Security breaches seem to be occurring regularly and in increasing quantity, putting personal information at risk of exploits such as identity theft, financial fraud and extortion. They occur for various reasons, some being accidental publication, hacks, inside jobs, lost or stolen computers, lost or stolen media or just poor security measures. A few even take place in which the methodology is never identified… the data just suddenly appears “in the wild”, sometimes with no idea of how many records were even exposed.
Various organization types are routinely targeted, as well. Academic institutions, accounting firms, energy companies, financial institutions, gaming organizations, government offices and agencies, healthcare facilities and organizations, hotels, the military, retail operations, tech, telecoms… and, of course, no surprise, web entities… are all targets of malware and hackers, whose goal is to extract sensitive information.
For several reasons, the number of breaches and the number of compromised records can vary greatly depending upon the source of the information. Of course, not all breaches get reported to the same clearing house, and the number of records is often estimated. For this article, the majority of the data I’ve used comes from Breach Level Index.
This isn’t a new problem… it’s been around for decades. But is it getting worse or better? The simple answer is both. Let’s take a look at what’s been happening over the last several years.
- In 2003, AOL was breached, resulting in 92,000,000 user identities being sold by an AOL employee.
- In 2004, a total of 46,825,00 users’ data was publicly compromised from a number of financial institutions, including Ameritrade, Card Systems Solutions, Citigroup and Bank of America.
- In 2006, another financial institution, Countrywide Financial Corp., along with two telecom companies, KDDI and T-Mobile, AOL again and the US Dept. of Veteran Affairs were hit for 70,300,000 users’ data.
- 2007’s victims were over twice the previous year’s, at 153,286,405 accounts being compromised, from an array of organizations.
- 2008 was a bad year for government agencies, with the UK’s Home Office and the Ministry of Defence, the Norwegian Tax Administration and the Chilean Ministry of Education having a combined 11.7 million accounts exposed, while AT&T, Bank of New York Mellon, Stanford University, University of Miami and the University of Utah Hospital & Clinics racked up another 16.99 million victims. All told, 2008 had over 69 million accounts exposed.
- There was a massive surge in breaches in 2009, totaling 255,812,566. These were nearly all in healthcare, financial and military circles. Most notable that year were the exposure of 130 million accounts by Heartland and of 76 million accounts of US military veterans.
- 2010 was, by comparison, much quieter, with only a little over 15 million accounts breached. Disturbingly, however, the onslaught continued against healthcare, financial and military targets.
- 2011 returned to nearly the 2009 level, with a total of nearly 228 million compromised accounts, spread across government, financial, academic and military entities, with some additional forays into gaming and media.
- Continuing the upward trend, 2012 brought us 372,558,858 breached accounts, primarily, once again, from government and financial, but adding some very substantial numbers in tech and web. Heavy hitters from Adobe to Zappos contributed greatly to the number.
- 2013 went big, with over 3.3 billion compromises, Yahoo being the largest single contributor. Tumblr, Living Social and Evernote, along with Facebook, were other sizeable chunks of this year’s total.
- In 2014, eBay, Sony Pictures, JP Morgan Chase and Home Depot claimed the spotlight, while the year’s total of breached accounts was well over 886 million.
- 2015 totaled only 196 million accounts from identified breaches, although Wendy’s, Walmart, Twitch.tv, Landry’s, Hilton, Hyatt and CVS couldn’t say how many of their customers’ accounts had been breached.
- 2016 once again heavily targeted healthcare, web and government, with a renewed focus on academic, political and telecom. 537,734,563 was the total.
- The tally for 2017 was 228,747,877, coming from large contributors like Equifax, Uber and Taringa!, but spread across a variety of niches.
- Finally, 2018 was highlighted by huge breaches at Under Armour, Quora, Marriott Int’l. and Facebook. The year’s total was over 939 million.
In total, over this fifteen-year period, there were billions of records exposed.
Based upon information from one of the most conservative aggregators, here’s what it looks like in a chart. Even ignoring the peak in 2013, as you can see, there’s a steady increase from 2004 (92,000,000) to 2018 (939,092,588) – more than a tenfold increase over a 15-year period.
Have Organizations Improved Their Ability to Mitigate the Loss of Data?
There are other considerations, though. Are there more or fewer attempts over time? Has security increased sufficiently to catch breach attempts fast enough to mitigate the number of compromised accounts over that same period? Are we still as effective at locating compromised accounts in the wild? Are people being more cautious about what personal data they put out there? Let’s explore it a little.
In 2005, nearly half the reported breaches were perpetrated against educational institutions. They continued to be the largest segment victimized in 2007, 2008 and 2009 (they were barely edged out by government agencies in 2006).
By 2010, however, the emphasis had shifted to the medical community. Healthcare, medical providers and medical insurance services were the largest victims of breaches every year from 2010 through 2018 (in terms of number of breaches).
These charts show the percentage of breaches by year experienced by these four organization types:
The number of records exposed, however, was a different thing altogether. Although the medical community suffered the greatest number of attacks, they managed to keep their percentage of total records exposed in the single digits, with the exception of 2015, when 37.4% of all exposed records were in the health niche.
Similarly, the EDU niche, while suffering the largest number of attacks in 2005, 2007, 2008 and 2009, didn’t experience exposure of more than 3.5% of the total records exposed in any year from 2005 through 2018. Why were these two niches able to keep their exposure count so low, in spite of increased attacks?
An argument could be made that learning to comply with HIPAA (the Health Insurance Portability and Accountability Act) had something to do with the medical community’s preparedness to repel or stop attacks. Since President Clinton signed the Act into law in 1990, the government zealously pursued entities who weren’t sufficiently aggressive in protecting patients’ personal information. With a decade and a half to get up to speed on monitoring and protecting patient data, it’s reasonable to assume that many such organizations were amply prepared to spot and stop many attempted intrusions.
Health entities experienced between 40 and 72% of all breaches from 2010 to 2018, while allowing the exposure of only an average of 7.1% of all the records exposed during that same timeframe. That would seem to indicate that the health entities may have been very effective at early detection and clamping down on intrusions before many records could be compromised. But to be fair, that’s just correlation and there could be other reasons.
This chart shows the number of records exposed, against the number of breaches recorded.
Personally, I doubt that people are exercising more caution with their personal data. In fact, I’d guess the opposite is true. While there’s a lot of publicity surrounding breaches and risks, I see a general “ho-hum” attitude, as though people don’t believe it could ever happen to them. The primary responsibility for protecting user data seems to fall to organizations, rather than to the individual owners of that data.
That’s not unreasonable, to a degree, but shouldn’t we all shoulder some of that responsibility? After all, we’re the ones at risk. Excluding flagrant irresponsibility on the part of an organization, is it realistic to put them solely on the hook? I say no.
Just as stated by the old saying, “a chain is only as strong as its weakest link”, a database is sometimes only as strong as the weakest password of a single user. Once a hacker (or as is more often the case, a hacker’s bot) has a figurative foot in the door, it may be able to migrate throughout that database with relative ease. That can result in theft of sensitive personal information, embedding of key-loggers, hijacking of a website and more. Sometimes, such hacks will go unnoticed, and the website will be used for sending out spam emails, redirecting users to other sites or infecting visitors with malware.
Such infections can be difficult to clean up; occasionally, the harm done is so severe as to make it preferable to simply abandon the site and the domain name.
Where is this going?
The communities of hackers and security consultants are inextricably linked, as organizations hire hackers to build more secure systems. The efforts of one bright soul on either side of the fence will soon be outdone by a slightly brighter soul on the other side. As long as a person can build a wall, someone else can make a bigger hammer to break through it. The circle continues, until, perhaps, the wall becomes too much trouble to build or breach…
That point doesn’t seem to be likely any time soon, though. So perhaps it’s time to develop a new way of managing personal data. Will that be a GDPR-esque system, where the data collected is severely limited? Will users finally refuse to surrender their data online? Is there some other method to minimize the risks of data loss?