2015 data breaches by the numbers: Still plenty of work to do
By Andrew Gertz, SafeNet
Do you want the good news or the bad news about 2015 data breaches? Truth be told, I’m a realist at heart — but one that wishes he could be an optimist – so let’s start with the good news.
Based on the Breach Level Index (BLI), the total number of data records lost or stolen in 2015 actually decreased by 39% from 2014, the year of mega breaches.
While more than 707.5 million data records were compromised in 2015, that was down from the record-setting 1.02 billion records lost or stolen in 2014. While it’s great to see that number decrease, that still means that records were lost or stolen at the following rate:
- 1.9 million records every day
- 80,766 records every hour
- 1,346 records every minute
- 22 records every second
But trying to focus on the good news, what changed from 2014 to 2015 that led to the decline? The major shift that explains it seems to be that the two industries that had the most data records lost/stolen in 2014 — retail and financial services — improved stunningly.
Retail data breaches:
2014: percent of records lost/stolen in 2014, 55%; number of records lost/stolen in 2014, 567,316,824
2015: percent of records lost/stolen in 2015, 6%; number of records lost/stolen in 2015, 40,075,707
Financial services data breaches:
2014: percent of records lost/stolen in 2014, 20%; number of records lost/stolen in 2014, 205,175,846
2015: percent of records lost/stolen in 2015, <1%; number of records lost/stolen in 2015, 1,074,043
When I call 2014 the year of the mega breach, this is why. Retail and financial services accounted for five of the top 10 data breaches recorded by the Breach Level Index in 2014.
That year’s breach of AliExpress, the affordable online marketplace owned by Alibaba, accounted for 300 million records alone. Scoring a perfect 10.0 on the BLI’s risk assessment scale, the Home Depot breach accounted for 109 million records. Take away those large-scale breaches impacting millions of customers and thus millions of records, and you can understand why the number of records lost or stolen would be down in 2015 when compared to 2014.
As mentioned above, there were 527,241,117 fewer records lost/stolen in the retail industry in 2015 compared to 2014 and 204,101,803 fewer records lost/stolen in the financial services industry.
Can you imagine what we’d be talking about right now if the Breach Level Index had needed to add the impact of a few more retail or financial services mega breaches to the 707 million tally of 2015?
Additionally, if we were to throw out 2014 data as a statistical anomaly caused by mega breaches, 707 million records lost or stolen in 2015 is then approximately 23% higher than the 575 million records lost or stolen in 2013.
Okay, so maybe I should have called that section ‘the better’ instead of ‘the good’.
While the numbers of data records lost or stolen fell, the number of data breaches in 2015 increased by 8% over 2014. In all, there were 1,673 breach incidents last year.
And though the retail and financial services industries improved tremendously over 2014, the government and healthcare sectors weren’t so lucky and have the unfortunate distinction of being the areas where the most records were lost or stolen in 2015.
Government data breaches
When the digital smoke cleared, 307,122,342 data records were lost by or stolen from agencies and other public sector entities. That represented 43% of all compromised records – an increase of 476% from 2014 for this industry – and easily made the government sector the segment most heavily impacted by breaches.
The total number of successful attacks in the government sector was 272 (16%). The average number of records exposed per attack was more than 1,129,000 compared with about 190,000 in 2014.
Some of the most notable 2015 government breaches:
- A malicious outsider breached the servers running the website of Turkey’s General Directorate of Population and Citizenship Affairs agency. This identity theft breach exposed 50 million records.
- In June 2015, a state-sponsored attack on the U.S. Office of Personnel Management compromised 22 million records – another identity theft breach. Federal officials described this as one of the largest breach of government data in the country’s history.
- Wrapping up the year, security researchers discovered an online database containing the personal information of 191 million individuals registered to vote in the U.S.
This track record may put into context the reasons why technology companies like Apple oppose government orders that could potentially compromise the effectiveness of their encryption and other security measures.
Healthcare data breaches
Though a distant second to the government sector, the healthcare trended in the wrong direction in terms of cyber security in 2015. The sector accounted for 19% of total records compromised (134 million) – an astounding increase of 217% over the 2014 data records lost by or stolen from the industry.
While it was second in terms of records lost, it was unfortunately the number one industry in terms of data breaches sustained. There were 374 healthcare data breaches in 2015, representing 22% of all breaches in the year.
This shows just how aggressively hackers are targeting healthcare organisations and the value they place on the personal information those organisations are entrusted with by patients and customers.
The Anthem Insurance breach resulted in the theft of 78.8 million records, scored a perfect 10.0 on the Breach Level Index risk assessment scale, and was the biggest healthcare breach of 2015.
If you notice, the terms “identity theft” and “personal information” keep coming up when exploring last year’s breaches.
That’s because identity theft accounted for 880 breaches – or 53% of all breaches in 2015 – and was responsible for the compromise of 40% of all data records (285 million total records).
“In 2014, consumers may have been concerned about having their credit card numbers stolen, but there are built-in protections to limit the financial risks,” said our own Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto, in a press release. “However, in 2015 criminals shifted to attacks on personal information and identity theft, which are much harder to remediate once they are stolen.
“As companies and devices collect ever-increasing amounts of customer information and as consumers’ online digital activities become more diverse and prolific, more data about what they do, who they are and what they like is at risk to be stolen from the companies that store their data. If consumers’ entire personal data and identities are being co-opted again and again by cyber thieves, trust will increasingly become the centerpiece in the calculus of which companies they do business with.”
Last year, I wrote that I hoped when I sat down to write this 2015 breach wrap up that I would be able to tell you that at least the number of secure breaches — those in which encryption was used and rendered the stolen data useless — had increased.
That particular number stayed flat, as only 4% of the incidents were secure breaches. I don’t believe there can be any excuse for that in today’s data security “climate.”
We know that beyond accidental loss, which accounted for 24% of the breaches in 2015, there are those actively attempting to damage organisations and/or benefit financially from stealing data.
And they’re doing it very well.
- Malcious outsiders accomplished their mission 964 times last year, good for 58% of the breaches.
- Malicious insiders accounted for 14% of all breaches last year – 238 total incidents.
- Hacktivists and stat sponsored attacks accounted for another 36 and 33 breaches, respectively.
And yet, despite knowing that in terms of cyber security that the battle is happening on all these fronts, encryption is used in just 4% of the breaches? Organisations know that hackers are relentless in their pursuit of data, and yet that prize remains exposed?
To me, that’s unacceptable.
But, as I said, I think I’m a realist that wishes he were an optimist.
So I’ll again say that I hope that we’ll find that the silver lining to all these breaches and stolen records is that more organisations across all industries increase the adoption of two-factor authentication, data encryption, and key management best practices in order to ensure the safety of employee and customer data.
- » More tales of woe for enterprise network security, report warns
- » How Walmart – among others – fell victim to recent customer phishing scams
- » The CIO's role is moving to customer obsession - but many lack the tools to do it
- » Protecting your organisation from phishing scams: A guide
- » Why AI cybersecurity is a leap forward in threat intelligence