Category Archives: Breach Statistics

2015 Reported Data Breaches Surpass All Previous Years

Risk Based Security has released the Data Breach QuickView report that shows 2015 broke the previous all-time record, set back in 2012, for the number of reported data breach incidents. The 3,930 incidents reported during 2015 exposed over 736 million records.

Although overshadowed by the more than one billion records exposed in the two previous years, 2015 also ranks #3 in total reported exposed records.

The 2015 Data Breach QuickView report shows that 77.7% of reported incidents were the result of external agents or activity outside the organization, with hacking accounting for 64.6% of incidents and 58.7% of exposed records. Incidents involving U.S. entities accounted for 40.5% of the incidents reported and 64.7% of the records exposed.

The report also revealed that individuals’ email addresses, passwords and user names were exposed in 38% of reported incidents, with passwords taking the top spot at 49.9% of all 2015 breaches. This is especially troubling since a high percentage of users pick a single password and reuse it across all their accounts, both personal and work-related.

You can get your free copy of 2015 Data Breach QuickView report here: http://www.riskbasedsecurity.com/2015-data-breach-quickview/

Hacking Exposed 78% Of All Records Compromised In First Half Of 2014

Mid-year 2014 data breaches exposed over 502 million records, far exceeding the mid-year point in 2013, the previous all-time record-setting year.

We are pleased to announce the release of the next installment of Risk Based Security’s Mid Year Data Breach QuickView report.

The report shows that 2014 is on pace to replace 2013 as the highest year on record for exposed records, even though the recently reported exposure of 1.2 billion email addresses and user names has not been included. The 1,331 incidents reported during the first half of 2014 exposed over 502 million records, nearing 61% of the 814 million records exposed in 2013.

The Data Breach QuickView report also revealed that individuals’ user names, passwords and email addresses were exposed in 57% of reported incidents, with passwords taking the top spot at 70.1% of all mid-year 2014 breaches.

Risk Based Security’s research suggests that organizations in all industries, regardless of size, should take an active approach to reviewing their networks for security vulnerabilities in their applications, infrastructure and third-party libraries. By doing so, organizations can reduce the window of exposure they face with many of today’s threats.

The Data Breach QuickView report was just released and is made possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of the first half of 2014’s data breach incidents. You can view the announcement and report here.

First Quarter 2014 Exposes 176 Million Records

Troubling Trend Of Larger, More Severe Data Breaches Continues

We are pleased to announce the release of the next installment of Risk Based Security’s Data Breach QuickView report. Analysis of data compromise activity for Q1 2014 shows that, while the number of incidents taking place remains comparable to Q1 2013, the number of records lost per incident is on the rise. The total number of records exposed in the first quarter of 2014 exceeded 176 million – roughly a 46% increase compared to the number of records lost in Q1 2013.

The report also highlights the continuing trend of targeting user names, e-mail addresses, and passwords. Although this type of information in and of itself typically doesn’t hold the same value as Social Security or credit card numbers, it can be the key that opens the door to more valuable information. The continued focus on this type of data may indicate that more complex or better-planned attacks involving third parties are already happening and more are on the horizon.

The Data Breach QuickView report was just released and is made possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of 2013’s data breach incidents. You can view the announcement and report here.

Over 822 Million Records Exposed In 2013

The Data Breach QuickView report was just released and is made possible through the partnership and combined resources of Risk Based Security and the Open Security Foundation. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of 2013’s data breach incidents. You can view the announcement and report here.

Has “Data Loss” Jumped The Shark?

For those who aren’t familiar with it, the phrase “jump the shark” originates with an episode of the American TV series “Happy Days”, where one of the primary characters, Fonzie, literally (at least in the show) jumps over a shark while on water skis. The episode was designed as a desperate attempt to draw in viewers since the overall content of the show had become rather, well, “bleh”. Things were never the same after that episode, and it was generally concluded that once Fonzie “jumped the shark”, the show really had nowhere else to go but up.

But it never did.

About six weeks ago, I reposted a question sent to the Data Loss mail list from an earlier post made over two years prior asking the same question. To date, the replies we have received can be counted on one hand, but the evidence shown at the top of the main DataLossDB page is somewhat clear: for the last several months, we (meaning OSF) have received fewer reports and have seen less news about breaches involving personally identifying information. One or two people have questioned why, and the answer is simple: we don’t know. We still look for news, we still post what we find, but the decrease in events since the beginning of the year… well, we just don’t know.

Have there actually been fewer events? Has there been a change in the way that events have been reported in the media and through other sources that might disqualify them for inclusion into DataLossDB? Does anyone have any insight into why this apparent trend might be occurring? If so, we would like to hear / read your thoughts. Please mail our curators if you have anything to comment on about this subject.

Posted by Lyger

Having “fun” with the Data Set

We recently had an inquiry regarding whether or not we could store more details about certain breaches, specifically the type of hack (for hacked breaches) that was used, or the application that ended up being breached. Neat ideas, of course, and we’ve considered them ourselves on several occasions, given that we have OSVDB as our sister project. We’ve always wanted to use both, or tie them together; however, we run into some issues in doing so. One big one is that we rarely know the cause of a given breach. That information is simply not disclosed the vast majority of the time. Neither is the application that was exploited; in fact, I can’t recall a single instance of a specific vendor’s product being named in our data set (but I suppose there might be a couple if I looked hard enough).

Adding new fields to the database is a fairly straightforward thing to do, but we don’t like to do it unless we can at least somewhat consistently populate these fields. A visitor suggested Primary Sources, so for fun, we searched them.

Querying for “sql injection” yields 21 primary source results, associated with roughly a dozen unique incidents, give or take. It was more results than I thought we’d have, anyway. But more than anything, it made me wonder what other interesting queries could be made. So, I tried a few:

Querying for “search engine” or for “google” yielded some delightful entries about stuff getting indexed.

Querying for “encryption key” had some interesting results where the encryption key had been lost with the encrypted systems/media.

My personal favorite! Querying for “no reason to believe” showed just how clichéd that term is in data breach notification letters, returning over 15% of all primary sources.

Querying for “former employee” gives us a glimpse into fraud committed after employment.

Querying for “password protected” shows how commonly that is used as a “don’t worry” clause in breach notification letters.

Querying for “windows” yielded a few primary sources describing Windows servers that had been breached, but only a few.

Querying for “database” was also somewhat interesting.

There are likely hundreds of other interesting combinations. The above are just the ones we thought up. Experiment on your own, and if you find anything good, let us know.

Total affected… who’s counting?

http://datalossdb.org/incidents/1127

There has been some discussion about the recent loss of a “memory stick” with the personal details of inmates in Great Britain. As the story above shows, it appears that about 84,000 prisoners may have been affected by this breach… or is that 94,000? Or… is that 130,000? Who knows… as bad as the British government apparently is about keeping anyone’s (even prisoners’) personal information safe, the media is apparently equally bad at doing that “numbers thing”.

For now, DataLossDB has this particular breach listed as 94,000 total records affected until more conclusive (coherent?) data has been obtained, but at least one question should be asked: does the total number of people affected in ANY data breach really matter? It seems that breaches with a large number of people and/or records affected get more media attention, especially when a lot of zeros and commas are in the headline, but is that really any indication of the magnitude of the real problem at hand? Now that the total number of *records* (not people) exposed is into the hundreds of millions, does the general public really think about the difference between, say, 84,000 and 94,000 records? At this point, and after years of media reports of large data breaches (e.g., TJX), are we desensitized to data breaches that affect fewer than, say, 10,000 people and/or records?

I don’t know the answers to those questions. Just rambling on a Saturday morning and throwing things out for thought and discussion…

And to lighten things up a bit, maybe Noah can help us out…

RIGHT. What’s a cubit?

Posted by Lyger.