2014 Data Breaches – A Billion Exposed Records – A New All Time High

Risk Based Security has released its 2014 Year-End Data Breach QuickView Report highlighting the data breach trends over the past twelve months. 2014 added five incidents to the “Top 10 All Time Largest Incidents” list. The details are not pretty.

The past year will stand out for a number of reasons and unfortunately, few of them are good. A record-breaking 1.1 billion personal and sensitive records were compromised in 2014 across 3,014 incidents. Compared to 2013, that is a 22.3% increase in the number of records lost and a 28.5% increase in the number of data breaches disclosed. What’s more, it is clear from our analysis that malicious actors are winning the security battle, with hacking and fraudulent activity accounting for a staggering 97.6% of the records lost.

“Although many security experts will point to Sony as the ‘Hack’ of the year, we can’t lose sight of the other 3,013 incidents occurring in 2014,” said Barry Kouns, Risk Based Security’s CEO. “We must recognize that incidents are being reported on an average of eight per day, and we need to find a way to turn the tide,” added Kouns.

Year-end analysis shows the trend of targeting user credentials continues unabated, and it is easy to see why. No matter how sophisticated the attack might be, gaining access to the system is a key first step. Analysis of 2014 events shows passwords, user names and email addresses remain the most targeted data types. A closer examination of the incidents involving login credentials reveals lower profile websites and services are often targeted for this type of data theft. Malicious actors understand human nature and the tendency to reuse and recycle passwords. By collecting hundreds of user credentials from different sources, they may find that those same credentials are valid for opening the doors to a much larger target.

“Even though most organizations can’t identify with the high-profile, large breaches that gain the most publicity, 72.5% of 2014’s incidents exposed between one and ten thousand records,” said Kouns. “Those numbers we can identify with and this year’s incidents highlight just how vulnerable most organizations are to a data breach.”

2014 is also notable for the size and audacity of the incidents taking place. The year began with 110 million credit card numbers with expiration dates being compromised in South Korea due to insider fraud. Four other events this year made the top 10 list for the largest incidents of all time, including the 220 million records exposed in a second incident in South Korea. While the volume of compromised data is astounding, the numbers do not include perhaps the most infamous breach of 2014, the events at Sony. While the total number of records lost in that breach has not yet been determined, the event has clearly made an impact far beyond that of any other large incident. The unprecedented release of sensitive internal documents and intellectual property may ultimately prove to be more damaging than whatever the final record count may reflect. The Sony breach has also ushered in a renewed national focus on cyber security. New breach notification and other cyber legislation is currently making its way through Congress and just this month the White House announced the formation of an agency dedicated to gathering and detecting cyber threat intelligence. The success of these initiatives remains to be seen but it is clear the impact of 2014 will continue to be felt throughout the coming months and maybe years.

About the Data Breach QuickView Report

The Data Breach QuickView report is intended to be an executive level summary of the key findings from RBS’ analysis of 2014’s data breach incidents. Contact Risk Based Security for your customized analysis of the 2014 data breaches.

You can view the 2014 Data Breach QuickView report here:


About Risk Based Security, Inc.

Risk Based Security is a leading-edge security and threat intelligence company. We provide the most timely, highest quality and most fully comprehensive vulnerability and data breach intelligence services available. Data intelligence is the basis for our consulting and information security services including ISO/IEC 27001SDL and our virtual YourCISO service.

For more information, please contact us via email or call 855-RBS-RISK.