When news broke in December of a massive data breach at Yahoo, it was met with a collective “This, again? Didn’t they just report a breach?” The company had, in fact, reported a record-breaking breach of 500 million user accounts three months earlier, but it was dwarfed by the December breach, which impacted over 1 billion records.
That pair of record-breaking breaches was a fitting way to cap off a year marked by massive data breaches. As security intelligence provider Risk Based Security points out in its newly released 2016 Data Breach Trends report, “six 2016 breaches have taken their place on the Top 10 List of All Time Largest Breaches.”
By many measures, and not surprisingly, the data breach trend story for 2016 is one of explosive growth in the number of records exposed, from 822 million in 2015 to over 4.2 billion in 2016 — and “approximately 3.2 billion more records than the previous all-time high exposed in 2013.”
While the number of records exposed was far higher in 2016 than the year prior, the RBS report found that the total number of incidents declined from 4,326 in 2015 to 4,149 in 2016. Inga Goddijn, executive vice president of Risk Based Security, offered a couple of explanations for the decline in one measure and the growth in the other.
One explanation is that attackers were more targeted in their efforts. "[W]e also saw a number of successful targeted attacks using fairly straightforward methods, like the wave of phishing attacks targeting W2 data. Phishing is nothing new but scammers refined their approach — quite successfully — targeting HR personnel during the height of tax data preparation season. Over 100 companies and their employees were victims of this type of scam, resulting in data being used in fake tax return schemes," said Goddijn.
Another explanation, however, is that year-by-year counts are inherently tricky and are as much an accident of categorization as anything. "This year, there were a handful of data thefts that occurred in prior years but only came to light in this year," says Goddijn. "The two incidents at Yahoo are good examples. The first breach, impacting 500 million records, originated from an intrusion taking place at least as far back as 2014. The second event, compromising over 1 billion records, is believed to have resulted from an intrusion taking place in 2013 or possibly earlier. What is alarming about these types of events is that they were not detected earlier. In fact, the second, larger breach at Yahoo may not have been discovered at all had the first incident not triggered a deeper investigation."
Phishing, skimming rise; hacking holds ground
In its 2015 report, RBS found that hacking was by far the top breach type, accounting for 2,540 incidents. Again in 2016, hacking took the top spot with 2,213 incidents, but it ceded some ground to other types of breaches.
For example, phishing, which was used in just 36 incidents in 2015 (not even making the top 10 list), was the third most common breach type in 2016, with 203 incidents.
"One of our key findings this year is if you go looking for the breach, chances are you will find it," says Goddijn.
Goddijn says skimming is a good example of this. RBS's 2015 report noted that skimming at gas pumps was rising and impacting the energy sector. That year skimming was the second most common breach type, used in 270 incidents. In 2016, skimming was again the second most common breach type, but had increased its share to 482 incidents.
"Several states launched investigations into skimming activity, sending investigators into the field to inspect gas pumps. That played a role in the increased number of skimming reports we saw this year," says Goddijn. "Close inspection of pumps led to more skimming device discoveries. Clearly, a skimming event isn’t quite on par with responding to a large network intrusion, but it does illustrate the point that really, any organization that has data of value can be targeted."
Table 1: Top 10 incidents by breach type
Taking a second swing
In 2016, 123 organizations reported multiple data breaches, Yahoo and Mossack Fonseca among them.
While RBS notes that it’s “always challenging to draw definitive conclusions as to why some organizations experience multiple data loss events,” there are a number of factors that play a role.
One such factor, which RBS noted in its 2015 report, is “organizations that appear not to be learning from their mistakes.” That year, 37 government agencies were among the organizations with multiple incidents.
But, as Goddijn points out, in 2016 there was also "no shortage of events that were the result of simply being an easy target. The misconfigured databases are a prime example. It’s a well established fact that there are hundreds — if not thousands — of open, unsecured databases to be found using search engines like Shodan. Leaving the virtual 'front door' to data wide open certainly does make for an easy target. That said, it would not be fair to characterize all organizations experiencing multiple breaches as 'easy targets'. Some organizations face more attacks simply by virtue of who they are or the data they have. When you’re facing ongoing, relentless attacks, chances are sooner or later one or more will be successful."
Risk Based Security based its report on breach data gathered by its own proprietary application, on news feeds, blogs, and other websites, and on information obtained through Freedom of Information Act (FOIA) requests.
For more 2016 data breach trends, download the full report.