8,200,000,000 Data Breaches

2019 is on pace to be the worst year ever for data breaches. If things continue at the same pace, 8.2 billion records will be exposed by the end of 2019. The threat intelligence firm Risk Based Security reports that during the first half of 2019 over 4.19 billion records were exposed in 3,813 reported breaches between January and July 2019.

Those numbers work out to more than 20 data breaches a day. Eight mega-breaches that exposed more than 100 million records were reported. These web-based breaches were primarily the result of leaving databases accessible to third parties and failing to protect them. Forbes reports that these misconfigured databases and services accounted for 149 of the 3,813 incidents reported this year. According to Forbes, the mega-breaches exposed over 3.2 billion records and accounted for 78.6% of the total records exposed in the first half of 2019.

Largest data breaches

The 10 largest data breaches for the first half of 2019 are:

  1. Verifications.io (982 million),
  2. First American Financial (885 million),
  3. Cultura Colectiva (540 million),
  4. Unknown organization in India (275 million),
  5. Unknown organization in China (202 million),
  6. Dubsmash (161 million),
  7. Canva (138 million),
  8. Justdial (100 million),
  9. Mobile Drip (80 million), and
  10. Unknown U.S. firm (80 million).

The Verifications.io, First American Financial, and Cultura Colectiva breaches are ranked among the top 10 breaches of all time based on the number of records exposed.

Consumer Affairs says Verifications.io is an email marketing company whose misconfigured database exposed 982,864,972 names, addresses, and Facebook, LinkedIn, and Instagram accounts. The information associated with the breach includes email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, and personal mortgage amounts. As a result of the incident, Verifications.io has ceased operations.

If you’ve bought a house, particularly in California, another breach may impact you. First American Financial Corporation exposed 885,000,000 records. Consumer Affairs writes that exposed data included real estate closing transaction records that contained names, Social Security numbers, phone numbers, email and physical addresses, driver’s license images, banking details, and mortgage lender names and loan numbers.

Other interesting data breach infobits

  • The number of breaches also reached a new high during the first half of 2019.
  • The average number of records lost per leak was just 230.
  • The majority of breaches had a moderate to low severity score and exposed 10,000 records or fewer.

Thankfully RBS says more critical data was less commonly stolen during attacks.

  • Social Security numbers were stolen in 11% of attacks,
  • Addresses were stolen in 11% of attacks,
  • Account numbers were stolen in 10% of attacks,
  • Birth dates were stolen in 6% of attacks.

The sectors impacted

  • Healthcare 224 breaches,
  • Retail 199 breaches,
  • Finance and insurance 183 breaches,
  • Government and information 160 breaches each, and
  • Education 99 breaches.

Inga Goddijn, executive vice-president at Risk Based Security, told ComputerWeekly.com,

It is hard to be optimistic about the outlook for the year … The number of breaches is up and the number of records exposed remains stubbornly high. Despite best efforts and awareness among business leaders and defenders, data breaches continue to take place at an alarming rate.

Phishing

Phishing is a tried and tested first step for gaining access to systems and services, the report said. The phished data can be used to perpetuate attacks. The most frequently stolen data are email addresses and passwords. These credentials are valuable to attackers because they can be used across multiple domains for credential stuffing (because we know users don’t use unique IDs for each account). These credentials can also be changed by the attacker (or the owner). The report points out that 70% of the known breaches included email addresses and 65% included passwords.

Phishing can also lead to other critical but less monetized data. The report said phishing can lead to the exposure of unusual or unexpected types of data, including electronic signatures, calendars, marriage certificates, and company-issued employee ID numbers, all valuable for social engineering or spear-phishing attacks.

Businesses need to get their security act together – they were responsible for over 2/3 of the breaches reported by RBS. The garden-variety cyber-criminal is a script kiddie who runs automated scripts looking for unsecured databases in order to scrape up any data they can. The big breaches make the headlines, but the everyday incidents make the money for most attackers.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
