[BreachExchange] Data Breaches Lead To Over 1 Billion Records Exposed In The First Half of 2016

Inga Goddijn inga at riskbasedsecurity.com
Wed Aug 31 12:39:59 EDT 2016


https://www.riskbasedsecurity.com/2016/08/data-breaches-lead-to-over-1-billion-records-exposed-in-the-first-half-of-2016/

Risk Based Security and RPS Executive Lines are pleased to announce the
release of the latest installment of the Data Breach QuickView Report. The
MidYear 2016 Report shows that, while the number of data breaches for the
year is down approximately 17% compared to the same time last year, the
number of records compromised is off the charts, with over 1.1 billion – *yes
billion* – records exposed in the first six months of 2016. With another 6
months still to go, this year is already the worst year on record for the
amount of sensitive information compromised.


Looking at the numbers, we can’t help but ask “How did this happen?!?” A
deeper examination of the breaches behind the numbers reveals several
interesting trends including:

   - Attackers continue to have success using tried and true techniques
   - Misconfigured databases continue to serve up large amounts of data
   - Reusing log-in credentials across multiple sites can have cascading
   effects across many organizations

The first few months of the year proved just how successful tried and true
attack methods can be. Whether it’s called Business Email Compromise, CEO
fraud, spoofing or spear phishing, a wave of well-crafted and well-targeted
fraudulent emails asking for sensitive information has produced exceptional
results. Approximately 150 organizations in the U.S. reported giving up
confidential information to fraudsters when unsuspecting employees
responded to requests for information. The bulk of the attacks targeted W-2
data – including employee names, addresses, Social Security numbers and
wage details – and occurred early in the year just ahead of the tax filing
deadline. Although the frequency of disclosures has abated since the
spring, incidents continue to be reported with companies like Gamesa Wind
<http://ago.vermont.gov/assets/files/Consumer/Security_Breach/Games%20Wind%20SBN%20to%20Consumers.pdf>
and Krispy Kreme Doughnuts
<http://www.journalnow.com/business/business_news/local/krispy-kreme-deals-with-phishing-incident/article_d623a87c-80c5-50c3-a4f2-cf5107102ec7.html>
disclosing incidents as late in the quarter as June 27th.

The problem of open, unprotected databases, which we have reported
<https://www.riskbasedsecurity.com/2016/07/redis-over-6000-installations-compromised/>
on previously
<https://www.riskbasedsecurity.com/2016/07/thomson-reuters-world-check-terrorist-database-open-for-the-world-to-view/>,
may be as old a problem as phishing for data. But unlike their
phishing-victim counterparts, the number of organizations reported to be
leaking sensitive data in the first half of the year was well under 150.
However, where each phishing attack averaged 2,432 records lost per breach,
unsecured databases tended to serve up more significant amounts of
information.

One of the largest unsecured database breaches to come to light this year
impacted 93.4 million Mexican citizens, when MacKeeper security researcher
Chris Vickery discovered a misconfigured MongoDB hosted on AWS
<https://mackeeper.com/blog/post/217-breaking-massive-data-breach-of-mexican-voter-data>
servers located in the United States. The leak exposed voter details beyond
name and address, including dates of birth, occupation and some national
identification numbers. Unfortunately, Mexico was not alone this year when
it comes to open voter databases. A client of data services company L2
<http://www.l2political.com/> had their own experience with an exposed
database, this time impacting 154 million U.S. voters. The CouchDB database
belonging to the unnamed client was apparently left open after hackers took
down the firewall protecting the database
<http://www.dailydot.com/layer8/154-million-voter-files-exposed-l2/>. It
remains unknown whether the data was taken or merely left open and
unprotected. Either way, 247 million identities were put at risk by just
two incidents.

It has long been known that username and password leaks at one organization
can lead to hijacked accounts at a different company. Like phishing and
poorly protected databases, using stolen credentials to gain access to
valuable information is nothing new. Also like phishing and leaky
databases, the first half of the year has seen the problem reach new
heights. Mega credential breaches like the ones at MySpace, iMesh, Tumblr,
and the 100 million plus additional credentials from the 2012 LinkedIn
breach led to very real consequences for the likes of TeamViewer
<http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/>,
Carbonite
<https://www.carbonite.com/en/cloud-backup/business/resources/carbonite-blog/carbonite-password-attack/>
and GoToMyPC <http://status.gotomypc.com/incidents/s2k8h1xhzn4k>. Each of
these organizations was hit with “password re-use attacks”, compromising
an unknown number of user accounts. While official statements and
spokespersons were quick to point out their own security was not breached,
that fact is little comfort to those that had their accounts accessed.
Likewise, the incidents also triggered large-scale password reset
procedures, keeping security teams and administrators alike occupied with
the response effort.

The research from the QuickView Report suggests that the old epigram “the
more things change, the more they stay the same” continues to ring true
when it comes to data breaches. Attackers continue to rely on current
successful strategies, even when those strategies are as simple as a
well-crafted phishing email or preying on the habit of recycling comfortable,
easy to remember passwords. Likewise, we do ourselves few favors when we
fail to take reasonable and necessary steps to protect our most valuable
information assets.