
Over 4 Billion Data Records Were Breached in 2016


Cybercriminals are stealing data at an alarming rate. Both the number of breaches and the number of files stolen globally in these hacks rose dramatically to set a new record in 2016, according to a new report from Risk Based Security. The 4,149 confirmed breaches exposed more than 4.2 billion records. That’s approximately 3.2 billion more records than were exposed in 2013, the previous all-time high.

Businesses were the prime targets, with more than half (55 percent) of the reported breaches. But hackers also attacked medical institutions and government agencies.

“The number of records compromised just went completely off the charts,” said Inga Goddijn, executive vice president of Risk Based Security. “And as staggering as they are, our numbers probably underestimate the actual criminal activity that’s taking place.”

Yahoo’s Mega Breaches

The big breaches at Yahoo reported last year — 500,000 records involved in one and more than a billion in the other — did drive up the numbers. But the Risk Based Security report shows that hundreds of other organizations had sizable breaches that impacted anywhere from 500,000 to more than 10 million records.

“So unfortunately, while the number of incidents doesn’t really seem to be on the rise, the success of stealing or compromising large amounts of information is going up,” Goddijn told NBC News.

The U.S. (1,971 incidents) and the United Kingdom (204) accounted for slightly more than half of all the reported breaches last year. Also in the top 10: Canada (119), Brazil (75), India (71), Australia (59), and Russia (49).

Breaches vary in their severity. Stealing user names and passwords or even credit card numbers is bad, but not as harmful as stealing Social Security numbers, dates of birth and mothers’ maiden names, or sensitive medical records.

The Risk Based Security report rated breaches for severity, based on the number of records stolen, the type of information compromised and the potential fallout from the intrusion. The ten biggest breaches last year rated an average severity score of 9.96 out of 10.

“Clearly, we are not winning the war when it comes to cyber security,” Goddijn said. “The criminals are enjoying a high degree of success right now.”

The Hackers Are Getting Better

The non-profit Online Trust Alliance (OTA) just published its 2017 Cyber Incident & Breach Response Guide, which warns that the “cyber landscape has changed dramatically over the past 12 months,” with organizations large and small being the victims of attacks that “stole, published or manipulated sensitive, personal information.” These incidents include the hack attack on the Democratic National Committee and the theft of confidential medical records of world-class athletes from the Olympic Anti-Doping Agency’s database.

Craig Spiezle, OTA’s executive director, told NBC News that no organization or government entity is immune from today’s skilled adversaries who have created highly sophisticated methods of attack.

“In the past, a lot of the breaches were opportunistic,” Spiezle said. “Now we’re seeing much more precision. They’re targeting specific companies and industry sectors and not just for consumer data, but for business data, data regarding acquisition and mergers, data that may also harm a company’s reputation.”

The Problem with Social Security Numbers

Hackers were very successful last year at getting Social Security numbers — the master key that unlocks our lives. It’s estimated that more than 19 million were compromised last year, according to a recent analysis of U.S. breaches by the Identity Theft Resource Center and CyberScout. The report noted that the number of breaches involving stolen SSNs is on the rise. More than half (52 percent) of the reported breaches included SSNs last year, up from 44 percent in 2015.

“While credit and debit card numbers can be changed, Social Security numbers cannot,” noted Adam Levin, chairman and founder of CyberScout. “Hackers and identity thieves continue to evolve. They are very sophisticated, extremely creative and dogged in their pursuit of what is ours.”

The ITRC/CyberScout report found that many of the corporate breaches that involve the theft of Social Security numbers result from what’s called “spear-phishing.”

These attacks start with a bogus email to a corporate executive that appears to be from a trusted employee asking to be sent all the W-2 records or some other confidential business files. If successful, the criminals will get highly sensitive data, typically information required for state and federal tax filings, as well as employee records.

“We were surprised by the scale of how successful these spear-phishing efforts were and how many of these types of breaches were reported last year,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center.

The Art of ‘Spear Fishing’

Here’s how it’s done. Crooks learn the names and titles of corporate employees from online profiles. Then they create a spoofed email address that looks very similar to the real one — maybe add a letter or drop one from the company name.

Now they’re ready to pose as an executive in the company — maybe John, the HR director — and send an email to the CEO requesting corporate records that John has the authority to see. The boss gets so much email from John that he doesn’t catch the misspelling in the sender’s email address and sends the requested files.
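A mail gateway or triage script can catch the near-miss sender domain described above before a person has to. The following is an added example, not part of the original article; the domain `examplecorp.com`, the sample headers and the distance threshold are all assumptions made for illustration.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "examplecorp.com"  # assumption: the organisation's real mail domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted: str = TRUSTED_DOMAIN,
                    max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "external"
    if domain == trusted:
        return "internal"
    # A near miss of the real domain is the pattern described above:
    # one letter added to, or dropped from, the company name.
    if edit_distance(domain, trusted) <= max_dist:
        return "lookalike"
    return "external"


# Constructed sample headers, not taken from any real incident.
SAMPLES = [
    "John Smith <john.smith@examplecorp.com>",
    "John Smith <john.smith@examplecorrp.com>",  # letter added
    "John Smith <john.smith@examplcorp.com>",    # letter dropped
    "Newsletter <news@vendor-mail.example>",
]


def triage(headers):
    """Pair each header with its verdict so lookalikes can be quarantined."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLES):
        print(f"{verdict:9}  {header}")
```

An `internal` verdict only means the domain string matches; it says nothing about whether the message passed SPF, DKIM or DMARC, so it complements sender authentication and an out-of-band approval step for W-2 requests rather than replacing them.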

“Spear-phishing is such an easy thing for companies to fix because all it requires is a process in place to handle these types of requests for sensitive data,” Velasquez told NBC News. “Companies need to make sure they’re not only protecting customer data, but also employee data. They need to have mechanisms in place to ensure that requests for sensitive employee information are legitimate.”

Just last week, a hacker used a spear-phishing attack to impersonate the CEO of Sunrun, a solar company in San Francisco. The successful scam netted the crook W-2 forms for some company employees, according to a report in the San Francisco Chronicle.
