[BreachExchange] 2020 sees huge increase in records exposed in data breaches

Destry Winant destry at riskbasedsecurity.com
Fri Jan 22 11:07:47 EST 2021


https://www.techrepublic.com/article/2020-sees-huge-increase-in-records-exposed-in-data-breaches/

Data breaches now seem to be a never-ending story as we constantly
hear about one company after another being compromised. The true
damage of these breaches lies in how much private or confidential
information is exposed. Though the number of reported breaches may
have declined last year, the number of breached records skyrocketed,
according to a report released Thursday by security firm Risk Based
Security (RBS).

Data breaches in 2020

The volume of publicly disclosed data breaches fell by 48% in 2020
compared with the previous year, leading to 3,932 in total. However,
the volume of records that were compromised by these breaches jumped
by 141% to a whopping 37 billion, the largest number seen by RBS since
2005. Further, reading between the lines reveals even more to the
story.

Not all organizations that suffer a data breach disclose it publicly.
Some may wait to report it. Plus, other factors can affect the
reported numbers.

"We do not believe fewer breaches are happening," Inga Goddijn,
executive VP at Risk Based Security, said in a press release.
"Disruptions at certain governmental sources, delayed reporting, and
declining news coverage have all contributed to fewer breaches coming
to light in 2020, but that is only a part of the story. More complex
and damaging attacks have also contributed to lengthy and complex
investigations."

One specific incident shows how the full impact of a breach might not
surface for months. Last year, cloud provider Blackbaud was hit by a
ransomware attack that it seemingly mitigated before any severe damage
occurred. However, the attackers still managed to steal enough data to
create problems for many of the firm's clients several months after
the incident.

Another incident shows the lasting and widespread impact of a data
breach. Last October, hacking group Shiny Hunters publicly shared a
database stolen from food delivery company Home Chef on a hacking
forum. In the weeks that followed, the group shared 16 other databases
on the forum. All of the databases contained email addresses and some
types of passwords or authentication tokens along with names, dates of
birth, and home addresses. In the span of just five weeks, more than
129,400,000 sensitive user records had been leaked.

Ransomware also influences how and where data breaches are reported.
In 2020, ransomware and data theft together proved to be a volatile
combination. The number of confirmed ransomware attacks that resulted
in data breaches doubled to 676 last year from 337 in 2019, according
to RBS.

"The rise of ransomware coupled with the particularly pernicious
practice of leaking data stolen during the attack has been a leading
theme of the year," Goddijn said. "There were few signs that
ransomware would explode into a preferred method for monetizing
attacks, and while the coverage of breach events has picked up once
again, the changing tactics means less information about events is
being disclosed."

A metric that reveals still more about data breaches is severity.
Measured on a scale of 0 to 10, breach severity is calculated based on
how many records were stolen, how the breach occurred, the type of
data exposed, and other factors. The first quarter started with an
average severity score of 4.75 and then gradually climbed to hit a
score of 5.71 around the third quarter.

Despite the high number of exposed records and the severity of last
year's data breaches, the problem may not be as widespread as it appears.
Among all the exposed records analyzed for 2020 by RBS, 30.4 billion,
or 82%, came from just five data breaches. All five were caused by
misconfigured databases or services, while in two of the largest ones
(accounting for 18.2 billion of the exposed records), the data exposed
included a variety of log files. In this regard, the stolen records
are not likely to be used for malicious purposes, the report said.

Recommendations

With this threat to customer records and other sensitive information,
how can organizations better protect themselves against data breaches?

"If there is one fact that our research confirms time and again, it's
that no organization is immune from experiencing a breach event," said
Goddijn. "So while striving for zero data breaches is an admirable
goal, it's likely an unattainable one. Rather, focusing on resiliency
and having a well-developed incident response plan can go a long way
toward reducing the negative impact of a breach."

In the event of a breach, how should an organization responsibly
report and disclose it?

"Certainly complying with applicable statutes for reporting a breach
event should be top of mind whenever personally identifiable
information is at risk," Goddijn said.

"Beyond that, clear, consistent, and factual communications really do
go a long way toward maintaining relationships," Goddijn added.
"Impacted persons and business partners want to understand what took
place, what types of information have been exposed, and what it means
for them. Typically, that includes sharing regular updates as
information becomes available and centralizing communications so there
is one clear 'source of truth' about the event."

