2019 MidYear QuickView Data Breach Report

Data Breach Intelligence. Copyright © 2019 Risk Based Security, Inc. All rights reserved.

Issued August, 2019

Data as of July, 2019


Key Findings

This report covers the data breaches captured by Risk Based Security during the first six months of 2019. The information collected is displayed in a sampling of charts depicting various groupings, classifications, insights, and comparisons of the data from midyear.

3,813 breaches were reported through June 30, exposing over 4.1 billion records.

Compared to midyear of 2018, the number of reported breaches was up 54% and the number of exposed records was up 52%.

Of the breached organizations that could be definitively classified, the Business sector accounted for 67% of reported breaches, followed by Medical (14%), Government (12%) and Education (7%). This continues the trend observed in the Q1 2019 report.

In Q1, three breaches were reported as exposing over 100 million records. In Q2 another five breaches were reported as exposing 100 million records or more. Collectively, these eight breaches exposed over 3.2 billion records or 78.6% of the total records exposed through June 30.

The Business sector accounted for 84.6% of the records exposed followed by Unclassified at 14.8% and Medical at 0.3%. The Government and Education sectors combined accounted for 12.9 million records exposed through the midyear point.

Web remains the number one breach type for number of records exposed, accounting for 79% of compromised records, while Hacking remains the number one breach type for number of incidents, accounting for 82% of reported breaches.

Email addresses and passwords remain prized targets, with email addresses exposed in approximately 70% of reported breaches and passwords exposed in approximately 65% of reported breaches.

Executive Vice President

Inga found her way to information security after working for twenty years in the insurance industry. During her time managing a multi-million dollar portfolio of technology and cyber insurance coverages, Inga witnessed first-hand the impact of ineffective security program management and the financial fallout from data breach events.

Recognizing the need for both better data and better processes for managing security risk, Inga joined Risk Based Security in 2013 where she is responsible for Cyber Risk Analytics® and YourCISO®.

As a strong advocate for sharing knowledge, Inga has presented at a variety of industry forums and has led many continuing education sessions throughout the U.S. She currently holds a CIPP/US designation.


Table of Contents

What Did Breaches Look Like So Far in 2019?

How Bad Have Breaches Been?

How Do Breaches Happen?

A Note on Third Parties

Who Has Been Affected By These Breaches?

Closing Thoughts

Top 10 Breaches in the First Six Months

Top 10 Breaches of All Time

Methodology and Terms


What Did Breaches Look Like So Far in 2019?

The breach trends observed in the first quarter continued and remained strong as we moved through the midway point of the year. The disclosure rate for publicly reported breaches continued its breakneck pace, jumping to over 3,800 breaches in the first six months. This represents a 50% or more increase over each of the prior four years, begging the question: why?

The interest in user credentials is the key. Troves of username and password combinations continue to become available on forums and file sharing sites while phishing for access credentials - a perennially popular method for gaining access to systems and services - has surged in recent months, proving once again that tried and true social engineering techniques still produce results for attackers.

The breach at Bodybuilding.com is a prime example of this trend. In July of last year, malicious actors gained access to the company’s systems thanks to a successful phishing email. Hackers were able to move about the system for approximately eight months, potentially accessing data ranging from customers’ names and addresses to profile details and order history.

Incidents like the breach at Bodybuilding.com also explain why the Miscellaneous data type is growing. Should something like order history and customers’ interests be captured in the profile of a breach event? We think so. While not as sensitive as banking details or Social Security numbers, the data can be especially useful for creating targeted phishing campaigns - so much so that organizations are beginning to warn users of the risk. Bodybuilding.com did exactly this, stating in their FAQs to customers:

“Please note that the email from Bodybuilding.com does not ask you to click on any links or contain attachments and does not request your personal data. If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by Bodybuilding.com and may be an attempt to steal your personal data.”

Despite the surge of social engineering, hacking still remains the number one breach type. Its prominence can be linked to the growing number of vulnerabilities being reported in the cybersecurity landscape. This topic will be further touched upon in Risk Based Security’s upcoming VulnDB® MidYear QuickView Report.

Read on to learn more about the breach trends and statistics unfolding in 2019.


Between 2015 and 2018, the variation in the number of reported breaches was less than 200 incidents. For the first six months of 2019, the number of breaches increased by 54% compared to the same time last year. The reason? Over 1,300 data leaks, mostly exposing email addresses and passwords, were documented in the first half of 2019. Although these tend to be relatively small events, averaging fewer than 230 records exposed per incident, these leaks have contributed substantially to the number of access credentials freely available on the Internet.

Tactics, Techniques and Procedures evolve over time but the end results have remained consistent. Unauthorized access of systems or services (Hacking), skimmers, and exposure of sensitive data on the Internet (Web) have been the top three breach types since January of 2018. Likewise, insider actions, both malicious and accidental, have driven the number of records exposed, with Web and Fraud accounting for over 6.7 billion records exposed over the last 18 months.

Figure 1: The number of breaches added by Q2 in the past 8 years.

Figure 2: The number of known records exposed (in millions) by Q2 in the past 8 years.

Figure 3: The number of breaches added for the top five breach types.

Figure 4: The number of records exposed (in millions) for the top five breach types.


How Bad Have Breaches Been?

Impact - much like beauty - is in the eye of the beholder. Ask anyone that has had their identity stolen how impactful a breach has been and you’re likely to hear a story replete with heartache and countless hours lost to repairing the mess. For the organizations suffering the breach, the experience can be very much the same. Customers may shrug off the inconvenience of a password reset or services being temporarily unavailable thanks to a ransomware event, but these situations can cost organizations dearly in terms of lost productivity, dollars spent on investigation and remediation, and loss of customer loyalty.

While singular experiences will vary greatly from one situation to the next, aggregating data across the spectrum of breaches reported in the first six months of the year is revealing. On the whole, the majority of breaches reported this year had a moderate to low severity score and exposed 10,000 or fewer records. Still, severity increased by half a point (out of ten) between Q1 and Q2, as can be seen in Figure 5.

Figure 5: Severity distribution of breaches in Q1 and Q2.

| Records Exposed | Number of Breaches |
|---|---|
| Unknown | 780 |
| 1 to 9 | 45 |
| 10 to 99 | 1318 |
| 100 to 999 | 1216 |
| 1,000 to 9,999 | 325 |
| 10,000 to 99,999 | 114 |
| 100,000 to 999,999 | 51 |
| 1,000,000 to 9,999,999 | 52 |
| 10,000,000 or above | 33 |

Table 1: Number of breaches per range of records exposed.

Impact can also be assessed in terms of the type of data exposed. Access credentials such as email addresses and passwords are valuable for use in future attacks, but can also be easily changed, unlike date of birth or Social Security numbers. Despite this, the focus on obtaining email addresses and passwords is clear from the analysis below.

Figure 6: The percentage of breaches that exposed a particular data type.

| Type | 2019 | 2018 | 2017 |
|---|---|---|---|
| Email | 70% | 44% | 32% |
| Password | 64% | 39% | 27% |
| Name | 23% | 37% | 41% |
| Misc. | 18% | 19% | 15% |
| SSN | 11% | 22% | 27% |
| Credit Card | 11% | 16% | 19% |
| Address | 11% | 22% | 30% |
| Account | 10% | 7% | 4% |
| Unknown | 8% | 13% | 18% |
| Date of Birth | 8% | 13% | 12% |
| Medical | 5% | 9% | 7% |
| Financial | 5% | 13% | 19% |

Table 2: Percentage of data types exposed through the midyear point.


How Do Breaches Happen?

“Never interrupt your enemy when he is making a mistake.” - Napoleon Bonaparte

Quarter after quarter the pattern repeats itself. The vast majority of incidents are attributable to malicious actors outside of the organization, yet more and more sensitive data is exposed when insiders fail to properly handle or secure the information. Case in point, misconfigured databases and services - 149 of the 3,813 incidents reported this year - exposed over 3.2 billion records.

Attackers have taken notice. The practice of targeting open, unsecured databases to either steal data or hold it for ransom has ebbed and flowed over the past 2 years. Most recently, in May, independent security researcher Sanyam Jain identified a new campaign by a group dubbed Unistellar. The group has been credited with wiping the contents of more than 12,500 unprotected MongoDB databases, leaving behind nothing more than a brief note with contact information for restoration.

Figure 7: Distribution of the attack vector, broken down by the type/motivation of attack.

Chart labels: Outside: 89%; Inside: 8%; Accidental (Inside): 58%; Unknown (Inside): 14%; Malicious (Inside): 12%; Unknown: 15%; Unknown: 1%.


A Note on Third Parties

In the first 6 months of the year, 137 breaches exposed sensitive data belonging to third parties. While some of these events were relatively mundane, others had far-reaching implications. Perhaps none was worse than the compromise at American Medical Collection Agency (AMCA).

Initially reported as a breach at Quest Diagnostics, it quickly became clear the breach actually occurred at AMCA. Founded in 1977, and specializing in collections for medical labs, AMCA served some of the biggest names in the industry.

Around August 1, 2018, only three years after AMCA converted from an IBM mainframe system running COBOL4, hackers infiltrated AMCA’s network and pilfered over 22 million debtors’ records including data such as names, addresses, dates of birth, Social Security numbers and financial details.

The fallout has been substantial. Clients severed their relationship with AMCA, consumer lawsuits were filed within days of the initial breach disclosure and, most devastating of all, AMCA was forced into filing for bankruptcy protection a mere 2 weeks after news of the breach made headlines.

A closer look at breaches impacting third parties, and their data, shows a striking difference compared to all breaches in Q2. Email addresses and passwords fall toward the bottom of the data types compromised while names, addresses, Social Security numbers and dates of birth climb to the top of the chart. Not only can these breaches be more difficult to manage given the multiple parties involved, they can also have more damaging consequences for the individuals whose data is exposed in the event.

Figure 8: The number of third-party breaches added by Q2 in the past 8 years.

Figure 9: The number of known third-party records exposed by Q2 in the past 8 years.

Figure 10: The percentage of third-party breaches that exposed a particular data type.


Who Has Been Affected By These Breaches?

No place is “safe” from a breach, but some countries and certain industries are more proactive when it comes to breach disclosure than others.

Reporting of breach events is largely driven by a statutory obligation to do so. Where these laws do not exist, breaches can be swept under the rug.

Figure 11: The number of breaches by location.

Figure 12: The number of breaches affecting each business type and sub-type.


Figure 13: The number of breaches affecting each economic sector.

Figure 14: The number of breaches vs records exposed (in billions), per US state.

Figure 14 highlights that US states, no matter the number of breaches, generally didn’t expose many records by midyear 2019. The only exception to this was California. While it had a similar number of breach events as Florida, its breaches exposed about a billion more records in total. It should come as no surprise that two-thirds of breaches that occurred in California, a more technological state than Florida, are due to hacking. This likely accounts for the greater loss of records compared to Florida, whose incidents were largely the result of skimming.

A better equivalence exists between Florida and Texas, as both states have been a haven for skimmers this year. Texas, with its long distances between metro areas, saw 91% of the skimming incidents reported in the state occurring due to devices installed on gas pumps. Skimming was the top breach type in Florida but the state did see a bit more diversity, with 75% of those incidents taking place at gas pumps and the remainder discovered on ATMs.

Closing Thoughts

Looking over the first six months of the year it is difficult to find much to inspire an optimistic outlook. The number of breaches is up and the number of records exposed remains stubbornly high. What is clear is that despite the awareness of the issue among business leaders and the best efforts of defenders, data breaches continue to take place at an alarming rate.

As we put the finishing touches on this MidYear report, 2019 surpassed the total number of breaches reported in 2016. Once again, we are on track for another “worst year on record” for breach activity.


Top 10 Breaches in the First Six Months

| Organization | Reported | Severity | Records Exposed | Data Type | Breach Type | Inside / Outside | Location | Details |
|---|---|---|---|---|---|---|---|---|
| Verifications.io | 3/7/19 | 10 | 982,864,972 | ADD / DOB / EMA / FIN / MISC / NAA / NUM / PWD | Web | Inside-Accident | Estonia | 982,864,972 names, addresses, email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, personal mortgage amounts, and FTP server credentials exposed on the Internet due to a misconfigured database |
| First American Financial Corporation | 5/24/19 | 10 | 885,000,000 | ADD / EMA / FIN / MISC / NAA / NUM / SSN | Web | Inside-Accident | United States | Approximately 885,000,000 real estate closing transaction records containing names, Social Security numbers, phone numbers, email and physical addresses, driver’s license images, banking details, and mortgage lender names and loan numbers exposed on the Internet due to IDOR flaw |
| Cultura Colectiva | 4/3/19 | 10 | 540,000,000 | ACC / MISC | Web | Inside-Accident | Mexico | Facebook user IDs, account names, comments, and likes exposed on the Internet due to a misconfigured database |
| Unknown Organization | 5/1/19 | 9.51893 | 275,265,298 | DOB / EMA / FIN / MISC / NAA / NUM | Web | Inside-Accident | India | 275,265,298 Indian citizens' names, email addresses, genders, dates of birth, phone numbers, education details, and employment details such as salaries, professional skills, and employer history held in publicly indexed MongoDB instance taken by Unistellar hacking group |
| Unknown Organization | 1/10/19 | 9.3861 | 202,730,434 | ADD / DOB / EMA / MISC / NAA / NUM | Web | Inside-Accident | China | 202,730,434 job applicant names, addresses, dates of birth, phone numbers, email addresses, marriage statuses, driver’s license numbers, professional experiences, and job expectations exposed on the Internet due to a misconfigured database |
| Dubsmash, Inc. | 2/12/19 | 9.81036 | 161,549,210 | EMA / MISC / NAA / PWD / USR | Hack | Outside | United States | 161,549,210 users' names, IDs, email addresses, usernames, SHA256-hashed passwords, languages, and countries stolen by hackers and later offered for sale |
| Canva | 5/24/19 | 9.74508 | 139,000,000 | EMA / MISC / NAA / NUM / USR | Hack | Outside | Australia | 139,000,000 customer names, usernames, email addresses, bcrypt hashed passwords, and location information stolen by hackers through undisclosed means |
| Justdial | 4/17/19 | 9.07918 | 100,000,000 | ADD / DOB / EMA / MISC / NAA / NUM | Web | Inside-Accident | India | 100,000,000 users' names, addresses, email addresses, phone numbers, dates of birth, genders, photos, occupations, and company names exposed online due to a publicly accessible API endpoint |
| ApexSMS Inc. dba Mobile Drip | 5/9/19 | 8.68154 | 80,055,125 | ADD / EMA / MISC / NAA / NUM | Web | Inside-Accident | United States | 80,055,125 records containing MD5 hashed email addresses, full names, partial physical addresses, IP addresses, phone numbers, cellular network providers and line types held in a misconfigured database |
| Unknown Organization | 4/29/19 | 8.98227 | 80,000,000 | ADD / DOB / FIN / MISC / NAA | Web | Inside-Accident | United States | 80,000,000 names, addresses, ages, dates of birth, genders, incomes, marital statuses, homeowner statuses, and dwelling types exposed on the Internet due to a misconfigured database |


Top 10 Breaches of all Time

| Organization | Reported | Severity | Records Exposed | Data Type | Breach Type | Inside / Outside | Location | Details |
|---|---|---|---|---|---|---|---|---|
| Altaba, Inc (formerly known as Yahoo) | 12/14/16 | 10 | 3,000,000,000 | DOB / EMA / MISC / NAA / NUM / PWD | Hack | Outside | United States | 3,000,000,000 customer names, email addresses, phone numbers, dates of birth, and MD5 hashed passwords, as well as an unknown number of security questions and answers stolen by hackers using stolen proprietary code |
| DU Group dba DU Caller | 5/13/17 | 10 | 2,000,000,000 | ADD / NAA / NUM | Web | Inside | China | 2,000,000,000 user phone numbers, names, and addresses inappropriately made accessible to others through an uncensored public directory |
| River City Media, LLC (RCM) | 3/3/17 | 10 | 1,374,159,612 | ADD / EMA / FIN / MISC / NAA | Web | Inside-Accident | United States | 1,374,159,612 names, addresses, IP addresses, and email addresses, as well as an undisclosed number of financial documents, chat logs, and backups exposed by faulty Rsync backup |
| NetEase, Inc. dba 163.com | 1/25/17 | 10 | 1,221,893,767 | EMA / PWD | Hack | Outside | China | 1,221,893,767 email addresses and passwords stolen by hackers and sold on the Dark Web by DoubleFlag |
| Unknown Organization | 1/3/18 | 10 | 1,190,000,000 | ADD / EMA / MISC / NAA / NUM / SSN | Fraud SE | Unknown | India | 1,190,000,000 names, Aadhaar numbers, addresses, phone numbers, email addresses, postal codes, and photographs of Indian citizens made available to unauthorized users, most likely by former village-level enterprise (VLE) operators selling access to the Aadhaar database |
| Verifications.io | 3/7/19 | 10 | 982,864,972 | ADD / DOB / EMA / FIN / MISC / NAA / NUM / PWD | Web | Inside-Accident | Estonia | 982,864,972 names, addresses, email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, personal mortgage amounts, and FTP server credentials exposed on the Internet due to a misconfigured database |
| First American Financial Corporation | 5/24/19 | 10 | 885,000,000 | ADD / EMA / FIN / MISC / NAA / NUM / SSN | Web | Inside-Accident | United States | Approximately 885,000,000 real estate closing transaction records containing names, Social Security numbers, phone numbers, email and physical addresses, driver’s license images, banking details, and mortgage lender names and loan numbers exposed on the Internet due to IDOR flaw |
| Unknown Organization | 8/29/17 | 9.63002 | 711,000,000 | EMA / MISC / PWD | Web | Inside-Accident | Netherlands | 711,000,000 email addresses, passwords, and SMTP credentials exposed on the Internet due to a misconfigured spambot database |
| Cultura Colectiva | 4/3/19 | 10 | 540,000,000 | ACC / MISC | Web | Inside-Accident | Mexico | 540,000,000 Facebook user IDs, account names, comments, and likes exposed on the Internet due to a misconfigured database |
| Altaba, Inc (formerly known as Yahoo) | 9/22/16 | 10 | 500,000,000 | DOB / EMA / MISC / NAA / NUM / PWD | Hack | Outside | United States | 500,000,000 user names, email addresses, phone numbers, dates of birth, bcrypt hashed passwords and some security questions and associated answers compromised by hackers |

Three breaches reported this year have made the list of the ten largest breaches of all time.


Methodology and Terms

Risk Based Security’s research methods include automated processes coupled with traditional human research and analysis. Our proprietary applications crawl the Internet 24x7 to capture and aggregate potential data breaches for our researchers to analyze. In addition, the research team manually verifies news feeds, blogs, and other sources looking for new data breaches as well as new information on previously disclosed incidents. The database also includes information obtained through Freedom of Information Act (FOIA) requests, seeking breach notification documentation from various state and federal agencies in the United States. The research team extends our heartfelt thanks to the individuals and agencies that assist with fulfilling our requests for information.

Data Standards and the Use of “Unknown”

In order for any data point to be associated with a breach entry, Risk Based Security requires a high degree of confidence in the accuracy of the information reported as well as the ability to reference a public source for the information. In short, the research team does not guess at the facts. For this reason the term “Unknown” is used when the item cannot be verified in accordance with our data validation requirements. This can occur when the breached organization cannot be identified but leaked data is confirmed to be valid or when the breached organization is unwilling or unable to provide sufficient clarity to the data point.

Data Type Definitions

| Abbreviation | Description |
|---|---|
| CCN | Credit Card Numbers |
| SSN | Social Security Numbers (or Non-US Equivalent) |
| NAA | Names |
| EMA | Email Addresses |
| MISC | Miscellaneous |
| MED | Medical |
| ACC | Account Information |
| DOB | Date of Birth |
| FIN | Financial Information |
| UNK | Unknown / Undisclosed |
| PWD | Passwords |
| ADD | Addresses |
| USR | User Name |
| NUM | Phone Number |
| IP | Intellectual Property |


About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Vulnerability Intelligence, Vendor Risk Ratings, and Data Breaches. Our products, Cyber Risk Analytics (CRA), VulnDB and YourCISO, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner.

For more information, visit www.riskbasedsecurity.com or call +1 855-RBS-RISK.

About Cyber Risk Analytics

Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach® vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.

For more information, or to request a demo, visit www.cyberriskanalytics.com.

No Warranty

Risk Based Security, Inc. makes this report available on an “As-is” basis and offers no warranty as to its accuracy, completeness or that it includes all the latest data breaches. The information contained in this report is general in nature and should not be used to address specific security issues. Opinions and conclusions presented reflect judgment at the time of publication and are subject to change without notice. Any use of the information contained in this report is solely at the risk of the user. Risk Based Security, Inc. assumes no responsibility for errors, omissions, or damages resulting from the use of or reliance on the information herein. If you have specific security concerns please contact Risk Based Security, Inc. for more detailed data loss analysis and security consulting services.