Data Breach Acceptance Replacing Breach Prevention?

March 29, 2017 Marketing GrafWebCUSO

The number of records lost, stolen or compromised in data breaches jumped 86% between 2015 and 2016 even though the number of breaches worldwide dropped 4% in the same period, suggesting that hackers are aiming at organizations with big databases, according to new data from digital security firm Gemalto. The growing prevalence of data breaches suggests companies may need to shift from breach prevention to breach acceptance, it said.

According to the Netherlands-based company’s Breach Level Index, released Tuesday, the world’s 1,792 data breaches in 2016 compromised almost 1.4 billion data records. Since the index began in 2013, more than 7 billion data records have been exposed, translating to over 3 million records compromised per day or 44 records per second. And because the number of records involved in a breach is sometimes not disclosed, the actual number of affected records might be much higher, Gemalto added.

“The Breach Level Index highlights four major cybercriminal trends over the past year. Hackers are casting a wider net and are using easily-attainable account and identity information as a starting point for high-value targets,” Gemalto VP and Chief Technology Officer for Data Protection Jason Hart said. “Clearly, fraudsters are also shifting from attacks targeted at financial organizations to infiltrating large databases such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then hold it for ransom and decrypting once they are paid.” 

Hitting close to home

North America was the world’s most popular place for a data breach in 2016, according to the data — 80% of breaches occurred there. The number of breaches in the region totaled 1,433, up 11.3% from the year before, with the vast majority (1,348) occurring in the United States. 

“Attacks in [North America] resulted in the theft of 1.0 billion records, or about three quarters of all breaches worldwide (73.3%). This was up 119% from 462.5 million in 2015. As in past years, it’s likely that the predominance of North America is due to the more stringent data breach disclosure laws in the United States compared with other countries,” Gemalto added.

Victims and criminals

Financial services companies accounted for just 12% of all data breaches in 2016 — a 23% drop in one year, according to the data. Only about 11% of breaches hit tech companies, and government and health care entities accounted for 15% and 28% of all data breaches, respectively. Retailers were hit with 12% of data breaches last year. 

Most breaches are intentional, according to the report. For example, the proportion of breaches attributable to “malicious outsiders” such as hackers and cyber criminals exploded last year, rising from 13% in 2015 to more than two-thirds of all attacks (68%) in 2016. “Malicious insiders” commanded 9% of all breaches in 2016, and “hacktivists” led only 3% of all breaches during the year, Gemalto said. State-sponsored attacks caused just 1% of all breaches. However, accidental data losses accounted for 19% of breaches in 2016, down from 23% in 2015.

The surge in internet-connected devices such as refrigerators, cars, home alarm systems and even clothing is paving the way for more breach opportunities in the Internet of Things (IoT) area, according to the report. 

“As a new era of connected devices begins, one of the most important things organizations can do is reduce the value obtained if data is stolen. Even if a hacker can access the data, it’s important to make sure there is little they can do with it,” it said.

Just 4.2% of all breaches involved data that was partially or fully encrypted, according to Gemalto. And of the almost 1.4 billion data records compromised in 2016, only 6% were partially or fully encrypted. However, that’s higher than the 2% of compromised records that were encrypted in 2015.

The shift to breach acceptance

Data breaches have become so prevalent that companies should start prioritizing the security of their actual data records rather than just focusing on the perimeter around that data, Gemalto noted. The company recommended that firms encrypt all of their sensitive data, secure the encryption keys and control user authentication and access.

“Breach prevention is an irrelevant strategy for keeping out cybercriminals. In addition, every organization already has potential adversaries inside the perimeter. In today’s environment, the core of any security strategy needs to shift from ‘breach prevention’ to ‘breach acceptance,’” it said.