By Jason Hart
Since 2013, Gemalto’s Breach Level Index (BLI) has been used to track data breaches and measure their severity based on multiple dimensions, including number of records compromised, types of data, breach sources, how data was used and whether it was encrypted. The findings are released annually and each year seems to have unique trends. For instance, 2015 attacks focused on well-known consumer websites and shed light on the need for stronger security as the Internet of Things began to take off.
2016 was no exception.
The year saw more than a billion data records lost or stolen. Distributed denial of service (DDoS) attacks continued to garner attention on the corporate security front. Yet, 2016 will long be remembered as the year “things got personal.” The period was highlighted by ransomware attacks moving into the mainstream, as well as extortion threats aimed at individuals over exposure of particularly sensitive information.
A number of companies, including healthcare providers, utilities and others, proved quite willing to pay ransoms in order to avoid losing data or having systems shut down, a clear sign this type of attack is having an impact on businesses. However, most concerning for individuals was a major increase in breaches aimed at stealing personal data on Web sites many might be embarrassed to admit using, a problem for operators of these entities as well.
The top-scoring BLI breach involved Adult Friend Finder. The adult-oriented social network and online dating service was hit with an account access data breach exposing more than 400 million records. The event scored a maximum 10 on the BLI scale, with stolen data reportedly including customer e-mail addresses, the IP addresses last used to log in to the site and passwords. Taking third was Fling.com; the adult-oriented Web site and social network experienced an identity theft breach of 40 million records, earning it a BLI score of 9.8. According to the International Business Times, the passwords and sexual preferences of users were put up for sale on the dark web.
By targeting these types of databases, cyber criminals can extort victims into paying fees to avoid public embarrassment. They can go after operators as well; while breaches can have an adverse impact on any business, sites dealing in such areas can be particularly devastated. These kinds of attacks are making data breaches more personal than security incidents of the past, which typically involved ransom against companies or theft of financial data and not exposing users to public scrutiny.
A further twist in 2016 is that cyber criminals are using encryption maliciously: they hold data ransom by making it unreadable, and then extort the breached organizations and/or their customers.
2016 was further notable for the scale of records lost, stolen or compromised during data breaches, which was much larger than in previous years. The takeaway is that hackers are now casting a wider net whenever they launch an attack against a given target.
According to the BLI, hackers and other attackers launched 1,792 data breaches worldwide in 2016. While the number of breaches was down 4 percent, almost 1.4 billion data records were lost or stolen compared with 740 million in 2015, representing an increase of 86 percent. Further, consider that 936 out of these 1,792 breaches had an unknown number of records involved because the information was not publicly available. This is noteworthy as it represents the difficulty of knowing exactly how many people’s records have been affected.
According to the BLI, identity theft was once again the most common type of attack in 2016, the third straight year that has been the case. Identity theft was used for 1,050 data breaches, well over half of all incidents and accounting for 58.6 percent of the total.
The next biggest source of data breaches in 2016 was accidental loss, although the number of these incidents dropped from the year prior. Some 333 data breaches (18.6 percent) were caused by accidents in 2016, compared with 437 (23.4 percent) in 2015. While that’s down 23.8 percent, the number of records involved in such breaches increased 9.4 percent, from 2.65 million in 2015 to 2.90 million.
The following are a few other interesting data tidbits from Gemalto’s BLI:
- Amongst industry sectors, healthcare was easily the hardest hit with breaches.
- In terms of geography, the United States and North America had by far the largest numbers of disclosed breaches during the year.
- Despite state-sponsored security attacks getting attention in recent months, these types of breaches were down in 2016. State-sponsored hackers launched 22 data breaches in 2016, compared with 36 breaches in 2015, for a decrease of 38.9 percent. They were actually exceeded by hacktivists, who were responsible for 47 breaches in 2016.
If you are interested in receiving a copy of this report, please let us know.
About Jason Hart
As a former ethical hacker with decades of experience in the information security industry, Jason Hart has used his knowledge and expertise to create technologies that ensure organizations stay one step ahead of the risks presented by ongoing advances in cyberthreats.