Last year set the record for both the most breaches and the most data compromised in a year, as several new trends (like a surge in cloud storage misconfigurations) characterized the proceedings.
According to Risk Based Security’s 2017 Data Breach QuickView Report, there were 5,207 breaches recorded last year, surpassing the previous high mark, set in 2015, by nearly 20%. The number of records compromised also surpassed all other years, with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.
“The level of breach activity this year was disheartening,” said Inga Goddijn, executive vice president for Risk Based Security. “We knew things were off to a bad start once the phishing season for W-2 data kicked into high gear. But by the time April 18 came and went, breach disclosures leveled off and we went into summer hopeful the worst was behind us. Unfortunately, that wasn’t the case.”
The increased level of breach activity has been observed by the cyber-insurance industry as well. Manny Cho, EVP at Risk Placement Services, a national insurance brokerage and sponsor of the Year End QuickView Report, added: “The use of malware and ransomware, such as WannaCry and NotPetya, impacted companies and individuals across the globe. While large breaches continue to grab the headlines, SMEs [small and medium-sized enterprises] are losing money and assets to hacker organizations every day thanks to increased phishing and spoofing attacks.”
In addition to the number of breaches and amount of data lost, 2017 stood out for another reason. For the past eight years, hacking had exposed more records than any other breach type. In 2017, web breaches, which largely consist of sensitive data accidentally exposed to the Internet, took over the top spot, accounting for 69.2% of records compromised, or 5.4 billion records.
Hacking still remained the leading breach type, accounting for 55% of reported incidents, but its impact on records exposed fell to the No. 2 spot, with 2.3 billion records compromised. For the first time since 2008, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusion into networks.
“We’re seeing a lot of interest in calling out organizations that mishandle sensitive data,” said Goddijn. “Several of the security researchers that are actively engaged in searching for exposed datasets are no longer willing to keep their findings confidential. Likewise, more individuals are calling out breaches when they discover their own data is exposed.”
A prime example of this is an August breach impacting 11,887 Aetna members. An unnamed mail processing vendor working for Aetna sent letters to HIV patients, informing them of changes to the prescription fulfillment process. Unfortunately, the letter shop used envelopes with an especially large glassine window, exposing highly sensitive HIV status information. The breach was brought to light by a letter recipient – triggering both civil lawsuits and an investigation by the New York Attorney General and ending with Aetna agreeing to pay $18.3 million to settle the various proceedings.
“While this is an extreme example, 2017 saw many other situations where customers, clients and unrelated third parties discovered the problem and chose to take action,” the firm noted in its report.
Comparing the number of breaches discovered internally to the number of breaches found by outsiders highlights one dynamic behind the trend. Of the 3,904 breaches with a confirmed discovery method, only 728, or 18.6%, were discovered by the organization responsible for protecting the data. The remaining 3,176 were found by law enforcement, external fraud detection or monitoring, customers or unrelated parties, including disclosure by the malicious actors themselves.
“While there is not a direct correlation between discovery method and interest in publicizing breach activity, this data does show that the majority of breaches still go undetected by the compromised organization,” the report said.