
World+dog had 1.4 BEEEELLION of its data records exposed last year

That's 86% up on 2015... and it's mostly identity theft

By John Leyden, 28 Mar 2017

Almost 1.4 billion data records were compromised worldwide during 2016, a whopping increase of 86 per cent compared to the year before.

The collective spill occurred across 1,792 data breaches last year, according to security firm Gemalto's latest Breach Level Index (BLI) report. Identity theft was the leading type of breach in 2016, accounting for more than 59 per cent of all break-ins. Malicious outsiders were the leading source, accounting for 68 per cent of breaches.

Last year's attack on Adult FriendFinder exposing 400 million records scored a 10 in terms of severity on the Breach Level Index. Other notable breaches in 2016 included Fling, Philippines' Commission on Elections (COMELEC) and Dailymotion. The top 10 breaches in terms of severity accounted for more than half of all compromised records. In 2016, Yahoo! reported two major data breaches involving 1.5 billion user accounts, but these do not factor in the 2016 edition of Gemalto's BLI since they occurred in 2013 and 2014.

To evaluate the severity of breaches, Gemalto takes into account factors such as the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. According to the BLI, more than 7 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. The figure represents more than 3 million records compromised every day or roughly 44 records every second.

Password reuse is opening the door for hackers to mount so-called credential surfing attacks. The tactic involves taking leaked ID/password combinations from the likes of the Yahoo! breach and trying them on more sensitive sites (e-commerce, webmail etc.).

"The Breach Level Index highlights four major cybercriminal trends over the past year," said Jason Hart, vice president and chief technology officer for data protection at Gemalto. "Hackers are casting a wider net and are using easily attainable account and identity information as a starting point for high value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organisations to infiltrating large databases such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then hold it for ransom and decrypting once they are paid."

Last year 4.2 per cent of the total breaches involved data that had been partially or fully encrypted. In some of these instances, the password was encrypted, but other information was not. Of the almost 1.4 billion records compromised, lost or stolen in 2016, 6 per cent were encrypted partially or in full (compared to 2 per cent in 2015).

"Encryption and authentication are no longer 'best practices' but necessities," Hart said. "This is especially true with new and updated government mandates like the upcoming General Data Protection Regulation in Europe, US-based and APAC-based breach disclosure laws." ®
