Data Breaches Expose 4.1 Billion Records In First Six Months Of 2019
According to Risk Based Security research newly published in the 2019 MidYear QuickView Data Breach Report, the first six months of 2019 have seen more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records.
Get started on your cybersecurity degree at American Military University.
Perhaps even more remarkable is the fact that 3.2 billion of those records were exposed by just eight breaches. As for the exposed data itself, the report has email (contained in 70% of breaches) and passwords (65%) at the top of the pile.
Digging deeper into the data breach report
Although it would be easy to get hung up upon those alarming headline numbers from eight breaches, it’s vital that the bigger picture being revealed by the smaller detail isn’t lost from view.
“The majority of breaches reported this year had a moderate to low severity score,” the report stated and exposed 10,000 or fewer records.
This is important because many businesses wrongly assume they are too small to be on the radar of the threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores.
Your average cyber-criminal is lazy and will scrape up any data exposed by running automated online scripts looking for unsecured databases. The big breaches make the headlines, but bread and butter everyday incidents make the money for most threat actors out there.
Businesses must do better when it comes to data protection
Businesses of all sizes need to get their security act together, with the business sector accounting for 67% of the reported breaches and 84.6% of the exposed records according to the report.
It doesn’t take a genius to work out that something has gone very wrong as far as data security is concerned. Just scanning through the headlines on Forbes is confirmation enough of that: Popular Porn Site Breach Exposed 1.2 Million “Anonymous” User Profiles, CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?, Lenovo Confirms 36TB Data Leak Security Vulnerability, 2 Billion Records Exposed In Massive Smart Home Device Breach and Here’s How 2.3 Billion Files And 11 Million Photos, ‘Private’ Ones Included, Were Exposed Online to name but a handful.
Going back to Infosecurity basics
My advice to every business would be to start with the basics and put your effort into getting them right before getting all “rabbit in the headlights” over the latest AI-driven, blockchain-enabled product promise. Basics such as ensuring your databases and services are not misconfigured, leaving the doors to your data wide open to attackers.
“149 of the 3,813 incidents reported this year,” the report found, involved misconfigured databases and services, and “exposed over 3.2 billion records.” It uses the example of the Unistellar campaign which, the researchers stated, has been credited with “wiping the contents of more than 12,500 unprotected MongoDB databases, leaving behind nothing more than a brief note with contact information for restoration.”
Security awareness training is key
Another basic that is often implemented poorly, if at all, is security awareness training. “Quarter after quarter the pattern has repeated itself,” Inga Goddijn, executive vice president at Risk Based Security said, continuing “unauthorized access of systems or services, skimmers and exposure of sensitive data on the Internet have been the top three breach types since January of 2018. However, insider actions, both malicious and accidental, have driven the number of records exposed.”
The insider threat is amplified by a press release that landed in my inbox as I was writing this article. That release, from people-centric security vendor Egress, revealed figures sourced using a Freedom of Information request to the UK Information Commissioner’s Office.
Those figures suggest that 60% of the 4856 personal data breaches reported to the ICO in the first half of 2019 were the result of human error. The press release stated that 43% were the result of incorrect disclosure and 20% posting or faxing data to the wrong recipient. Emailing information to incorrect recipients or failing to use the Bcc function accounted for 18%, while 5% were caused by providing data in a response to a phishing attack.
“All too often, organizations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person,” Tony Pepper, CEO at Egress, said. “Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organizations must invest in technology that works alongside the user in mitigating the insider threat,” Pepper concluded.