Data breaches take staggering leap in first half of 2017

Main culprit: misconfigured databases exposing user data that hackers easily exploit

For the most part, year-to-year this century, statistics about data breaches have steadily grown worse, and 2017 is no exception. The magnitude of data breaches is on track to exceed last year, based on a recent report by Risk Based Security Inc.

Already, in the first six months of 2017, more than 6 billion records have been exposed in 2,227 reported data breaches, according to Risk Based Security. This compares to just under 1.5 billion exposed records in 2,316 reported incidents during the first half of last year.

If the pace continues, this year can easily surpass 2016, which saw 4,149 reported breaches that exposed 4.2 billion records (3.2 billion more than the all-time high of 2013).

“I would love to say (2017) is an outlier, but it’s really a continuation of trends we’ve seen over the last few years,” says Inga Goddijn, executive vice president at Risk Based Security Inc., which provides security intelligence and analytics as well as cyber risk insurance.

The driver behind this year’s high numbers is data leaks that resulted from misconfigured databases, several of them involving Chinese companies. Goddijn says there’s more awareness about this issue, attracting both researchers and bad actors to look for the low-hanging fruit.

“It doesn’t take a lot to find them (misconfigured databases),” she says. “Researchers and malicious actors are looking for the data sets and either revealing that they’ve been exposed to the internet or the world at large, or actually have been compromised and dumped for others to use.”

Risk Based Security assigns a severity score, from 0.1 to 10, using criteria such as number and type of exposed records, industry, threat vector and number of associated third parties. Among the four 2017 incidents it scored as 10 is Deep Root Analytics, which left 198 million U.S. voter records exposed because of a misconfigured AWS database.

Many times, misconfigurations are caused by database developers, says Jake Kouns, Risk Based Security’s CISO. Instinctually, one would think that increased awareness of the issue would help curtail the problem. But, Kouns says, that’s not been the case.

“The fact (the issues) continue to remain uncorrected is frightening,” he says. “We try to report this to get the message out, but there’s still a big disconnect from the message and people understanding they’re impacted and taking action.”

Other highlights from the midyear data breach report:

• The business sector accounted for 56.5 percent of the reported incidents and 93 percent of records exposed. Software and web services led the subsectors in the number of breaches.

• Hacking was responsible for 41.6 percent of breaches and accounted for 30.6 percent of exposed records.

• Four of the year’s breaches made the top 10 list of all-time largest.

• Names, email addresses and physical addresses were the top three types of records exposed, followed by passwords and Social Security numbers.

Unchanged from 2016 is the United States leading other countries in the number of incidents. In the first six months, U.S. entities accounted for 61 percent of this year’s breaches. Goddijn says that most likely is due to U.S. breach-disclosure laws, especially since almost every state has one.

“It’s difficult to hide a breach of personally identifiable information in the U.S. because there’s too many ways that it needs to be disclosed, so there’s no getting around the fact,” she says.

In addition to the growing number of exposed records, Risk Based Security noted another trend. According to a separate report, the first half of 2017 showed a nearly 30 percent increase in the number of software vulnerabilities over the same period in 2016. The 2017 number represents an all-time high.

“Developers are under a lot of pressure to build software and products quickly,” Kouns says. “In a lot of cases, they aggressively try to move things forward and security becomes an afterthought.”

Goddijn doesn’t see the trends changing until everyone recognizes the true value of data.

“Information is much more valuable than we give credit, and breaches are not going to stop until we start to recognize more the inherent value of information — and what it means to our businesses and organizations, and our own personal lives,” she says.

Kouns says it’s also a matter of the entire supply chain.

“We will continue to see breaches unless we can continue to hold our business partners, suppliers and software vendors accountable and make sure they’re implementing security,” he says. “There’s no way things will change without that.”
