In the first nine months of 2014, across 1,922 confirmed incidents, criminals compromised 904 million records. Many of the incidents reported in 2014 were record setting, including twenty that each resulted in the compromise of more than a million records.
In retrospect, it can be safely said that criminals have had a tremendous run this year. But will their successes lead to any actionable change?
Many experts agree that some change will come out of 2014's security nightmare, but 2015 isn't going to be a data security utopia - records are still going to be compromised, and criminals will still target the low-hanging fruit.
If anything, 2014 will be the turning point for most security programs, as executives start to see the value in protecting data first.
According to data given to CSO Online by Risk Based Security, nearly 85 percent of the records exposed in the first nine months of this year were due to hacking (external influence), accounting for 74 percent of the reported incidents.
Because so much of the damage came from outside, this year's security problems have taught organizations a valuable lesson about protecting the supply chain and offering awareness training to staff and vendors. From phishing to weak third-party access, criminals walked in through the back door, and out the front, with relative ease.
"Businesses today have a maze of complex dependencies on outside service providers and suppliers. This makes a complex attack surface, and that in turn makes defenses weak. The more complex our infrastructure, the harder it is for defenders to see it all and understand its weaknesses," commented Dr. Mike Lloyd, CTO at RedSeal.
Another lesson learned this year centers on the risk of keeping all of one's eggs in a single basket. As mentioned, twenty incidents reported in 2014 exposed one million records or more in each instance, but just three of them resulted in the compromise of a combined 489 million records.
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said that the JPMorgan Chase breach was a perfect example of how the damage from an incident can be reduced by segmentation.
"Attackers were able to steal millions of customers' personal information such as names, emails, addresses, etc. However, they were unable to steal the actual financial data. That kind of data was hidden away behind another layer of security and one that was apparently impossible for attackers to get to," Kujawa said.
"If all organizations used practices similar to that, then regardless of a breach, there would be a lot less damage in the aftermath."
But, added Dr. Lloyd, while segmentation has been seen as a good idea for decades, it's something that's always been "nice-to-have."
"Today, it’s rapidly shifting to an imperative – auditors look for it, regulators demand it, and customers expect it. Cost is no longer the limiting factor – boards are willing to spend money to steer clear of the wrong kind of news coverage. The limiting factor is complexity – you can’t segment what you can’t map, and too many organizations have effectively lost the blueprints of the infrastructure they run their businesses on," he explained.
By far, the most common record type exposed in 2014 was passwords, followed by usernames, email addresses, and PII (name, address, SSN, DOB, phone number, etc.). When it comes to medical records and financials (credit cards), the volume is much lower – less than ten percent in each instance – but larger than in previous years.
Criminals are starting to favor PII over financial information, because it's easier to sell and leverage. To put it simply, the banks are making it harder to use stolen credit card details due to anti-fraud advancements.
Michele Borovac, VP at HyTrust, pointed out that while it's relatively easy to cancel a credit card, it's much harder to track down and recover your identity if it's stolen.
"Attackers with a few pieces of personal information can parlay that data into new credit card applications, online account access and many other nefarious – but lucrative – activities," Borovac said.
There are plenty of examples to examine when it comes to data breaches in 2014, but some cases stand out above the others. Looking back, there were two notable incidents in South Korea this year. One of them occurred due to a malicious insider, the other due to external influence.
The first incident happened in January; 104 million credit cards and 20 million records containing PII (names, Tax ID, etc.) were compromised by a worker at the Korea Credit Bureau. According to reports, the insider abused their access and copied the records to an external drive, with the intent to sell them.
The second incident happened in August. A hacker from China, along with more than a dozen others, compromised 220 million records by targeting website registrations for various games and online gambling promotions, ringtone storefronts, and movie ticketing. In all, the incident impacted 27 million people aged 15-65, which is about 70 percent of the nation's population.
In May, eBay said that attackers compromised staff credentials and accessed a user database. As a result, the incident impacted 145 million people. While no financial information was compromised, the attackers were able to view (at the very least) PII, including names, email addresses, home addresses, dates of birth, and phone numbers. Passwords were also at risk, but those were salted and hashed. Out of caution, eBay asked that all users change their passwords immediately, and warned them against phishing scams.
With those three incidents alone, there were more than 400 million records exposed. This figure doesn't count the incidents at Home Depot, JPMorgan Chase, Michaels, Neiman Marcus, Orange, American Express, or Community Health Systems.
"Big Data leads to Big Theft," said Dr. Lloyd. "Cyber criminals are savvy about risk vs. reward – if we make big piles of data, they are willing to put in more effort to get in to take it."
HyTrust's Borovac agrees:
"The primary reason that we’re seeing breaches of this magnitude is that data and applications are becoming more concentrated. As organizations consolidate and virtualize data centers, it becomes easier for someone who gets in to get everything."
The fact that consolidation played a role in some of this year's security incidents is important, given that it also plays a role in income-generating business initiatives. Despite 2014 being a record-setting year for data breaches, for most organizations security is still an after-the-fact, bolted-on addition.
"Security professionals at heart have known for over a decade now that security, like all business practices, is ultimately dictated by ROI. Until companies feel that they will lose customers due to security concerns, there is no good business reason to address them with the same attention that they do sales or any other income-generating business infrastructure piece," said Carl Vincent, security consultant at Neohapsis.
But perhaps all is not lost. Again, 2014 could be the turning point for most security programs. If so, things may start to get a bit better, Vincent explained.
"With massive wide scale breaches now coming to light, it is possible that we are now seeing the beginning of an era where the consumer evaluates a company’s security posture before choosing to use a service. If that time is upon us, perhaps an era of information security being taken seriously is upon us as well."