Data breaches: It’s still personal

In a blog post last September, I highlighted how data breaches for the first half of 2016 shifted from stolen credit card data and financial information to the theft of something much more personal—identities. Unsurprisingly, this trend continued throughout the remainder of the year.

According to the recently released Breach Level Index, 1,792 data breaches led to almost 1.4 million data records being compromised worldwide, an increase of 86 percent compared to 2015. Once again, identity theft was the leading type of data breach last year, accounting for 59 percent of all data breaches. 

The second most prevalent type of breach in 2016 is account access-based breaches. While the incidence of this type of data breach decreased by 3 percent, it made up 54  percent of all breached records, which is an increase of 336 percent from the previous year.

This is a continuation of the trend I highlighted in September: Cyber criminals are moving from financial information attacks to mining bigger databases with large volumes of personally identifiable information. AdultFriendFinder (exposing a whopping 400 million records), Fling, DailyMotion and 17 Media were all large database attacks that made the short list of top-scoring breaches in 2016. By going after this personal data, cyber criminals can extort victims and/or organizations into paying fees in order to avoid having sensitive information made public.

The IoT increases the number of attack vectors

The emergence of the Internet of Things (IoT) will have a huge impact on the data breach landscape moving forward by increasing the number of attack vectors for these cyber criminals. The more access to more data they have, the more creative the attacks.

Some of these will have immediate consequences for individuals and companies, and others will take longer to identify, giving hackers the time to conduct the most drastic breaches like data integrity attacks. Organizations base their decisions on the data they have access to and often rely heavily on its validity. If hackers or governments can modify the integrity of the data, major business decisions can be manipulated, resulting in significant yet still unknown consequences.

This transition in the hacking community makes it harder for enterprises to determine the implications of attacks. As I’ve discussed before, it’s important companies take a situational awareness approach to data and identity security by knowing exactly where their data resides, the security categories of the data, and a user’s access rights to each data category. Companies can no longer assume they will be immune to attacks, but prepare a secure breach environment.