We thought we would start 2020 by looking backwards. Specifically looking back at the biggest data breaches of 2019, seeing how many records were breached, getting a broad understanding of the nature of the attacks and then looking forward to seeing how we can learn lessons and protect our data assets better in the future.
So how many data breaches were there?
It’s actually impossible to say with pinpoint accuracy but we have to start somewhere. SELFKEY have an excellent running blog where they summarise breaches in chronological order, over the year, as they happen. We have given it a study, analysed the data and distilled it into what we hope you will find an easy to digest and understand format.
At the time of writing this post, SELFKEY were reporting a total of 65 individual breaches with leaked records ranging from 1.2 million to 1.3 billion in number. They report a total of 5.3 billion compromised records and that doesn’t (obviously) consider the breaches that have thus far got an undetermined / undiscovered number of records divulged.
What was the nature of the breaches?
To avoid this post becoming a mass of analytics and data points we have taken a broad approach to classifying the attack methods, you’ll find brief descriptions and corresponding breach instances below:
Website / Web App Vulnerabilities (13 breaches)
Where a website or web / mobile app has inherent vulnerabilities that allow attackers to exploit. For example, the OnePlus smartphone manufacturer whose website was exploited to reveal customer phone numbers, email addresses, shipping addresses and full names.
Unknown (1 breach)
Quite simply, the nature of the breach has not been disclosed or discovered
Unprotected Server (14 breaches)
Usually a cloud instance of an unsecured or poorly secured dedicated server, often via unsecured AWS S3 buckets
Compromised Credentials (17 breaches)
Almost always this involves user credentials being appropriated by the instigation of a phishing campaign
Inside Actor (1 breach)
Where the attack was initiated by an employee / former employee or 3rd party that worked with the breached organisation. The famous Capital One breach is a good example.
Unprotected Database (12 breaches)
The advent of NoSQL based databases has changed the way unformatted, big data is stored. Unfortunately, they don’t always have the same robust, time tested security as the traditional relational DB’s common in Oracle & MS. The QuickBit breach of July where a MongoDB database was compromised is a case in point.
Malware Attack (4 breaches)
To be fair a malware attack is always delivered on the back on another attack, often due to exploiting vulnerabilities on a web server / app / site – but still worthy as a category on its own.
Human Error (3 breaches)
It could justifiably be argued that all breaches could have been avoided if not for some form of human error or lack of appropriate human intervention. But in this case, specifically, we are talking about examples where, say, a human mistakenly pressed the wrong button or forget to take the appropriate steps they were tasked with.
How can you prevent breaches?
It’s very frustrating, to say the least, that every single one of those 5billion plus leaked records could have been saved if only best practices had been followed:
- Protect your websites and apps by securely coding them in the first place. Don’t cut corners, avoid using unproven 3rd parties and hire specialists to demonstrate that you are doing your best to protect citizens personal & sensitive data, your IP and your reputation. Run quarterly vulnerability scans and pen-test at least annually.
- Secure your leaky S3 buckets! Amazon has made it easier now with their Access Analyzer feature
- Educate your staff, make them your first responders. Phishing attacks are the number one point of access for malicious actors. Deploy and mature a rigorous and comprehensive information & cyber security awareness programme across your whole workforce.
- Have a continuous vetting process for employees, build a comprehensive framework & strategy for managing the risk of 3rd Parties & Supply Chains
- When you work with large amounts of unstructured data think carefully before utilising a big data / NoSQL database. Do your research and use experts to deploy, configure & maintain the databases. Don’t expect an analyst with Oracle PL/SQL to be up to the job!
- Investigate, consult and brainstorm when it comes to investing in software security solutions, don’t allow yourself to be fall under the spell of the shiny baubles of whizz-bang vendor-led unicorn solutions.
- Work with experts, consult with award-winning professionals that can demonstrate years of experience in the provision of Information Risk Management Solutions.