Look no further than the recent Equifax breach (and now the developing Sonic breach) for evidence that hackers have become very successful at making their attacks large-scale, capturing more data than ever and for even longer periods of time. The result? Worldwide, payment-security technology provider Gemalto NV reports that 1.9 billion records were compromised by data breaches in 2017’s first half, up 164% from 721 million records compromised in the last six months of 2016.
In the U.S., Gemalto’s latest Breach Level Index Report tracked 918 breaches, up 13% from 815 in 2016’s second half. Some 22 of the 2017 breaches compromised 1 million or more records, and as of September 21st, the Identity Theft Resource Center has updated that tally to a total of 1,022 data breaches for 2017, with over 163 million breached records.
“It is stunning to see the steady increase in the number of breaches impacting one million or more records. In the first six months of 2013, 2014 and 2015, the number of these large breaches hovered in the mid-teens. Last year we saw that number jump to 28, and now, for the first six months of this year, we’re tracking 50 such incidents,” said Risk Based Security Executive Vice President Inga Goddijn.
Globally and within the U.S., data breaches are a rapidly growing problem and a major concern across many industries. What is even more problematic is that these figures include only the breaches that are publicly disclosed, suggesting the actual number of breaches is far above what these statistics show.
Cyber analytics firm Risk Based Security, whose study reviewed data breaches on a global scale between January 1st and June 30th of this year, identified several trends that breaches are following, showing that hackers are getting smarter and going big in their attacks.
- Tax data a hot-ticket item: Hackers going after tax data is a new trend that has risen in 2017. Phishing attacks compromising W-2 data hit more than 200 incidents.
- Accounting firms and payroll services a key target: Organizations that aggregate data are a target for hackers. In one instance, 5.5 million job seekers’ personal data (including Social Security numbers) were compromised.
- 2017 is setting data breach records: 4 of the breaches recorded (+6B records) were on the Top 10 list of all-time largest data breaches.
- Breaches are getting bigger and are concentrated: 10 breaches accounted for a majority of all records exposed (5.6B of the 6B exposed). 77% of the breaches came from just 10 countries.
- Social Security numbers are at an increased risk: Breaches impacting social security numbers grew to 26.1% in the first half of 2017 (up from 17.6% in 2016).
- Hacking remains the top cause of data breaches: Hacking accounts for 41% of data breaches.
- Skimming is a major cause of data breaches: 272 breaches in the first half of 2017 were a result of card reader skimming.
- Breach detection is still a major problem for most companies: Roughly 50% of the time, external parties alert companies to breaches; the companies are not able to detect the incidents on their own. Of the 2,227 breaches in the report, only 443 were discovered internally.
How the Large-Scale Breaches Happen
A look at the 10 largest breaches of all time, featured in American Banker’s recent review, shows the vulnerabilities the breached companies faced and how difficult it was to uncover and resolve each breach. Many of these large-scale breaches took months, if not years, to discover, and today the breached organizations are still uncovering more layers of the breach that continue to affect the individuals whose records were stolen.
These large-scale breaches have happened in a number of ways – from disgruntled employees stealing proprietary company information, to malware attacks on the Point of Sale (POS) system, to human error – and they have caused catastrophic damage to all involved. Here’s a recap of a few that made the top 10 largest breach list to date.
- Yahoo suffered not one, but two of the largest breaches to date. The first breach was disclosed in Sept. 2016, affecting 500 million accounts. The second was made public three months later when Yahoo announced a separate breach, believed to be committed by separate actors, affecting 1 billion accounts. What is even more unbelievable is that the first breach occurred in 2014 while the second happened in 2013 – neither detected until years after the fact.
The severity of that breach, the second worst in internet history, was most likely magnified by the fact that it took some two years for Yahoo to disclose the initial attack. Had Yahoo taken more aggressive steps — for instance, asking users to change their passwords, or even expiring the passwords and forcing users to enter new ones — it might have prevented some of the damage.
- In May of 2014, thieves stole the credentials of three corporate eBay employees, gaining access to 145 million accounts. Hackers used a phishing attack that essentially attempted to trick eBay employees into giving up important security credentials that could then be used by attackers to infiltrate the site. An attacker might go to LinkedIn, for example, and look for employees of eBay. Using LinkedIn they could then get important names and correlate that data with social media posts, accounts, and other sites. The employee in question would then be sent an email with an embedded link to click on. When the link was clicked, malware would be installed on the computer and the attacker would gain control of the machine in question.
One of the most interesting bits of information to come out of the eBay breach is that the attacker had complete access to their network for 229 days. That may seem like a long time, but in reality it’s quite short with regards to data breaches. With a data breach, the attacker needs to be careful to avoid getting detected for as long as possible.
- In 2011, hackers made off with information on 100 million members of Sony’s PlayStation Now service, including gamers and those streaming music and video on the site. The service was even shut down for three weeks.
- Disclosed in stages, years apart: LinkedIn first announced in 2012 that 6.5 million user names and passwords were affected, but four years later the firm announced that a Russian hacker group named “Peace” was selling the emails and passwords of 117 million users from the 2012 hack.
- And who could forget the large breach of retail giant Target? Disclosed at the end of 2013, Target first said that 40 million credit and debit card numbers had been stolen after hackers infiltrated its POS system with malware. A follow-up shortly after revealed that the contact information of 70 million customers had also been taken.
The Repercussions of the Large-Scale Breach
Let’s just say there are many repercussions to data breaches – stolen identities, lost consumer confidence, millions of dollars in damages to the breached company involved, and years of data breach clean-up to name a few.
More than ever, top officials of breached companies are finding themselves caught in the hot seat, trying to explain how the breach occurred and how that company can recover. As hackers continue to get smarter, the questions surrounding a breach only seem to get more complex – and the answers, more difficult to provide.
Take the latest and potentially worst ever data breach with Equifax. The company has faced immense criticism for its lack of breach detection and then once detected, its lack of remediation of the breach and consumer notification. And to top it all off, it was recently uncovered that employees were unwittingly sending Equifax customers to a phishing website for information on the breach.
The fallout immediately became too much for Equifax’s C-suite, and board members are decimating the executive management team, including the company’s CIO, its CSO and now its CEO. As Tom Clerici of Arraya writes, all segments of a business must care about the potential for a data breach:
All too often I see the IT department out on a ledge fighting for money and staff to secure the business channels that are too busy to bother with it. I get it – security is expensive, complicated, inconvenient, and boring. It’s also intangible in that you can’t see the value until there’s a major problem, so it’s easy to ignore or procrastinate. Passing the buck to IT is the easiest way out. Unfortunately, we live in a world now where ignoring security can put you out of business so, like it or not, the business must care. These breaches have become so public that CEOs can no longer hide behind the complexity of IT for not knowing they are at risk. It’s the executive team’s responsibility to understand the risk and costs to remediate it, which in many cases will require not just money, but culture change.
In next week’s blog, we will take a look at what experts suggest that companies do before and after a data breach. While you can almost never shore up every single network, firewall and entry point, technologies exist today, such as P2PE and tokenization, to mask sensitive data – or, as we like to say at Bluefin: Devalue the Data.
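To make the "devalue the data" idea concrete, here is an added toy tokenization vault written for this post; it is not Bluefin's code or any product's API. The merchant-side order table stores only a surrogate token for each card number (PAN), while the real PAN lives in a separate vault. The token keeps the same length and last four digits for display, is deliberately adjusted so it fails the Luhn check that real PANs pass, and is generated with the `secrets` module rather than derived from the PAN, so a copy of the order table alone is worthless to an attacker. The vault class, the `store_order` helper and the sample card numbers are all constructed for illustration.

```python
"""Toy tokenization vault (constructed example, not a vendor implementation).

A breached order table holds only tokens; recovering PANs requires the vault,
which in a real deployment would be a separately secured system (P2PE/tokenization
provider), not an in-process dictionary as here.
"""
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by real PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault mapping PAN <-> random surrogate token."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:          # same card -> same token
            return self._pan_to_token[pan]
        while True:
            # Random leading digits from a CSPRNG; keep last four for receipts.
            body = [secrets.choice(DIGITS) for _ in range(len(pan) - 4)]
            token = "".join(body) + pan[-4:]
            if luhn_valid(token):
                # Changing any single digit breaks a valid Luhn sum, so the
                # token can never be mistaken for (or used as) a real PAN.
                body[0] = DIGITS[(int(body[0]) + 1) % 10]
                token = "".join(body) + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._token_to_pan[token]


def store_order(orders: list, vault: TokenVault, customer: str, pan: str, amount: float) -> dict:
    """Merchant-side write: the order row never contains the PAN."""
    row = {"customer": customer, "card_token": vault.tokenize(pan), "amount": amount}
    orders.append(row)
    return row


def usable_card_numbers(orders: list) -> list:
    """What a dump of the merchant table yields: entries that look like real PANs.
    With tokenization in place this should always be empty."""
    return [o["card_token"] for o in orders if luhn_valid(o["card_token"])]


if __name__ == "__main__":
    vault = TokenVault()
    orders = []
    # Constructed test card numbers (industry test values, not real accounts).
    store_order(orders, vault, "alice", "4111 1111 1111 1111", 19.99)
    store_order(orders, vault, "bob", "5555555555554444", 42.00)
    print("order table as an attacker would see it:", orders)
    print("card numbers recoverable from the dump:", usable_card_numbers(orders))
    print("vault lookup for first order:", vault.detokenize(orders[0]["card_token"]))
```

The design point is the split: the order table and the vault are separate trust boundaries, so an attacker who reaches the merchant database (as in the Target POS case above) still needs a second compromise to obtain anything chargeable. Real deployments add an audited detokenization API, per-merchant token namespaces, and hardware-backed key storage; this sketch only shows why the stored data loses its value.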