[BreachExchange] From 4,000 to 40,000 Data Breaches: People are Still the Problem

Destry Winant destry at riskbasedsecurity.com
Mon May 6 10:10:51 EDT 2019


https://www.riskbasedsecurity.com/2019/05/from-4000-to-40000-data-breaches-people-are-still-the-problem/

On May 2, 2019, we hit a data breach milestone. The Cyber Risk Analytics
research team added the 40,000th breach entry to our ever expanding data
breach database. Coming hot on the heels of the 200,000th vulnerability
added to VulnDB, it can be tempting to think much of the breach activity
taking place over the years has been the result of the endless onslaught of
software weaknesses. After all, it doesn’t take much digging to find high
profile breach examples attributed to unpatched vulnerabilities (we’re
looking at you, Equifax).

“If we look back through the history of how we got to 40,000 breaches, we
can see what a truly difficult task it is to keep sensitive data secure,”
commented Inga Goddijn, EVP for Risk Based Security and head of Cyber Risk
Analytics. “Yes, attack methods change over time and patching is more
challenging than ever, but breaches can come from anywhere there is data.”

Comparing the 4,000th entry to the 40,000th highlights the point. Back in
August of 2007, an employee of Spotsylvania County, Virginia was working in
the conference room of a public building. She stepped away for a moment and,
upon her return, found that the laptop she had been working on was gone.
Typical of the times, 3,000 sensitive records containing the personal
information of fellow employees, as well as details from business licenses
and property tax bills, were stored directly on the machine. The laptop was
password protected, but the data was not encrypted, so the password offered
no protection against anyone who simply removed the drive.

“Stolen laptops were the number one breach type back in 2007, accounting
for 22.1% of all reported breaches while exposing 2.9% of records that
year,” noted Ms. Goddijn. Fast forward to 2018, and the problem of
sensitive data stored on unsecured laptops has been largely addressed.
There were still 51 such events in 2018, but those accounted for fewer than
1% of breaches reported. Only 253,374 records were exposed by stolen
laptops last year, barely registering in the context of the 5.1 billion
total records compromised.

But let’s not celebrate prematurely. Unfortunately, the problem of
sensitive data on unprotected equipment has been replaced by that of
sensitive data unprotected in the cloud.

The incident at Ladders, Inc. became our 40,000th entry, and in many ways
it’s just as typical for 2019 as the Spotsylvania County incident was for
2007. On May 1st, it was reported that an open, unprotected Elasticsearch
database had been left exposed on the Internet, reachable without any
authentication. The AWS-hosted database contained a year’s worth of user
profile data and recruiters’ information. In all, upwards of 13,700,000
records were exposed in the incident.

Moving sizable databases to the cloud has introduced configuration concerns
that simply were not a problem in 2007: a datastore that is bound to a public
interface with no access control is readable by anyone who finds it. As a
result, inadvertent exposure of data on the web accounted for 4.1% of
breaches reported in 2018, yet those events exposed a whopping 1.9 billion
records, or 39.1% of all records compromised that year.

“Unsecured databases have become the stolen laptops of the time,” Ms.
Goddijn commented. “We may have conquered the equipment problem, but we are
still seeing a multitude of preventable breaches; that is to say the means
for avoiding the data loss in the first place is largely within the
organization’s control.”

All of the latest breach trends can be found in the soon-to-be-published Q1
2019 Data Breach QuickView Report. Check back here on May 7th, when the
report becomes publicly available. In the interim, all the findings from
2018 are still available in our 2018 Year End Report:
<https://www.riskbasedsecurity.com/2019/02/over-6500-data-breaches-and-more-than-5-billion-records-exposed-in-2018/>