From 4,000 to 40,000 Data Breaches: People are Still the Problem

On May 2, 2019, we hit a data breach milestone. The Cyber Risk Analytics research team added the 40,000th breach entry to our ever-expanding data breach database. Coming hot on the heels of the 200,000th vulnerability added to VulnDB, it can be tempting to think much of the breach activity taking place over the years has been the result of the endless onslaught of software weaknesses. After all, it doesn’t take much digging to find high-profile breach examples attributed to unpatched vulnerabilities (we’re looking at you, Equifax).

“If we look back through the history of how we got to 40,000 breaches, we can see what a truly difficult task it is to keep sensitive data secure,” commented Inga Goddijn, EVP for Risk Based Security and head of Cyber Risk Analytics. “Yes, attack methods change over time and patching is more challenging than ever, but breaches can come from anywhere there is data.”

Comparing the 4,000th entry to the 40,000th highlights the point. Back in August of 2007, an employee of Spotsylvania County, Virginia was working in the conference room of a public building. She stepped away for a moment and upon her return, found the laptop she was working on was gone. Typical of the times, 3,000 sensitive records containing the personal information of fellow employees, as well as details from business licenses and property tax bills, were held directly on the machine. The laptop was password protected, but no encryption was applied.

“Stolen laptops were the number one breach type back in 2007, accounting for 22.1% of all reported breaches while exposing 2.9% of records that year,” noted Ms. Goddijn. Fast forward to 2018, and the problem of sensitive data stored on unsecured laptops has been largely addressed. There were still 51 such events in 2018, but those accounted for fewer than 1% of breaches reported. Only 253,374 records were exposed by stolen laptops last year, barely registering in the context of the 5.1 billion total records compromised.

But let’s not celebrate prematurely. Unfortunately, the problem of sensitive data on unprotected equipment has been replaced by that of sensitive data unprotected in the cloud.

The incident at Ladders, Inc. became our 40,000th entry, and in many ways it’s just as typical for 2019 as the Spotsylvania County incident was for 2007. On May 1st, it was reported that an open, unprotected Elasticsearch database was left exposed on the Internet. The AWS-hosted database contained a year’s worth of user profile data and recruiters’ information. In all, upwards of 13,700,000 records were exposed in the incident.

Moving sizable databases to the cloud has come with configuration concerns that simply were not a problem in 2007. As a result, inadvertent exposure of data on the web accounted for 4.1% of breaches reported in 2018, exposing a whopping 1.9 billion (or 39.1%) records.

“Unsecured databases have become the stolen laptops of the time,” Ms. Goddijn commented. “We may have conquered the equipment problem, but we are still seeing a multitude of preventable breaches; that is to say the means for avoiding the data loss in the first place is largely within the organization’s control.”


[Figure: CRA data breach statistics - May 2019]



All of the latest breach trends can be found in the soon-to-be-published Q1 2019 Data Breach QuickView Report. Check back here on May 7th, when the report becomes publicly available. In the interim, all the findings from 2018 are still available in our 2018 Year End Report.