The first half of 2015 saw more individual data incidents than the first half of 2016 (2,221 versus 1,837), but 2016's first-half breaches exposed far more records: 1.139 billion versus a "mere" 259 million in the first six months of 2015.
Perhaps the most damning findings of the mid-year Data Breach QuickView Report are:
- First, attackers continue to have broad success with tried-and-true techniques. That the same techniques (and we are not talking about zero-day attacks) pay off time and time again is a sad testament to human nature and inertia.
- Phishing and social engineering continue to work, and work well.
- Indeed, the ransomware situation in particular has become so serious that the FTC is holding a Ransomware Workshop tomorrow, Sept 7, 2016, which it will stream live; see https://www.ftc.gov/news-events/events-calendar/2016/09/fall-technology-series-ransomware
- Misconfigured databases continue to serve up large amounts of data. The majority of incidents so far in 2016 (77.6%) resulted from outside hacks that succeeded because of databases with known, unpatched or uncorrected weaknesses.
- For example, a MacKeeper security researcher discovered a misconfigured MongoDB instance, hosted on AWS servers in the United States, that contained personal information on 93.4 million Mexican voters.
- And these attacks, like lightning, strike the same target again and again: the Report notes that 54 organizations reported multiple incidents in the first half of 2016.
- Reusing log-in credentials across multiple sites has cascading effects across many organizations. Passwords are a growing (and increasingly recognized) weakness.
- As the number of breaches grows, more and more password databases are compromised, letting criminals and hackers tune their password-cracking dictionaries.
- The situation has led the National Institute of Standards and Technology (NIST) to draft new guidelines for federal password policies, including a strong push toward two-factor authentication; see Special Publication 800-63-3, Digital Authentication Guidelines, at https://pages.nist.gov/800-63-3/ and a short slide deck by draft co-author Jim Fenton, Toward Better Password Requirements, at http://www.slideshare.net/jim_fenton/toward-better-password-requirements
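To make the NIST direction on passwords concrete, here is an added example (not code from the Report, from NIST or from this firm) of a password acceptance check in the spirit of the draft SP 800-63B volume of that suite: a length floor, a comparison against a list of known-breached values, a check for context-specific words such as the username, and deliberately no composition rules. The breached-password list is constructed for the example and stored as SHA-1 hashes the way public breach corpora are typically distributed; the function and parameter names are the example's own.

```python
"""Password acceptance check in the spirit of the draft NIST SP 800-63B:
a length floor, a comparison against known-breached values, a check for
context-specific words, and deliberately no composition rules.
Added example; the breached list below is constructed, not real data."""
import hashlib
import unicodedata


def sha1_hex(secret):
    """Hex SHA-1 of the secret, the form breach corpora are usually published in."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus. Real lists hold hundreds of
# millions of hashes; the membership check is the same.
BREACHED_SHA1 = {sha1_hex(p) for p in (
    "password", "123456", "qwerty", "letmein", "Summer2016!",
)}


def check_password(candidate, username="", service="", min_len=8):
    """Return the reasons the candidate is rejected; an empty list means accepted.
    Note what is absent: no uppercase/digit/symbol requirements and no
    maximum length short enough to block long passphrases."""
    secret = unicodedata.normalize("NFKC", candidate)  # stable bytes for hashing
    reasons = []
    if len(secret) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if sha1_hex(secret) in BREACHED_SHA1:
        reasons.append("found in breached-password list")
    lowered = secret.lower()
    for word in (username, service):
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    # "Summer2016!" satisfies every classic composition rule yet is rejected,
    # while a long lowercase passphrase is accepted.
    for pw in ("Summer2016!", "correct horse battery staple", "alice-rocks-2016"):
        print(repr(pw), check_password(pw, username="alice", service="example") or "accepted")
```

The point of the third sample is that a password which passes every "one uppercase, one digit, one symbol" rule is still rejected because it appears in a breach list, which is exactly the failure mode credential reuse creates.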
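The MongoDB incident above comes down to two settings. As an added example (not from the Report, from MongoDB or from the researcher involved), the following audits a mongod.conf for them: a bindIp that exposes the listener on every interface, and a missing security.authorization: enabled. The two sample configurations are constructed for the example, and the mini-parser handles only the two-level YAML subset that mongod.conf uses (a hypothetical simplification; use a real YAML parser in practice).

```python
"""Audit a mongod.conf for the two settings behind most exposed-MongoDB
incidents: a listener bound to every interface, and no authentication.
Added example; the config samples below are constructed, not real."""

# Constructed: the shape of config that leaves a database open to the internet.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from any address, no authentication section
"""

# Constructed: the same deployment with the two settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-tier address
security:
  authorization: enabled       # clients must authenticate and be authorized
"""


def parse_conf(text):
    """Flatten the two-level 'section:' / '  key: value' layout of mongod.conf
    into {'section.key': 'value'}. Hypothetical mini-parser for this example
    only; it strips comments and does not handle nested lists."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            continue
        key, _, value = line.strip().partition(":")
        settings[f"{section}.{key.strip()}"] = value.strip()
    return settings


# Values that expose the listener on every interface.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    s = parse_conf(text)
    findings = []
    bind = s.get("net.bindIp")
    if bind is None:
        # mongod releases before 3.6 listened on all interfaces when bindIp was unset.
        findings.append("net.bindIp not set: older mongod listens on all interfaces by default")
    elif any(a.strip() in WILDCARD_ADDRS for a in bind.split(",")):
        findings.append(f"net.bindIp={bind}: listener exposed on every interface")
    if s.get("net.bindIpAll") == "true":
        findings.append("net.bindIpAll=true: listener exposed on every interface")
    if s.get("security.authorization") != "enabled":
        findings.append("security.authorization not enabled: anonymous clients get full access")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Either finding on its own is enough to reproduce the incident described above: a wildcard bind puts the port on the internet, and disabled authorization means whoever reaches it reads every collection.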
Conclusion
The Report is a useful refresh to discuss with your own IT dept, and to use as a check of your company's contract templates and data protection "addendums" (like SmartedgeLaw's state of the art exhibit) to ensure that the obligations imposed on vendors include specific safeguards against the most common data breach incident vectors. Feel free to contact us to discuss the report at 203 307-2665 or email at firstname.lastname@example.org if you have any questions about what the Report may mean in light of your own data security and privacy efforts.