Data breaches take staggering leap in first half of 2017
Main culprit: misconfigured databases exposing user data that hackers easily exploit
By Rodika Tollefson, ThirdCertainty
For the most part, year-to-year this century, statistics about data breaches have steadily grown worse, and 2017 is no exception. The magnitude of data breaches is on track to exceed last year, based on a recent report by Risk Based Security Inc.
Already, in the first six months of 2017, more than 6 billion records have been exposed in 2,227 reported data breaches, according to Risk Based Security. This compares to just under 1.5 billion exposed records in 2,316 reported incidents during the first half of last year.
If the pace continues, this year could easily surpass 2016, which saw 4,149 reported breaches that exposed 4.2 billion records (3.2 billion more than the all-time high of 2013).
“I would love to say (2017) is an outlier, but it’s really a continuation of trends we’ve seen over the last few years,” says Inga Goddijn, executive vice president at Risk Based Security Inc., which provides security intelligence and analytics as well as cyber risk insurance.
The driver behind this year’s high numbers is data leaks that resulted from misconfigured databases, several of them involving Chinese companies. Goddijn says there’s more awareness about this issue, attracting both researchers and bad actors to look for the low-hanging fruit.
“It doesn’t take a lot to find them (misconfigured databases),” she says. “Researchers and malicious actors are looking for the data sets and either revealing that they’ve been exposed to the internet or the world at large, or actually have been compromised and dumped for others to use.”
Risk Based Security assigns a severity score, from 0.1 to 10, using criteria such as number and type of exposed records, industry, threat vector and number of associated third parties. Among the four 2017 incidents it scored as 10 is Deep Root Analytics, which left 198 million U.S. voter records exposed because of a misconfigured AWS database.
Many times, misconfigurations are caused by database developers, says Jake Kouns, Risk Based Security’s CISO. Instinctually, one would think that increased awareness of the issue would help curtail the problem. But, Kouns says, that’s not been the case.
“The fact (the issues) continue to remain uncorrected is frightening,” he says. “We try to report this to get the message out, but there’s still a big disconnect from the message and people understanding they’re impacted and taking action.”
Other highlights from the midyear data breach report:
• The business sector accounted for 56.5 percent of the reported incidents and 93 percent of records exposed. Software and web services led the subsectors in the number of breaches.
• Hacking was responsible for 41.6 percent of breaches and accounted for 30.6 percent of exposed records.
• Four of the year’s breaches made the top 10 list of all-time largest.
• Names, email addresses and physical addresses were the top three types of records exposed, followed by passwords and Social Security numbers.
As in 2016, the United States led all other countries in the number of incidents. In the first six months, U.S. entities accounted for 61 percent of this year’s breaches. Goddijn says that is most likely due to U.S. breach-disclosure laws, especially since almost every state has one.
“It’s difficult to hide a breach of personally identifiable information in the U.S. because there’s too many ways that it needs to be disclosed, so there’s no getting around the fact,” she says.
In addition to the growing number of exposed records, Risk Based Security noted another trend. According to a separate report, the first half of 2017 showed a nearly 30 percent increase in the number of software vulnerabilities over the same period in 2016. The 2017 number represents an all-time high.
“Developers are under a lot of pressure to build software and products quickly,” Kouns says. “In a lot of cases, they aggressively try to move things forward and security becomes an afterthought.”
Goddijn doesn’t see the trends changing until everyone recognizes the true value of data.
“Information is much more valuable than we give credit, and breaches are not going to stop until we start to recognize more the inherent value of information — and what it means to our businesses and organizations, and our own personal lives,” she says.
Kouns says it’s also a matter of the entire supply chain.
“We will continue to see breaches unless we can continue to hold our business partners, suppliers and software vendors accountable and make sure they’re implementing security,” he says. “There’s no way things will change without that.”