Over 4.5 billion data records were breached in the first half of this year, according to a report from Gemalto’s Breach Level Index released this week. That’s the highest number of breaches ever in a single six-month time period, but a deeper dive reveals an even more worrying trend.
Gemalto, which sells authentication and data storage products, produces an analysis every six months of the reported breaches from each period. This total number of breached records in this year’s first half (1H) report equated 291 breached records every second, on average.
Records-per-breach is growing
The general rise in the volume of lost records is alarming enough (1H 2018’s figure is up 1,751% on 1H 2015), but what’s really scary is the average number of records per data breach incident. It’s growing quickly.
2015: 245.9m records across 999 incidents. That’s 276,936 records per incident.
2016: 554.5m records across 974 incidents. That’s 569,255 records per incident.
2017: 2.6bn records across 1765 incidents. That’s 1.47m records per incident.
2018: 4.5bn records across 945 breaches. That’s 4.8m records per incident.
The distribution of these compromised records on a per-breach basis isn’t equal, of course. There were some absolute whoppers in early 2018.
Gemalto has a risk scoring system for breached companies, with 9 or 10 rated ‘catastrophic’. There were four breaches in this category in 1H 2018: Facebook, Aadhaar, Exactis, and Under Armour.
Facebook’s social media scraping breach, in which most of its 2.2bn users could have had their personal information scraped, scored a 10, as did Aadhaar, India’s government-backed citizen ID system. It saw its 1.2bn citizens’ records accessible via an anonymous service that would give it access to information including their name, address, photo, phone number and email address.
Under Armour fell victim to a malicious hacker and lost up to 150m accounts. In this and the other breaches, malicious outsiders were to blame. No wonder, then, that malicious outsiders topped the list of breach sources, accounting for 56% of reported incidents and four in five breached records. It knocked accidental loss from the top spot as a source of data breaches, accounting for 34% of losses and just one in five (19%) of affected records.
Accidental loss was responsible for the other catastrophic-level breach in 1H 2018, though. Floridian data broker Exactis left 340m records about US citizens and businesses on an Amazon S3 server. Every record had information on over 400 variables, including whether they have pets, what their religion is and whether they smoked.
The sheer volume of breached records in some of the more significant incidents can skew results dramatically between time periods. For example, the reason that accidental loss held the top spot last year was because a handful of firms didn’t configure their software correctly and exposed unencrypted records online.
The number of accidental loss incidents was small that year, accounting for just 18% of incidents, but the companies that fouled up exposed billions of records online (72% of the 1H 2017 total) between them. All it takes is a few poorly-prepared sysadmins or developers to change the breach landscape.
River City’s 1H 2017 breach single-handedly pushed ‘nuisance’ breaches to the top spot by data breach type that year, with more than 1.5 billion compromised records, but that type of breach accounted for less than 1% of breached records (1.69 million) this time around.
A few breach incidents can also change the performance of entire vertical sectors. On a per-sector basis, social media topped the list at 2.6 billion records (56%) in 1H 2015, thanks mostly to Facebook’s scraping SNAFU. This was followed by government, with 27% of the lost records.
When it comes to the number of breach incidents, though, healthcare is a perennial winner. H1 2018 was no exception, with 256 incidents in the healthcare industry, far outpacing all others. This was interesting, as the number of breached records in the healthcare sector accounted for less than 1% of the total, indicating that in H1 2018 the number of records per breach in the healthcare sector was relatively low.
Walk back to 1H 2015 though, when health insurer Anthem lost nearly 80m customer records, and healthcare accounted for 34% of the total records breached, hitting the top spot.
What does this tell us, besides the fact that a lot of records are being compromised? It tells us that breaches are getting bigger, which means whichever handful of companies get hit by mega-breaches in any given period will sway the results.
Any large company with sensitive data – meaning all of them – are fair game for cybercriminals, and no one should rest easy. The era of the mega-breach is well and truly upon us.