Are the hackers winning? 2014 is shaping up as a record year in security breaches
Hackers have been busy in 2014. According to a Data Breach QuickView report by Risk Based Security (RBS), the first half of 2014 has already surpassed the record set across all of 2013 for the number of consumer records exposed.
The company writes, “Mid-year 2014 data breaches exposed over 502 million records far exceeding the mid-year point in 2013, the previous all-time record setting year... and the recently reported exposure of 1.2 billion email addresses and usernames has not been included.”
This news comes weeks after Target released an analysis of the cost of its 2013 breach which, at 110 million records exposed, was the seventh largest breach in history and and was surely among the most-widely publicized. The final tally: $148 million, plus an incalculable loss of consumer trust. The incident, and a confidence eroding response by management, also ended up cost the company its CEO and CIO.
If you’re looking for some consolation, the closest thing in the RBS report is that the total number of hacking incidents in 2014, which stood at 1,331 through the first six months, is likely to fall short of the all-time record set in 2012 of 3,195. So while incidents may be declining, ever so slightly, the average single breach is growing larger. That's a somewhat misleading takeaway, however as 61.7 percent of all incidents exposed less than 1,000 records, while 10 incidents each exposed more than 1 million.
The largest breach in history occurred in June of this year with the NYC Taxi & Limousine Commission – Uber's favorite foe – exposing a staggering 173 million records. This year also featured the fourth and eight largest breaches in history, in eBay's loss of 145 million records and Korea Credit Bureau's exposure of 104 million.
“Compared to the same time period for 2013, there has been a 59% increase in the number of breaches caused by hacking and a 46% increase in the number of records compromised,” says Risk Based Security CEO Barry Kouns. “Clearly hackers are taking advantage of existing vulnerabilities wherever they can be found, and they can apparently be found everywhere.”
Kouns later adds, “It’s hard to find a bright-side. Already 2014 has added three incidents to the “Top 10” data breaches all time, taking over the number one, four and eight spots. ... when you analyze the data breaches, you see that twenty-three organizations were breached more than once this year alone.“
According to the RBS report, 57 percent of breaches exposed usernames, passwords and email addresses 70.1 percent exposed at least passwords, as of the midpoint of this year. The hackers haven’t played favorites, targeting nearly all industries and company sizes. The so-called “business sector” suffered 54.9 percent of all breaches, whereas government saw 16.1 percent, education 8.7%, and medical at 8.5 percent – the catch-all unknown category included 11.8 of all breaches.
US businesses and entities have been responsible for just 39.6 percent of all incidents recorded this year, but have accounted for 74.3 percent of the exposed records.
The takeaway seems to be that if you have consumer data or corporate IP of any kind connected to an external network – meaning nearly every company or organization in the world – you will be targeted at some point, and likely already have. According to the 2013 Mandiant Threat Landscape report, advanced hackers are able to remain inside a breached network for a median of 243 days before being detected. In other words, just because you’re not aware of a breach, doesn’t mean it hasn’t happened.
Any company that doesn’t do everything in its power to monitor for and protect against these attacks will get what it deserves. Consumers, on the other hand, have far less power to protect their data in the hands of large corporations. Welcome to the brave new (connected) world where he world’s most nefarious criminals are always just a fiber-optic cable away.