[BreachExchange] Data Breaches Expose 4.1 Billion Records In First Six Months Of 2019

Destry Winant destry at riskbasedsecurity.com
Wed Aug 21 10:07:47 EDT 2019


According to Risk Based Security research newly published in the 2019
MidYear QuickView Data Breach Report, the first six months of 2019
have seen more than 3,800 publicly disclosed breaches exposing an
incredible 4.1 billion compromised records.

Perhaps even more remarkable is the fact that 3.2 billion of those
records were exposed by just eight breaches. As for the exposed data
itself, the report has email (contained in 70% of breaches) and
passwords (65%) at the top of the pile.

Digging deeper into the data breach report

Although it would be easy to get hung up on the alarming headline
numbers from those eight breaches, the bigger picture revealed by the
many smaller incidents must not be lost from view.

"The majority of breaches reported this year had a moderate to low
severity score," the report stated, and exposed 10,000 or fewer

This is important because many businesses wrongly assume they are too
small to be on the radar of the threat actors. The truth is that it is
all about the data, and small businesses often have less well-guarded
data stores.

Your average cyber-criminal is lazy and will scrape up any data
exposed by running automated scans of the Internet for unsecured
databases. The big breaches make the headlines, but bread-and-butter
everyday incidents make the money for most threat actors out there.

Businesses must do better when it comes to data protection

Businesses of all sizes need to get their security act together, with
the business sector accounting for 67% of the reported breaches and
84.6% of the exposed records according to the report.

It doesn't take a genius to work out that something has gone very
wrong as far as data security is concerned. Just scanning through the
headlines on Forbes is confirmation enough of that: Popular Porn Site
Breach Exposed 1.2 Million “Anonymous” User Profiles, CafePress
Hacked, 23M Accounts Compromised. Is Yours One Of Them?, Lenovo
Confirms 36TB Data Leak Security Vulnerability, 2 Billion Records
Exposed In Massive Smart Home Device Breach and Here’s How 2.3 Billion
Files And 11 Million Photos, ‘Private’ Ones Included, Were Exposed
Online to name but a handful.

Going back to Infosecurity basics

My advice to every business would be to start with the basics and put
your effort into getting them right before getting all "rabbit in the
headlights" over the latest AI-driven, blockchain-enabled product
promise. Basics such as ensuring your databases and services are not
misconfigured, leaving the doors to your data wide open to attackers.

"149 of the 3,813 incidents reported this year," the report found,
involved misconfigured databases and services, and "exposed over 3.2
billion records." The report uses the example of the Unistellar campaign
which, the researchers stated, has been credited with "wiping the
contents of more than 12,500 unprotected MongoDB databases, leaving
behind nothing more than a brief note with contact information for
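
A practical check for the misconfiguration behind those wiped MongoDB instances is whether mongod listens on a non-loopback interface while authorization is still disabled. The following is an added example, not code from the Forbes article, the Risk Based Security report or the MongoDB project: it reads a mongod.conf-style file and flags that combination. The two configuration texts are constructed for illustration, the parser is a deliberately minimal one for the plain key/value subset of YAML that mongod.conf uses, and the function names are this example's own.

```python
from typing import Any, Dict, List, Tuple

# Constructed example of the weak configuration: answers on every interface
# with authorization left at its default (disabled).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed example of the same server with the two settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse indentation-nested 'key: value' lines into nested dicts.

    Deliberately minimal: it covers the plain mapping subset that a typical
    mongod.conf uses and skips comments, but not YAML lists, anchors or
    quoted strings. Use PyYAML for anything beyond that.
    """
    root: Dict[str, Any] = {}
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]  # (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indentation level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def mongod_findings(conf_text: str) -> List[str]:
    """Return human-readable findings for a mongod.conf; [] means nothing flagged.

    Defaults follow mongod's own: bindIp is localhost (since 3.6) and
    security.authorization is disabled when the keys are absent.
    """
    conf = parse_simple_yaml(conf_text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings: List[str] = []

    bind_ip = str(net.get("bindIp", "127.0.0.1"))
    exposed = any(ip.strip() not in LOOPBACK for ip in bind_ip.split(","))
    if str(net.get("bindIpAll", "false")).lower() == "true":
        exposed = True
    if exposed:
        findings.append(f"net.bindIp={bind_ip}: listening on a non-loopback interface")

    auth = str(sec.get("authorization", "disabled"))
    if auth != "enabled":
        findings.append(f"security.authorization={auth}: any client may read, write or drop every database")

    if exposed and auth != "enabled":
        findings.append("CRITICAL: reachable over the network with no authentication, the pattern the wiper campaigns target")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, mongod_findings(conf) or ["no findings"])
```

Binding to loopback is only a fix if the application tier sits on the same host; where it does not, the hardened form is a bindIp restricted to the internal interface plus authorization enabled, and a firewall rule in front of port 27017. The check treats an absent security section as disabled, because that is what mongod does.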

Security awareness training is key

Another basic that is often implemented poorly, if at all, is security
awareness training. "Quarter after quarter the pattern has repeated
itself," Inga Goddijn, executive vice president at Risk Based Security
said, continuing "unauthorized access of systems or services, skimmers
and exposure of sensitive data on the Internet have been the top three
breach types since January of 2018. However, insider actions, both
malicious and accidental, have driven the number of records exposed."

The insider threat is amplified by a press release that landed in my
inbox as I was writing this article. That release, from people-centric
security vendor Egress, revealed figures sourced using a Freedom of
Information request to the UK Information Commissioner's Office.

Those figures suggest that 60% of the 4,856 personal data breaches
reported to the ICO in the first half of 2019 were the result of human
error. The press release stated that 43% were the result of incorrect
disclosure and 20% posting or faxing data to the wrong recipient.
Emailing information to incorrect recipients or failing to use the Bcc
function accounted for 18%, while 5% were caused by providing data in
a response to a phishing attack.

"All too often, organizations fixate on external threats, while the
biggest cause of breaches remains the fallibility of people and an
inherent inability of employees to send emails to the right person,"
Tony Pepper, CEO at Egress, said. "Not every insider breach is the
result of reckless or negligent employees, but regardless, the
presence of human error in breaches means organizations must invest in
technology that works alongside the user in mitigating the insider
threat," Pepper concluded.
