[BreachExchange] 2018 Was Second-Most Active Year for Data Breaches

Destry Winant destry at riskbasedsecurity.com
Fri Feb 15 01:32:56 EST 2019


https://www.darkreading.com/threat-intelligence/2018-was-second-most-active-year-for-data-breaches/d/d-id/1333875

Hacking by external actors caused most breaches, but Web intrusions
and exposures compromised more records, according to Risk Based
Security.

More than 6,500 data breaches were reported in 2018, a new report from
Risk Based Security shows.

The breaches, both big and small, were reported through Dec. 31, 2018
— marking a 3.2% decline from the 6,728 breaches reported in 2017 and
making it the second-most active year for data breaches on record.
Some 5 billion records were exposed, or about 36% less than the nearly
8 billion records exposed in breaches in 2017. In addition, more
records were compromised last year than in any previous year other
than 2017 and 2005.

As has been the case previously, a handful of mega breaches accounted
for a vast proportion of the compromised records. In 2018, the 10
largest breaches accounted for approximately 3.6 billion exposed
records — or a startling 70% of the total. In all, 12 breaches in 2018
exposed at least 100 million records. Organizations that disclosed the
largest breaches last year included Facebook, Under Armour, Starwood
Hotels, and Quora.

For a vast majority of breaches, however, the number of exposed
records was 10,000 or less — as has been the case since at least 2012.

The medical and education sectors, often denigrated for having poor
security, ironically enough exposed far fewer records than other
supposedly more secure sectors. Risk Based Security's analysis shows
that financial services companies, technology firms, retailers,
restaurants, hotels, and other businesses were responsible for nearly
66% of the reported breaches and a nearly identical proportion of the
records that were exposed last year. In contrast, the medical and
education sectors combined exposed less than 10 million records.

More than six in 10 of the breaches exposed email addresses, and about
57% involved passwords. The proportion of breaches that exposed Social
Security numbers and credit card numbers — the two most valuable
pieces of data for criminals — was somewhat smaller in contrast, at
13.9% and 12.3%, respectively.

Risk Based Security's report shows that hacking by malicious external
actors remained the cause for most data breaches (57.1%), but Web
breaches, such as those resulting from intrusions and data publicly
accessible via search engines, exposed more records (39.3%). Insider
breaches — of the accidental, negligent, and malicious variety —
accounted for about 14% of all breaches last year.

The Breach Disclosure Struggle
One surprise in the data was the scant progress that organizations
appear to be making in closing the gap between breach discovery and
breach disclosure, says Inga Goddijn, executive vice president at Risk
Based Security.

The data shows that government and private institutions took an
average of 49.6 days last year to publicly report a breach after its
initial discovery. That was actually marginally longer than the 48.6
days it took in 2017, suggesting that organizations are struggling to
speed up incident response despite the increased pressure on them to
do so in recent years.

"What we found was, after three years of closing the gap between
discovery and reporting, the average number of days between those two
dates was stagnant in 2018," Goddijn says.

The general anticipation was that mandates such as the European
Union's General Data Protection Regulation would put pressure on
enterprise organizations to improve breach disclosure times. So it
was surprising to see little movement on that front last year. "It's
hard to say why it is still taking nearly 50 days to disclose a
breach," Goddijn notes. "It could be we have reached a plateau, where
it simply takes two to three weeks to conduct a full investigation and
another two to three weeks to work through preparing and releasing a
notification."

The GDPR also has a clear distinction between disclosing a breach to
authorities and notifying victims about it, Goddijn says. The mandate
requires breach entities to inform data regulators in their
jurisdictions about the incident within 72 hours. But it offers some
discretion around when and even whether an organization needs to
notify those impacted by a breach. "So even if an event is swiftly
reported to privacy regulators, it is possible the event will be
publicly disclosed weeks later, if at all," Goddijn says.

Risk Based Security's report does not include "dwell time," or the
duration between when an attacker first breaks into a network and when
the intrusion is first discovered. But it does show that nearly 70% of
organizations that disclosed a data breach in 2018 learned of it from
an external source. In fact, only 680 of the more than 6,500 disclosed
breaches last year were internally discovered.

"If we look at the rate of internal discovery versus external
discovery, we can see that many organizations are still learning of
the incident from external sources, such as law enforcement, fraud
detection, independent researchers, or even their own customers,"
Goddijn notes. "Our assumption is that organizations that are better
able to detect a breach will also be better positioned to respond.
That's something we'll be taking a closer look at in 2019."
