The financial impact of ransomware rose by 60% in 2018, losses from business email compromise (BEC) doubled, cryptojacking incidents – the unauthorised use of others’ computing resources to conduct cryptomining – more than tripled, and there continued to be a steady stream of high-profile data breaches, according to a report from the Internet Society’s Online Trust Alliance.
Describing the report’s statistics as “Some Better, Some Worse, All Bad Looking”, the Society says “it might seem that 2018 finally brought some cyber incident relief”: the number of data breaches and of exposed records was down, and both ransomware and DDoS attacks were down overall.
According to the Society, however, it is difficult to get a complete, accurate picture of the overall cyber incident landscape.
“In tracking cyber incidents, many key data “pieces” exist, but are limited for a variety of reasons – they often represent only one vendor’s view of their user base, they are typically regional and not global, it is easier to measure attacks than measure which are successful, there is a lack of consolidated reporting mechanisms, and finally, it is still the case that most incidents go unreported,” the Society observes.
“In this context, the approach taken in this year’s report is to lay out the various key statistics and trends across the types of cyber incidents, but not come to a definitive conclusion regarding a precise number of incidents. As in prior years, the report will still outline threat trends and how to address them.
“There are several organisations that track data breaches, mostly relying on public reports, though the results vary widely due to different methodologies. Risk Based Security reports the highest number at 6,515 breaches and 5 billion exposed records, both down from 2017.”
The Identity Theft Resource Center also reports on breaches, finding 1,244 in 2018 with approximately 2 billion exposed records; the number of breaches is down from 2017, while the number of sensitive records exposed (447 million) is up significantly.
Privacy Rights Clearinghouse reported 635 breaches and 1.4 billion exposed records in 2018, both down from 2017.
Though these reports do include some international breaches, they do not cover all breaches worldwide, as shown in DLA Piper’s GDPR Data Breach Survey, which surveyed data protection authorities in the EU and found 59,000 reported breaches between May and December 2018 alone.
The report’s 2018 incident highlights (worldwide estimates): 95% of breaches could have been prevented (ISOC); a 3.2% decrease in reported breach incidents (RBS); 5 billion records exposed, a 35.9% decrease (RBS); $8 billion financial impact of ransomware (CV); a 12% rise in ransomware targeting businesses (Symantec); and $12.5 billion in global EAC/BEC losses since 2013 (FBI).
“In 2018 there certainly were many high-volume (and therefore high-profile) breaches – a dozen exposed more than 100 million records – and they can be instructive from both a trend and lessons learned standpoint. The largest breach, which involved 1.1 billion records of Aadhaar, India’s national ID database, happened early in the year and was attributed to an unsecured API,” the Society says.
The Marriott/Starwood breach impacted 383 million people. In retrospect it was clear that attackers had been in the Starwood network since 2014, before the Marriott acquisition, and would have been detected by routine network checks, highlighting the need to perform regular security checks and acquisition due diligence.
Under Armour had a breach of 150 million MyFitnessPal records and was lauded for its rapid and thorough response, though it was revealed that some passwords had been stored as SHA-1 hashes. SHA-1 is a fast general-purpose hash rather than a dedicated password-hashing function, so such hashes are cheap to crack offline once leaked.
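The SHA-1 password point is worth seeing concretely. The following is an added example, not code from the report, the article or Under Armour: it stores passwords the weak way (a bare SHA-1 digest) beside a hardened salted, slow PBKDF2 scheme, then runs an offline dictionary attack over a leaked table of each kind. The user table, the wordlist and the PBKDF2 iteration count are constructed for the demo; the page does not describe Under Armour’s actual scheme or how the hashes were attacked.

```python
import hashlib
import hmac
import os

# ---- Weak scheme: a bare, fast, unsalted SHA-1 digest ----
def weak_store(password):
    """Store a password as its SHA-1 hex digest (the weak pattern)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def weak_verify(password, stored):
    return hmac.compare_digest(weak_store(password), stored)

# ---- Hardened scheme: per-user random salt plus a deliberately slow KDF ----
# PBKDF2-HMAC-SHA256 from the standard library. The iteration count is an
# assumption chosen for this demo; production should tune it (or use
# scrypt/bcrypt/Argon2, which the page does not discuss).
PBKDF2_ITERATIONS = 100_000

def strong_store(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def strong_verify(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

# ---- Offline dictionary attack against a leaked table of unsalted SHA-1 hashes ----
def crack_sha1_table(leaked, wordlist):
    """leaked: {username: sha1_hex}. Returns {username: recovered_password}.

    Because nothing is salted, each wordlist entry is hashed exactly once and
    the result is matched against every user at the same time: the cost is
    len(wordlist) digests no matter how many users leaked."""
    lookup = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}

def attack_cost(n_users, n_guesses, scheme):
    """Rough count of primitive hash invocations needed to try every guess
    against every user. Unsalted SHA-1: one digest per guess, shared by all
    users. Salted PBKDF2: every (user, guess) pair needs its own full derivation."""
    if scheme == "sha1":
        return n_guesses
    if scheme == "pbkdf2":
        return n_users * n_guesses * PBKDF2_ITERATIONS
    raise ValueError("unknown scheme: %s" % scheme)

# Constructed sample data: a small user table and a tiny wordlist.
USERS = {"alice": "fitness2018", "bob": "letmein",
         "carol": "fitness2018", "dave": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "letmein", "qwerty", "fitness2018"]

def demo():
    """Build both leaked tables and crack the SHA-1 one; returns the results."""
    leaked_weak = {u: weak_store(p) for u, p in USERS.items()}
    cracked = crack_sha1_table(leaked_weak, WORDLIST)
    # alice and carol share a password, so their SHA-1 digests are identical;
    # bob's password is in the wordlist too; dave's is not, so it survives.
    leaked_strong = {u: strong_store(p) for u, p in USERS.items()}
    return cracked, leaked_weak, leaked_strong

if __name__ == "__main__":
    cracked, weak, strong = demo()
    print("cracked from SHA-1 table:", cracked)
    print("alice/carol SHA-1 digests equal:", weak["alice"] == weak["carol"])
    print("alice/carol PBKDF2 records equal:", strong["alice"] == strong["carol"])
    print("work for %d guesses x %d users: sha1=%d pbkdf2=%d" % (
        len(WORDLIST), len(USERS),
        attack_cost(len(USERS), len(WORDLIST), "sha1"),
        attack_cost(len(USERS), len(WORDLIST), "pbkdf2")))
```

Running it, the SHA-1 table gives up every password that appears in the wordlist after five digest computations, and alice’s and carol’s identical digests reveal that they share a password before any cracking starts. The PBKDF2 table offers neither shortcut: each user has a distinct record even with the same password, and each guess against each user costs a full iterated derivation, which is the property a password store needs.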
“Looking across the cyber incident landscape, a rough estimate of the overall volume can be calculated.
“The lead categories are cryptojacking (1.3 million) and ransomware (500,000), followed by breaches (60,000), supply chain (at least 60,000 infected websites), and BEC/EAC (20,000).
“Credential stuffing and DDoS attack success rates are more difficult to determine, though there are significant known successes for both.
“Adding it all up, the Internet Society’s Online Trust Alliance estimates that there were more than 2 million cyber incidents in 2018, and it is likely that even this number significantly underestimates the actual problem.
“The financial impact across all these types of incidents is also difficult to determine. While some have definitive reports (BEC/EAC at $1.2 billion in 2018) or strong estimates (ransomware at $8 billion, credential stuffing at $5 billion), others have more general estimates (average cost of data breach grew to $3.86 million according to Ponemon Institute, average cost of $222,000 per successful DDoS attack), and some are undetermined (cryptojacking, formjacking).
“Even using these loose estimates, it is easy to justify a total impact of more than $45 billion in 2018.
“All of this begs the question – are things getting better or worse? The answer is ‘both’ – as some types of attacks wane, others rise. What is very clear is that there are too many cyber incidents creating an unacceptable level of financial impact,” the Society concludes.