Data breaches were rampant in 2019, occurring at an unprecedented pace. However, the first half of this year has seen a reduction in the number of reported events. Reported being the operative word.
In the first six months of 2019, more than four billion records were exposed in 3,800 publicly disclosed breaches, according to cybersecurity firm NortonLifeLock.
A publicly reported data breach is one that is required by state law and reported by a government official; is part of a public regulatory filing, such as an SEC filing; is listed on a company website, social media, news release or breach notice letter; is published in an accredited media publication; or is disclosed by a recognized cybersecurity researcher or firm, explained James E. Lee, Chief Operating Officer at the Identity Theft Resource Center (ITRC).
The Center is a non-profit organization established to support identity theft victims in resolving their cases and to educate the public about identity theft and associated issues such as data breaches, cybersecurity, scams, fraud and privacy.
Breaches in 2019 included:
- Bank holding company Capital One, in March: 106 million records;
- Social-planning website Evite, in August: 100 million records; and
- American Medical Collection Agency: more than 20 million records breached, which led to the firm’s filing for bankruptcy.
In all, more than 15 billion records were exposed in nearly 7,100 data breaches throughout calendar 2019.
Breaches Subside in 2020
This year however, the number of publicly reported data breaches has fallen.
“During this period, we saw less activity from many threat actors who would normally be making all kinds of havoc,” Adam Kujawa, director of Malwarebytes Labs, told TechNewsWorld. Malwarebytes Labs is the intelligence arm of antimalware software firm Malwarebytes.
The ITRC says the number of data breaches between January and June fell by 33 percent year over year.
During that period, a little more than 163 million individuals were affected by breaches — 66 percent less than in January to June 2019.
Risk Based Security says publicly reported breaches in the first half of this year fell to a five-year low, but still showed a total of 2,037. It said more than 27 billion records were exposed during that period — 12 billion more than were exposed throughout the whole of 2019.
So what gives? Why this huge discrepancy in the numbers?
Differences in methodology, ITRC’s Lee told TechNewsWorld. Risk Based Security includes information from outside the United States, while the ITRC’s data is based only on events in the U.S.
Also, as a national non-profit that provides free services to victims of identity crimes or compromises, “our focus is on the number of people impacted, not the number of records exposed,” Lee noted.
“In mass data breaches or exposures there are multiple records per person, which always means the number of records exposed will almost always be an order of magnitude higher than the number of people impacted,” he said. “There is no one-to-one correlation between people and records.”
The Reported vs. Reality Gap
Whatever methodology is used, getting the full picture of the threat from data breaches will be difficult because not all breaches are counted.
Both the ITRC and Risk Based Security count only publicly disclosed breaches.
“It’s safe to assume there’s a gap” between the total number of data breaches that have actually occurred and what’s publicly reported, ITRC’s Lee said.
Further, there is less coverage per event, and delayed reporting from some sources, he pointed out. “Clearly, there is less information being disclosed.”
Each state in the U.S. has “a unique definition of what is reportable,” Lee explained. There’s a variety of regulations at both the state and federal levels governing when a security or data breach is reportable, so “it’s virtually impossible to project how large the gap is between reported events and unreported or under-reported data compromises.”
Some organizations may hesitate to report breaches because they’re afraid this will damage their reputation or make them a target for future attacks, Malwarebytes Labs’ Kujawa suggested.
There may also be a delay in reporting because “I’m sure there are thousands of breaches that companies don’t even realize have happened for a few months,” said Kujawa. Sometimes new corporate customers run a massive scan on their network after signing up with Malwarebytes and find a huge spike in some detections well after they had occurred, “so we have to modify our own stats to remove these outliers or we aren’t getting the whole story.”
The move toward working from home as a result of the pandemic, and a lack of processes for dealing with a breach, may also have slowed the reporting of data breaches, Kujawa noted.
Cybercriminals Switch Tactics
Delays in reporting are one possible reason for the reduction in the number of data breaches publicly reported; another could be that cybercriminals are now focused on leveraging the data stolen in previous breaches rather than going out and getting some more, according to ITRC’s Lee.
“The significant rise in credential stuffing attacks driving unemployment fraud — as much as US$26 billion according to the Department of Labor; data-driven phishing attacks, and ransomware attacks where data is not exfiltrated demonstrate the consumption-to-acquisition ratio has favored consumption so far this year,” Lee observed.
Malwarebytes found a surge in phishing emails that use COVID-19 as a cover for malicious activity and carry commercial malware such as AveMaria and Backdoor.NetwiredRC.
These are Remote Access Trojan (RAT) programs that let a hacker gain unauthorized access to a victim’s PC to monitor user behavior, change computer settings, browse and copy files, and use the PC’s Internet access for criminal activity. AveMaria targets large enterprises, while Backdoor.NetwiredRC is aimed at SMBs.
Other phishing attacks are hidden in messaging, including fake bank alerts, package delivery notifications, and eBay bids.
Cybersecurity firm Agari reported in July that a Russian criminal organization it calls “Cosmic Lynx” targets senior-level executives at large multinational organizations, mainly Fortune 500 or Global 2000 companies.
The criminals send targeted victims a faked letter from their company’s CEO instructing them to work with external legal counsel to coordinate payments needed to close the acquisition of another company. Then they send a faked letter from a real lawyer at a UK-based firm giving instructions about how to make the payments, which are funneled to mule accounts that Cosmic Lynx controls.
Cosmic Lynx asks for an average payment of about $1.3 million, compared to the $55,000 most other business email compromise (BEC) attackers demand.
Respite or Pattern?
One of the most high-profile phishing attacks was the Twitter breach in July, where hackers gained access to Twitter’s internal software tools and took over the accounts of President Obama, Tesla CEO Elon Musk, Microsoft co-founder Bill Gates, and presidential candidate and former VP Joe Biden, as well as corporate accounts for Apple, Bloomberg, and Square’s CashApp.
Tweets were sent from the accounts of 45 victims to promote a Bitcoin scam that garnered 383 transactions worth about $117,000. Three people have been charged in connection with the Twitter hack, including the alleged “mastermind” who is a 17-year-old in Tampa, Fla.
The dip in data breach statistics may be a temporary condition, ITRC’s Lee noted. “At some point, data thieves will return to a more traditional pattern,” he predicted.