Data breaches now seem to be a never-ending story as we constantly hear about one company after another being compromised. The true damage of these breaches lies in how much private or confidential information is exposed. Though the number of reported breaches may have declined last year, the number of breached records skyrocketed, according to a report released Thursday by security firm Risk Based Security (RSB).
SEE: Security Awareness and Training policy (TechRepublic Premium)
Data breaches in 2020
The volume of publicly disclosed data breaches fell by 48% in 2020 compared with the previous year, leading to 3,932 in total. However, the volume of records that were compromised by these breaches jumped by 141% to a whopping 37 billion, the largest number seen by RSB since 2005. Further, reading between the lines reveals even more to the story.
Not all organizations that suffer a data breach disclose it publicly. Some may wait to report it. Plus, other factors can affect the reported numbers.
“We do not believe fewer breaches are happening,” Inga Goddijn, executive VP at Risk Based Security, said in a press release. “Disruptions at certain governmental sources, delayed reporting, and declining news coverage have all contributed to fewer breaches coming to light in 2020, but that is only a part of the story. More complex and damaging attacks have also contributed to lengthy and complex investigations.”
One specific incident shows how the full impact of a breach might not surface for months. Last year, cloud provider Blackbaud was hit by a ransomware attack that it seemingly mitigated before any severe damage occurred. However, the attackers still managed to steal enough data to create problems for many of the firm’s clients several months after the incident.
Another incident shows the lasting and widespread impact of a data breach. Last October, hacking group Shiny Hunters publicly shared a database stolen from food delivery company Home Chef on a hacking forum. In the weeks that followed, the group shared 16 other databases on the forum. All of the databases contained email addresses and some types of passwords or authentication tokens along with names, dates of birth, and home addresses. In the span of just five weeks, more than 129,400,000 sensitive user records had been leaked.
Ransomware also influences how and where data breaches are reported. In 2020, ransomware and data theft together proved to be a volatile combination. The number of confirmed ransomware attacks that resulted in data breaches doubled to 676 last year from 337 in 2019, according to RSB.
“The rise of ransomware coupled with the particularly pernicious practice of leaking data stolen during the attack has been a leading theme of the year,” Goddijn said. “There were few signs that ransomware would explode into a preferred method for monetizing attacks, and while the coverage of breach events has picked up once again, the changing tactics means less information about events is being disclosed.”
A metric that reveals still more about data breaches is severity. Measured on a scale of 0 to 10, breach severity is calculated based on how many records were stolen, how the breach occurred, the type of data exposed, and other factors. The first quarter started were an average severity score of 4.75 and then gradually climbed to hit a score of the 5.71 around the third quarter.
Despite the high number of exposed records and the severity of last year’s data breaches, the problem may not be widespread as it appears. Among all the exposed records analyzed for 2020 by RSB, 30.4 billion, or 82%, came from just five data breaches. All five were caused by misconfigured databases or services, while in two of the largest ones (accounting for 18.2 billion of the exposed records), the data exposed included a variety of log files. In this regard, the stolen records are not likely to be used for malicious purposes, the report said.
With this threat to customer records and other sensitive information, how can organizations better protect themselves against data breaches?
“If there is one fact that our research confirms time and again, it’s that no organization is immune from experiencing a breach event,” said Goddijn. “So while striving for zero data breaches is an admirable goal, it’s likely an unattainable one. Rather, focusing on resiliency and having a well-developed incident response plan can go a long way toward reducing the negative impact of a breach.”
In the event of a breach, how should an organization responsibly report and disclose it?
“Certainly complying with applicable statutes for reporting a breach event should be top of mind whenever personally identifiable information is at risk,” Goddijn said.
“Beyond that, clear, consistent, and factual communications really do go a long way toward maintaining relationships,” Goddijn added. “Impacted persons and business partners want to understand what took place, what types of information has been exposed, and what it means for them. Typically, that includes sharing regular updates as information becomes available and centralizing communications so there is one clear ‘source of truth’ about the event.”