more than 25% over last year’s record pace for the same time period (251). Year-over-year, breaches in:
- The Business sector are up 44.4% over 2015 figures
- The Medical/Healthcare sector are up nearly 36% over 2015 figures
- The Education sector are up 32% over 2015 figures
However, breaches in the Government/Military sector are down 22.2% from 2015 figures while breaches in the Banking/Financial/Credit category are down more than 62%.
To date, the ITRC reports that over 11 million consumer records have been compromised this year alone.
Malware is still rampant, with the latest strains including GozNym, which has successfully stolen $4 million from U.S. and Canadian banks. Attackers are also re-engineering potent older strains, such as Multigrain, a variant of the NewPosThings POS malware family, to break into POS systems and scrape card data from memory.
But 2016 is so far proving to be the “rise” of ransomware, a form of malware that encrypts the data on a victim’s computers and then demands a ransom payment for the key to decrypt it. Strains such as TeslaCrypt 2.0 are spreading globally, delivered through emails and advertisements that unwitting users click on, after which whole systems are locked down – the Hollywood Presbyterian Hospital in Los Angeles was reported to have paid a ransom of $17,000 to regain access to its systems.
In April of this year, the number of ransomware attacks made a massive 159% jump from March. Before the surge, ransomware cases were on the rise, but that increase ranged from only 9 to 20% month to month.
Prevention and Detection
One thing is clear – these types of cybersecurity attacks are not going away. They will only increase as we become more of a digital society, relying less on physical means of communication and record keeping. Malware, by its very definition, is malicious software: code built to do harm for monetary gain, whether that is breaking into a POS to silently harvest credit card information or locking a whole computer network to make a couple of thousand dollars quickly.
Our focus at Bluefin is encrypting data so that it is useless if found by malware. With our PCI-validated Point-to-Point Encryption (P2PE) solution, the goal is to encrypt all card information upon entry in the device (whether that is a mobile, call center, kiosk or countertop device) so that it is never present in the merchant’s systems as “clear-text”. Clear-text card data is exactly what a hacker wants, because it can be resold; ciphertext that can only be decrypted outside the merchant environment cannot. Our recent press release with Visa demonstrates the importance of PCI P2PE to the payments industry, and one day we hope that technologies like ours can be used to encrypt more than just payment data.
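To make the “clear-text is what the malware wants” point concrete, here is an added example (not Bluefin’s code, and not any real P2PE implementation) that models the two flows side by side. A memory-scraping POS malware family such as the Multigrain variant mentioned above works by hunting process memory for runs of digits that pass the Luhn check; the example runs that same scan over what a POS application holds in memory when a legacy terminal hands it the track data in the clear, and again when a P2PE terminal encrypts inside the device and the POS only ever sees a blob. The device key, the track data and the HMAC-based keystream cipher are all constructed stand-ins for this example; a real P2PE device would use a hardware-protected cipher and key scheme, but the architecture, not the cipher, is the point.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List

# Hypothetical per-device key injected by the P2PE solution provider.
# The merchant's POS software never holds it. Constructed for this example.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Constructed track data using the well-known 4111... test PAN.
SAMPLE_TRACK = "%B4111111111111111^DOE/JOHN^2512101?"


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the device's hardware cipher: an HMAC-SHA256 keystream in
    counter mode, XORed with the data (so one call both encrypts and decrypts).
    Not a production cipher; it only shows where encryption happens."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def device_read_plain(track: str) -> bytes:
    """Legacy terminal: hands the card data to the POS application in the clear."""
    return track.encode()


def device_read_p2pe(track: str) -> bytes:
    """P2PE terminal: encrypts inside the device before anything leaves it.
    The POS only ever receives nonce || ciphertext."""
    nonce = secrets.token_bytes(12)
    return nonce + keystream_cipher(DEVICE_KEY, nonce, track.encode())


def pos_process_sale(card_blob: bytes, amount_cents: int) -> bytes:
    """Merchant POS: builds the authorization message it sends upstream. Whatever
    the reader handed over now sits in this process's memory and socket buffers."""
    return b"SALE|" + str(amount_cents).encode() + b"|" + card_blob


def luhn_ok(digits: str) -> bool:
    """Luhn check, the same filter RAM scrapers use to separate PANs from noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# What a memory scraper does: look for 13-19 digit runs that pass Luhn.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def scrape_for_pans(memory: bytes) -> List[str]:
    """Simulated RAM scraper run over a POS process's buffers."""
    return [m.group().decode() for m in PAN_RE.finditer(memory)
            if luhn_ok(m.group().decode())]


def processor_decrypt(auth_message: bytes) -> str:
    """Decryption environment at the solution provider, the only place with the key."""
    _, _, blob = auth_message.split(b"|", 2)
    nonce, ciphertext = blob[:12], blob[12:]
    return keystream_cipher(DEVICE_KEY, nonce, ciphertext).decode()


def demo(track: str = SAMPLE_TRACK, amount_cents: int = 1999) -> Dict[str, object]:
    """Run the scraper against both flows and confirm the processor can still read the data."""
    legacy_memory = pos_process_sale(device_read_plain(track), amount_cents)
    p2pe_memory = pos_process_sale(device_read_p2pe(track), amount_cents)
    return {
        "legacy_pans": scrape_for_pans(legacy_memory),   # PAN recovered in the clear
        "p2pe_pans": scrape_for_pans(p2pe_memory),       # nothing for the malware to sell
        "processor_sees": processor_decrypt(p2pe_memory),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The legacy flow yields the full PAN to the scraper; the P2PE flow yields nothing, while the processor, holding the device key, still recovers the track data to authorize the sale. The same scan is also a cheap detection check: running it over your own POS process memory or logs tells you whether clear-text card data is leaking somewhere it should not be.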
Right now, the success of ransomware is largely down to human action – to get into a system, the ransomware usually needs to be let in by a user, whether by clicking on a link or attachment in a phishing email or by responding to a bogus ad. The key is to educate employees on these dangers, to shore up networks so that personal webmail and risky websites cannot be reached from business systems, and to keep offline, tested backups so that an infection does not leave paying the ransom as the only way back.
Many approaches and tools must be employed to fight the breach war. If not, at this time next year, our friends at the ITRC could be reporting a breach spike higher than 25% from 2016.