2013 may be remembered as the “year of the retailer breach”. This statement was reported in the last Verizon Data Breach Investigation Report 2014, and reminds us that last year was considered by security experts as one of the worst years due the impressive number of data breaches that occurred and their effects on enterprises, SMBs and government entities.
Also, Symantec Corporation reported in his Internet Security Threat Report 2014 that the number of mega breaches, defined as incidents that caused the exposure of at least 10 million identities, was eight in 2013, compared with only one in 2012. The document also reported that the top ten types of information breached is led by real names, followed by birth dates and government ID n umbers.
Figure – Major Data Breaches in 2014 (Internet Security Threat Report 2014)
Retail was the most targeted industry, as the number of victims reached in the hundred millions of cardholders. As explained by experts at Verizon security firms, during the last year offensives mutated from geopolitical attacks to large-scale attacks on payment card systems.
Risk Based Security and the Open Security Foundation have recently issued this study based on data related to 2,164 data loss incidents reported in 2013, evidencing the principal causes and the contexts in which they are accrued. The number of data loss incidents observed in 2013 has increased in a significant way; it is three times bigger than the number of data breaches in the previous year.
During the 2,164 incidents, nearly 822 million records were exposed, and in the majority of the cases (72%) the data breaches involved outside attackers, meanwhile insiders are responsible only for 25% of the incidents, mainly caused by accidents and human error. The Risk Based Security study reports that the business sector accounted for 53.4% of reported incidents, followed by Government (19.3%), Medical (11.5%), and Education (8.2%). 45.5% of the data breaches hit entities based in the US.
The analysis of the geographic distribution of data breaches reveals that the US and South Korea account for 83.6% of records. The second place occupied by the Asian country is attributable to the exposure of 140 million email addresses and identification numbers. Security experts are confident that the records were compromised by North Korean cyber units that make constant pressure against South Korea government and national businesses.
Figure – Exposed Records Ranking (Risk Based Security and Open Security Foundation Report)
As reported by the study, despite that the number of incidents has decreased in the last five years, the number of exposed records has reached its maximum, three times the number of records of the last year. US organizations accounted for 66.5% of the compromised records. The US internal ranking is led by the state of California, which accounted for 370 million records exposed.
Figure – Historical incident data (Risk Based Security and Open Security Foundation Report)
Four 2013 incidents have secured a place on the Top 10 All Time Breach List. The greatest data breach of all time was happening last year, when servers at Adobe Systems were compromised in a serious attack in March. The attackers disclosed 152 million records, including customer names, IDs, encrypted passwords and debit/credit card numbers with expiration dates, source code, and other information relating to customer orders.
According to data proposed in the report, the principal cause for data breaches and incidents observed last year was hacking (59.8%), which accounted for 72.0% of exposed records. Just 4.8% of the reported incidents were the result of Web-related attacks, which accounted for 16.9% of exposed records.
Figure – Analysis of breach type/records (Risk Based Security and Open Security Foundation Report)
The data presented in the above table are essentially aligned with results provided by other security firms like Verizon. Hacking is recognized as the principal cause for data exposure. The number of data breaches resulting from cyber attacks of this type is in constant increase, as shown in the following graph.
Figure – Number of breaches per threat action (Verizon’s 2014 Data Breach Investigations Report)
Also the Symantec Security Threat Report 2014 confirms that hacking was once again the primary cause of data breaches in 2013. Hacking activities can result in undermining institutional confidence in a company, as it could cause the exposure of personal and sensitive data, exposing an organization’s reputation to serious repercussions. According to Symantec, hacking accounted for 34 percent of data breaches in 2013, followed by the accidental disclosure of data at 29 percent, and Theft or Loss of Computer or device accounted for 27 percent of data breaches.
The Symantec study also confirmed that the overall average size of a breach in increased in important ways. The median number of identities stolen has actually fallen from 8,350 in 2012 to 6,777 in 2013.
“Using the median can be helpful in this scenario since it ignores the extreme values caused by the notable, but rare events that resulted in the largest numbers of identities being exposed.”
Symantec registered 253 data breaches, resulting in a total of 552,018,539 identities exposed, with an average number of identities exposed per incident of 2,181,891, compared with increments of 361 percent in respect to 2012.
Figure – Data Breach Statistics 2013 (Internet Security Threat Report 2014)
Despite the prevalence and severity of the outside threat, inside threat is considered one of the most significant risks to the overall security of any organization.
We must distinguish the accidental release of information from intentional data leakage. The first group is almost twice the second one. The analysis of 3,515 insider incidents revealed that malicious activity accounted for only 30.2% of all incidents. The study reports that just 18.9% of the total exposed records are the result of insider activity. Fraud/Social Engineering is the principal methods of attack related to insiders.
A review of insider breaches reveals that an accidental release of information occurs almost twice as often as an intended data compromise [9.4% Malicious vs. 17.1% Accidental]. The majority of insider incidents (63.6%) is related to activities such as errant website postings, careless equipment disposal or poor equipment management.
Figure – Inside Accidental Incidents (Risk Based Security and Open Security Foundation Report)
Recently, Verizon issued its annual report titled Verizon’s 2014 Data Breach Investigations Report (DBIR). The study analyzed the principal incidents and data breaches that occurred in 2013, trying to identify the principal pattern covering the bad actors, the techniques adopted by attackers, the targets hit, timelines of the attacks and a series of recommendations to mitigate the cyber threat.
The data presented by Verizon in the 2014 Data Breach Investigations Report (DBIR) were collected with the contribution of 50 global companies. It is based on 1,367 confirmed data breaches and 63,437 security incidents in 95 countries.
The experts at Verizon discovered that the majority of incidents could be categorized into the following nine principal patterns:
- POS Intrusions
- Web App Attacks
- Insider Misuse
- Physical Theft/Loss
- Miscellaneous Errors
- Card Skimmers
- DoS Attacks
- Cyber Espionage
The study also analyzed the incidence of the adverse events on the different industries.
Figure – Data Breach Patterns (Verizon’s 2014 Data Breach Investigations Report)
According to data collected by Verizon for its annual analysis experts, 2013 was mainly characterized by a great number of incidents which involved payment systems. 2013 may be remembered as the “year of the retailer breach”. During the last year, offensives mutated from geopolitical attacks to large-scale attacks on payment card systems. Examining the attacks occurred last year, it is possible to note that principal attackers’ motivations were:
As shown in the graph below, despite that financially motivated attacks represent the majority of the overall offensives, their number is slowly decreasing in favor of the increase the cyber espionage operation. Personally, I believe that this is just a temporary deflection. Financial attacks will continue to dominate the threat landscape, considering that they represent almost the totality of attacks conducted by the prolific cybercrime ecosystem.
Figure – Data Breach Motivations (Verizon’s 2014 Data Breach Investigations Report)
The industries that most of all were victims of cyber espionage attacks from foreign countries are utilities, manufacturing, and mining.
Typical cyber espionage is linked to state-sponsored hackers which were able to gain unauthorized access to networks or systems of private companies and foreign government organizations. According to Verizon, the total number of incidents related to cyber espionage is 511. 306 confirmed data disclosure.
“Key findings Most surprising to us is the consistent, significant growth of incidents in the dataset. We knew it was pervasive, but it’s a little disconcerting when it tripled last year’s already much-increased number. Espionage exhibits a wider variety of threat actions than any other pattern. The most evident changes from our last report include the rise of strategic web compromises and the broader geographic regions represented by both victims and actors,” reports the Verizon study.
Cyber espionage is probably the most insidious cyber threat, as it operates on a long term horizon. Typically attackers try to obtain persistent access to targeted systems for a long time. In many cases, they succeed and attacks go uncovered for months, in many cases for years.
It’s my opinion that data presented by Verizon are just the tip of the iceberg. Many organizations totally ignore having been victims of cyber espionage operations. It is a dangerous and wrong attitude to avoid disclosing data breaches to protect an entity’s reputation. This wrong practice gives an advantage the attackers, who in many cases will re-use the information gathered for further cyber attacks.
The country that most of all suffered data breaches and incidents caused by cyber espionage operations is the USA, followed by far by South Korea and Japan. The bad actors behind the attacks are mainly state-sponsored actors and cyber criminals. This last category mainly involved mercenary-style operations conducted to steal intellectual properties, source code, or digital certificates contracted by a rival organization or other interested party.
Figure – Cyber Espionage (Verizon’s 2014 Data Breach Investigations Report)
In the below table are reported for each industry the percentage of incidents related to the various attack category. For example, in the Accommodation industry, 75% of attacks are related to POS Intrusion. Analyzing the data related to principal threats, it is possible to note that crimeware mainly hit Construction and Information and Utilities, while Denial of Service attacks mainly targeted industries like Management, Entertainment, Retail and Professional.
As anticipated, the pressure used by attackers with POS-Intrusion on Accomodation and Retail industries is impressive.
Figure – Cyber Threat x Industry (Verizon’s 2014 Data Breach Investigations Report)
Analyzing the effects of Web attacks, the Verizon data breach reports that the primary causes are the exploitation of weaknesses in the application and the exploitation of stolen credentials to impersonate a valid user. Web attacks are very diffused by Information. Utilities and Trade are the industries that most of all suffer from this kind of offensive.
A significant number of attacks targeted popular content management systems (e.g., Joomla!, WordPress, or Drupal) to gain control of servers for use in DDoS campaigns. Security experts at Verizon recommended the following controls to mitigate the threats:
Don’t use single-factor password authentication for anything that faces the Internet;
Set up automatic patches for any content management system such as Drupal and WordPress;
Fix vulnerabilities right away before the bad guys find them;
Enforce lockout policies;
Monitor outbound connections.
The Economic Impact of Data Breaches
Recently, The Ponemon Institute has issued its ninth annual report “Cost of Data Breach Study“, an interesting study on the economic impact of data breaches. The study, sponsored by IBM, shows an increase of the average data breach cost per victim: it is about $145 per compromised record, with an increment of 9 percent in respect to the previous year.
The average cost of a data breach for companies has increased by about 15% in respect to 2012, reaching $3.5 million.
The root causes of data breach globally are malicious or criminal attacks, at nearly 42%. Followng that, 30% of data breaches are related to the operation of negligent employees or contractors (human factor), and 29% involved system glitches (IT and business process failures).
Figure – Root causes of Data breaches (Ponemon Cost of Data Breach Study)
The study shows that countries in the Middle East and Germany suffered more incidents caused by malicious or criminal attacks. Data breaches in India were characterized by a system glitch or business process failure, while human error is the primary problem for Brazilian and British environments.
“Malicious attacks are more costly globally. Figure 6 reports the per capita cost of data breach for three root causes of the breach incident on a consolidated basis. These results show data breaches due to malicious or criminal attacks cost companies increased from an average of $157 in last year’s study to $159. This is significantly above the consolidated mean of $145 per compromised record and the per capita cost for breaches caused by system glitch and human factors ($126 and $117, respectively). Last year, system glitches averaged $122 and human error stayed the same at $117,” states the report.
The greatest threats to the organization are malicious code and sustained probes. The Ponemon Cost of Data Breach Study report states that companies suffered an average of 17 malicious codes each month and 12 sustained probes each month.
According to the Ponemon Cost of Data Breach Study, German and US entities experienced the higher costs at $195 and $201, respectively. Both countries paid the highest value per compromised record for data breaches caused by malicious and criminal attacks: nearly $246 and $215 per record.
Figure – Average per capita cost of data breaches (Ponemon Cost of Data Breach Study)
The costs of data breaches are very different for each sector. Heavily regulated industries such as healthcare, pharmaceutical and financial services had the highest per capita data breach cost ($145).
The analysis conducted by the Ponemon Institute identified the eight factors which had a major influence on the per capita cost of a data breach. The study confirms that a strong security posture helps organizations to reduce the cost of a data breach ($14 per record). Lost or stolen devices, third party involvement in the incident, quick notification and engagement of consultants increases the per capita cost of data breach. For example, if the data breach involved lost or stolen devices, the cost per record could increase to $161.10 ($145 + $16.10).
Figure – Eight factors on the per capita cost of data breaches (Ponemon Cost of Data Breach Study)
Data breaches have major consequences for both the corporations and consumers; companies in particular can face severe repercussions on their business. The principal effect is the financial loss caused by the data breach, and reputational damages are another serious consequence of these incidents. Major data breaches usually are subject to extensive media coverage, and in some cases the victim organizations could be subject to a class action lawsuit filed by its clients.
Additionally, customers could lose trust in the company, choosing to change service providers that in some cases could also be a direct competitor. Further expenses related to a data breach cover detection, escalation, notification and incident response.
But private enterprises aren’t unique victims of data breaches. Final customers are also seriously impacted by these incidents; clients in fact are probably most exposed to the cybercrime, which can use the victim’s personal details for fraudulent activities (e.g. Spear phishing attack, banking frauds, social engineering, debit/credit frauds).
Increasing the serious consequence of data breaches is the user’s bad habit to share the same credentials over different accounts and web services.
As highlighted by Symantec, medical identity theft could have a huge impact on the final consumer, under financial perspective and privacy, causing legal problems.
“Attackers can use health insurance information, personal details, and social security numbers to make false claims on their victims’ health insurance. They could take advantage of this data to get free medical treatment at the victims’ cost, or even to obtain addictive prescription drugs for themselves or to sell to others. According to our data, the healthcare sector contained the largest number of disclosing data breaches in 2013 at 37 percent of those disclosed,” states the last Security Threat Report 2014.
As demonstrated by the results proposed in post analyses, data breaches mainly resulted in targeted attacks against entities of specific industries. In these cases, attackers were mainly financial motivated, but the number of offensives with the purpose of gathering sensitive information or to steal intellectual property is increasing.
Private companies and government entities need to improve their cyber strategies to prevent these kind of incidents. Unfortunately, security is still perceived as a supplementary cost to reduce; the budget to execute an organization’s security strategy and mission is usually far less than what it is needed.
It is necessary to make a radical change, otherwise the next report will continue to show concerning scenarios.