Data Breaches: What Do the Numbers Mean?

Another day, another data breach. But what are the trends? Here’s a closer look at Risk Based Security’s 2018 data breach report, along with some analysis, wider context and thoughts on what we can learn from the metrics.

by / February 17, 2019

Risk Based Security came out with their annual data breach report this past week. Overall, 2018 brought the second-highest number of reported data breaches of any year on record.

“It’s been an unusual year for breach activity,” commented Inga Goddijn, executive vice president of Risk Based Security. “We’ve been monitoring breach events for more than a dozen years now and this is the first time we’ve observed a slow start to the year following by a growing number of disclosures as the months pass. We suspect various factors including the allure of crypto mining had an impact on breach activity early in the year, but disclosures rebounded throughout the summer and into the last quarter.”

The full report is available by visiting their website here.

Goddijn said of the work, “we were curious to see if the General Data Protection Regulation (GDPR) would have a discernible impact on how long it takes for an organization to go public with a breach report.” Curiously, the average number of days between discovery and disclosure has been approximately 49 days for the past two years. Goddijn commented, “From 2014 until 2017, the average number of days had been declining. We assumed awareness of GDPR reporting requirements would put pressure on organizations to continue to close the gap. So it was surprising to see 2018 end at an average of 49.6 days, slightly above 2017’s average of 48.6 days.”

Here are a few of the highlights:   

  • 2018 came in as the second most active year for publicly disclosed breaches, missing 2017’s high mark by only 3.2%.
  • 6,515 breaches were reported through December 31, 2018, exposing approximately 5 billion
  • Compared to 2017, the number of reported breaches was down 3.2% and the number of exposed records was down approximately 35.9% from 7.9 billion.
  • Of the breached organizations that could be definitively classified, the Business sector accounted for 66.2% of reported breaches, followed by Government (13.9%), Medical (13.4%) and Education (6.5%).
  • 12 breaches exposed 100 million or more records, only one less than 2017’s thirteen breaches exposing 100 million or more records. These 12 breaches accounted for 74% of all records exposed in 2018.
  • The Business sector accounted for 65.8% of the records exposed followed by Unclassified at 31.8% and Government at 2.2%. The Medical and Education sectors combined accounted for 9.9 million records exposed, or less than 0.02% of the total records exposed in the year.
  • Web regained the top spot for the breach type exposing the most records, accounting for 3% of compromised records, while Hacking remained the top breach type for number of incidents, accounting for 57.1% of reported breaches.
  • 5% of breached organizations were unwilling or unable to disclose the number of records exposed.

Data Breaches by Year, Sector and Source

Here are some of the specifics behind the data in chart form, as compared to previous years:

I find it interesting that government reported far fewer data breaches than business, but the largest category was unknown.

The breach types and sources of the data breaches are also very interesting.

 

Also, the threat vectors used (internal or external) and outside versus inside are very interesting.

Other Sources on Data Breaches

I find this data breach data to be helpful when the proper context surrounds the data. I also like to look at a variety of different perspectives on data breaches, such as this Gemalto report from 2018 which chronicles 3.3 billion records lost in the first half of 2018.   

  • Staggering 72 percent increase in stolen, lost or compromised records over H1 2017
  • Social media incidents account for over 76 percent of records breached
  • 65 percent of data breach incidents involved identity theft

It is also important to realize that different reports use different definitions and methods, so not all the numbers match-up perfectly. I point out some of those security industry metrics problems and other sources in this article.

Forbes Take on 5 Data Breaches in 2018

Back in December, this article in Forbes magazine online broke down the details in five large data breaches in 2018.  

Those data breaches included Facebook, Marriott, Quora, British Airways and Ticketmaster. I encourage you to see their analysis on each breach in the article.

Here’s an excerpt on what they think some takeaways are:

“After hitting Ticketmaster and BA, experts predict that Magecart will target more than credit card data in 2019. “In 2018, credit-card skimming criminals grouped under the Magecart label have been carrying out a full-scale assault on e-commerce. They show zero signs of stopping as we head into 2019, with the attacks only getting more traction as various groups learn how to become more effective,” says RiskIQ’s Klijnsma.

 As nation state actors ramp up their campaigns, critical infrastructure will also likely be a target. These attacks are already on the rise, says Andrew Tsonchev, director of technology, Darktrace Industrial. “This year, the ports of San Diego and Barcelona were attacked with ransomware: compromising industrial devices can now allow criminals to ransom access to operational systems as well as data."

Jake Moore, cyber security expert at ESET, predicts 2019 will see a new form of attack: GDPR bounty hunting. “GDPR bounties work effectively when the attacker extorts an organization by providing them with a copy of their data to prove that it has been breached.

"They then give the victim two options: pay the possibly eye watering ICO fine of up to €20m or 4% of their annual global turnover — or pay the hackers’ chosen fee, which could be anything less than the maximum from the ICO.”

Closing Thoughts

I must admit that I hesitated when considering whether to write this blog. Don’t get me wrong, I think Risk Based Security did an excellent job, and these other industry reports on data breaches are also important.

And yet, I think the press has become so obsessed with data breaches, that these reports and headlines are getting less and less meaningful attention from the public.

On the other end of the spectrum, I think security pros are fighting a fear, uncertainty and doubt (FUD) addiction that plays-out in many ways. Numerous bloggers just send out report after report on the latest data breaches, until most reports are filed and we move on — unless there is something new, different or record-breaking that is announced.  

Bottom line, many are now numb to data breaches, and technology pros often go out of their way to talk about something else. 

Nevertheless, I do think the trends, details, sources and overall metrics can be helpful. I have not written a blog on data breaches in a long time, and it was time.

I encourage you to read the reports and analyze the data. Determine what the numbers mean in your context to your enterprise or situation.

But most of all, do your best to turn these data breach lemons into lemonade — and help stop future data loss.  

Platforms & Programs