On August 15, 2019, Risk Based Security released its 2019 MidYear QuickView Data Breach Report, and it doesn’t look promising for 2019. Listed as one of the 10 fastest-growing security companies by The Silicon Review, the Richmond, Va., group specializes in vulnerability intelligence and breach and risk ratings.
Its midyear report covers the data breaches captured during the first six months of 2019 as of July. The title of the press release announcing the report reveals a rather pessimistic outlook: “2019 on Track for Another ‘Worst Year on Record.’”
Among the key findings, the two essential numbers in the report were how many breaches there were and what sort of increase that represents. See Figure 1.
“3,813 breaches were reported through June 30, exposing over 4.1 billion records” answers the first question, and how that compares to last year is revealed with the second finding: “Compared to midyear of 2018, the number of reported breaches was up 54%, and the number of exposed records was up 52%.” That’s 21 breaches a day, every day. It prompted this comment from Executive Vice President Inga Goddijn, “The number of breaches is up, and the number of records exposed remains stubbornly high. Despite best efforts and awareness among business leaders and defenders, data breaches continue to take place at an alarming rate.”
Another disturbing number shows eight specific first-half breaches that exposed more than 100 million records each. The totals for just those eight accounted for 3.2 billion records. In an end-note section, the report includes a 10 largest breaches of all time list, and that table now contains three breaches reported in 2019, including intrusions at Verifications.io, First American Financial Corporation, and Cultura Colectiva.
According to the report, the most prized targets for hackers are email addresses and passwords, “with email addresses exposed in approximately 70% of reported breaches and passwords exposed in approximately 64% of reported breaches.” Other significant identifying data points exposed include: name (23%); address (11%); Social Security number (11%); credit card number (11%); and date of birth (8%).
One of the numbers that has remained stable is the source of the attacks. According to Risk Based Security, “The vast majority of incidents are attributable to malicious actors outside of the organization (89%), yet more and more sensitive data is exposed when insiders fail to properly handle or secure the information.” The report shows 8% of breaches are from inside, and 58% of that type are described as “accidental,” with 12% deemed “malicious.”
Of the sectors reporting most successful hits and damage, the report points to the business sector as No. 1. “The key findings include that the Business sector accounted for 67% of reported breaches, which continues the trend observed in the Q1 2019 report. From these breaches, further analysis reveals that the Business sector was responsible for 84.6% of records exposed.” A table of the various sectors affected by intrusions shows a wide range from construction to healthcare, mining to retail. See Figure 3.
At the rate of 21 breaches per day, there’s apparently no posted speed limit as we continue to accelerate toward a likely 50%+ increase again for this year. Most of the attacks come from outside, and analysts warn, “The interest in user credentials is the key. Troves of usernames and password combinations continue to become available on forums and file sharing sites while phishing for access credentials has surged in recent months, proving once again that tried and true social engineering techniques still produce results for attackers.”