There is no shortage of terrifying statistics relating to data breaches online, but none hammer the point home quite so readily as the numbers found on the Breach Level Index website. Here, we find the number of breached records rising steadily, depicted in semi-real-time. At time of writing, over 9 billion data records have been lost or stolen through data breaches. To frame the enormity of this number in a more easily digestible context, this means just over 5 million records are stolen every day; that’s over 3,000 records a minute, and over 60 a second. The recent revelations that Yahoo’s 3 billion accounts were all exposed in 2013 serve to illustrate the severity of the issue.
All too often, data is thought of within the (relatively) narrow confines of financial data, but it can be anything falling under the banner of PII (personal identifying information) that can be leveraged for further information, or financial gain. This could include records as diverse as purchasing habits or medical records, all of which could be disastrous for the individual if they were to fall into the wrong hands.
To make matters worse, the trend of criminals moving towards data theft is growing - and will only continue to do so. According to the Breach Level Index, the number of lost, compromised or stolen records increased by 164 per cent in the first half of 2017 - with 918 breaches leading to a staggering 1.9 billion records being compromised this year to date. This was largely due to the increased number of accounts successfully compromised in individual breaches - including up to 14 million Verizon subscribers, and a staggering 77 million users of the education platform Edmodo.
So we’ve established that breaches are happening at a markedly increased rate. But what does this actually mean for the business or individual customer whose account was compromised? And what does it mean for the unfortunate business who lost that data in the first place?
The most worrying thing about a data breach is that once an account has been lost, the problems for the account in question have only started. Typically, once a criminal has stolen information in a data breach, it will be hosted on an illegal marketplace on the dark web, and will facilitate further malicious activity.
Phishing attacks are a cybercriminal’s best friend following a data breach. The beauty of a phishing attack is that it can leverage information from almost any kind of data that has been stolen, with the aim of getting the recipient to click on a link or download a file that is likely to contain malicious software. If data pertaining to customer buying habits is stolen, for example, cybercriminals could use a targeted or “spear phishing” attack to manipulate a user into clicking on a link from a retailer they have used in the past, and are therefore more likely to trust.
This is why organisations that are unlucky enough to be breached, but have the technology and expertise in place to detect it, need to inform customers of the breach as soon as they possibly can. An example of how not to handle a breach came this week from the global household name Pizza Hut, which suffered a data breach affecting roughly 60,000 people but did not inform them for two weeks. This then led to customers complaining about credit card fraud, the blame for which was laid firmly at Pizza Hut’s door.
This kind of fraud is collateral damage from the original data breach, but the havoc can continue to spread. If financial data (such as credit card numbers or even the name of your bank) becomes public following a breach, then the victims are left open to financial and identity fraud, which can have devastating consequences for them, and which Cifas have warned is at ‘epidemic levels’.
It isn’t just consumers who need to be quaking in their boots following data breaches, however. Breaches can also cause huge issues for the companies that lost the data in the first place. The obvious initial issue is public relations and brand reputation. Significant data breaches, such as Equifax or Yahoo!, often dominate the headlines of security publications for days following, and break through to the mainstream media as well. This causes a distinct loss of trust in the business in question, and has even been known to leave shareholders feeling nervous.
So, the devil really is in the data, both for consumers and for the businesses handling it. If there continues to be money in stolen data, data will continue to be stolen by malicious actors, regardless of the most stringent security solutions being in place. The question is how companies keep the damage to a minimum, and how consumers keep themselves safe in the wake of a data breach. For companies, important parts of the answer are making sure that their employees are aware of cybersecurity concerns, and regularly assessing the security of their network. Updating and patching systems can be the simplest way to keep networks safe, but it is all too often not done in time, as illustrated by the ransomware attacks on the NHS in May. Organisations also need to make sure that employees, regardless of their business function, are aware of the consequences of poor security practices: how bad password hygiene, clicking on unsolicited or unusual emails, and transferring data sets from a protected network to an unprotected one (such as a personal laptop) can have devastating consequences. For consumers, the advice is similar: use strong passwords, don’t reuse them across accounts, and be cautious of clicking through to online offers that seem unusual, or too good to be true.
It would be naïve to think that in today’s data-centric world we could avoid all data breaches by following these simple steps, but a common-sense approach to security can go a lot further than many people realise.
Kyle Wilhoit is a senior cybersecurity threat researcher at DomainTools
Image Credit: Flickr / janneke staaks