[BreachExchange] 2019: A Banner Year (And Bumper Data Crop) For Hackers

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 31 20:42:19 EST 2019


It’s the list no one likes to be on.

It’s kind of like being on the “worst dressed list” except that we’re
talking about stolen data and, probably, lots of lawsuits.

Welcome, then, to the Top Data Breaches of 2019.

The readings are pretty grim. At a high level, the numbers are staggering.
Millions of accounts hacked. Billions of records accessed. Thousands of

In data coming into the end of the year, Risk Based Security said hackers
had accessed 7.9 billion records into the last few months of the year, and
they were on track to access 8.5 billion records across more than 5,100
attacks — meaning through the first nine months of the year (the estimate
as of this writing), the number of breaches grew by 33 percent.

We can slice and dice the breaches in any number of ways. But perhaps one
view that illustrates how vulnerable some companies are in a “smash and
grab” is to show how many records were hacked. The fraudsters, after all,
feast on data, and data lie within the records. Get enough records together
and it becomes easier to cobble together synthetic identities.

As has been documented here, fraudsters always look for the path of least
resistance, and taking bits and pieces of disparate information can help
them stitch together new personas that go on to drain accounts, take out
loans, and even establish entire credit profiles that can exist for years.

The hacks are not confined to industry verticals or to data type. In some
cases, it’s not easy to put a dollar amount on the breaches because fines
have not accrued, suits may not have been filed, and the true extent of
damage is not yet known.

We are making a distinction between data that is exposed (and is
vulnerable) versus data that is breached (where data have been accessed and
extracted by targeted efforts). In many cases, the bad guys have advertised
stolen data for sale on the dark web.

We are also making a distinction between hacks that were announced during
the year, such as the gargantuan disclosure by Marriott that hackers
accessed 383 million guest records, but the attacks were in 2018.

Size and Scope

To get a sense of size and scope, among the biggest breaches of the year
include the one seen at Facebook, as reported near the end of December, and
where a database with 267 million user IDs, phone numbers and names was
left unsecured — and accessed by hackers. According to reports and as noted
in this space, the data reportedly may have been accessed through
manipulation of the social media giant’s API.

Zynga, the mobile gaming company, saw another large breach with 218 million
records hacked. In a statement in September, the company said “cyber
attacks are one of the unfortunate realities of doing business today. We
recently discovered that certain player account information may have been
illegally accessed by outside hackers.”

The attacks affected consumers who had played games like “Words with
Friends.” Among the data taken were account login information, and as
reported by sites such as CNBC, Facebook IDs, too.

High tech — the social media kind — also proved to be a lure for hackers,
and where cumulatively 617 million records went on sale on the dark web in
February for about $20,000 in bitcoin. Records hacked from video messaging
app Dubsmash topped 161 million. The records stolen ranged from email
addresses to passwords. Additionally, MyFitnessPal had 151 million records
hacked, and MyHeritage had 92 million.

Capital One loomed large this year, as a significant data breach reported
in July saw fraudsters access more than 100 million records — and reports
said the data was tied to Americans and Canadians who had applied for
credit cards over the span of more than a decade and a half — dating back
to 2005. Data compromised included email addresses, Social Security numbers
and bank information.

Separately, around 11.9 million records were compromised and exposed in a
data breach of American Medical Collection Agency — a collector for Quest
Diagnostics and UnitedHealth Group. Hackers took data spanning bank
accounts, Social Security numbers, credit cards and personal information.

The Costs

Beyond (perhaps immeasurable) hits to reputation, there’s financial impact
associated with the breaches. IBM estimated this year in its annual study
of that impact, the cost of a data breach has risen by 12 percent over the
past 5 years. The breaches now cost $3.92 million on average. Drill down a
bit, and the impact of the largest breaches becomes apparent: IBM said
breaches of more than 1 million records cost companies about $42 million in
losses, and those with at least 50 million records see costs of around $388

Goodbye, then, to 2019, and as 2020 dawns, unfortunately, there’s no reason
to expect the battle against the hack attacks is going to get any easier.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20191231/35da603f/attachment.html>

More information about the BreachExchange mailing list