Breaches down 51%, exposed records set new record with 36 billion so far

The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals.

“The quagmire that formed in the breach landscape this Spring has continued through the third quarter of the year,” commented Inga Goddijn, Executive VP at Risk Based Security.

“Breach disclosures continue to be well below the high water mark established just last year despite other research indicating the number of attacks are on the rise. How do we square these two competing views into the digital threat landscape?”

Factors contributing to the decline in publicly reported breaches

The report explores numerous factors, including how media coverage may be contributing to the decline in publicly reported breaches. The increase in ransomware attacks may also have a part to play.

“We believe that the pivot by malicious actors to more lucrative ransomware attacks is another factor,” Goddijn commented.

“While many of these attacks are now clearly breach events, the nature of the data compromised can give some victim organizations a reprieve from reporting the incident to regulators and the public.

“After all, while the compromised data may be sensitive to the target organization, unless it contains a sufficient amount of personal data to trigger a notification obligation the event can go unreported.”

The Risk Based Security report covers the data breaches reported between January 1, 2020 and September 30, 2020. In addition to the latest breach data research, the report also dissects alarming trends involving the coming November election, where several US voter databases have been shared and discussed on both Russian- and English-speaking hacking forums.

Vulnerability reporting is returning to normal

Vulnerability reporting, still impacted by COVID-19, is beginning to return to normal, Risk Based Security reveals.

Out of 11,121 vulnerabilities aggregated during the first half of 2020, 818 were the result of the Vulnerability Fujiwhara Effect, a term that describes the events when Microsoft and Oracle vulnerability disclosure schedules collide.

“Risk Based Security sounded the alarm back in January. We knew that these events would undoubtedly become a significant strain for IT staff and Vulnerability Managers,” commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.

“Compared to other Patch Tuesdays this year, the highest reported ‘only’ 273 new vulnerabilities. However, during April’s Fujiwhara event we saw 506 new vulnerabilities reported, 79% of which came from seven vendors.

“Unfortunately for all of us, this is likely we can expect to occur more frequently in the future. The sheer volume makes one wonder who actually benefits from this all-at-once disclosure of vulnerabilities. Certainly not the paying customers.”

Vendors and products with the highest vulnerability counts

The report goes further into the details of the disclosure landscape by listing and breaking down the vendors and products with the highest vulnerability counts. Most notable is Microsoft, which has seen a 150% increase in the number of vulnerabilities disclosed during the first six months of 2020 compared to the entirety of 2019. Windows 10 was the product with the most disclosed vulnerabilities by the end of Q2.

A growing concern is that, despite the high number of Microsoft vulnerabilities and the Vulnerability Fujiwhara, 29.3% of all vulnerabilities disclosed during the first half of 2020 do not have a CVE ID, with 3.3% being in RESERVED status, meaning that information for those vulnerabilities is not available within the CVE/NVD database.

“Given the sheer amount of vulnerabilities disclosed, organizations relying on CVE/NVD will struggle to find timely and actionable intelligence,” Mr. Martin concluded.

“The bare minimum metadata found within NVD is not enough for organizations to properly prioritize and remediate. Organizations are increasing their own risk by relying on CVE to provide complete and timely data. The current level of vulnerability disclosures organizations face on a daily basis are more than CVE can handle, and it will only get worse.”

Publicly reported data breaches down 52%, exposed records way up!

Although the number of publicly reported data breaches stands at its lowest in five years, the number of records exposed is more than four times higher than any previously reported time period, a Risk Based Security report reveals.

“The striking differences between 2020 and prior years brings up many questions,” commented Inga Goddijn, Executive Vice President at Risk Based Security. “Why is the breach count low compared to prior years? What is driving the growth in the number of records exposed? And perhaps most importantly, is this a permanent change in the data breach landscape?”

The report explores in detail how supply chain disruptions, brought on by the COVID-19 pandemic, have impacted data breach reporting and influenced other trends. In addition, Risk Based Security explains the cause behind the alarming number of records exposed.

“Misconfigured databases and services have been the key driver behind the growing number of records exposed. When entire databases are left open and freely accessible, a considerable amount of data is put at risk. It is a small handful of these events in Q2 that are responsible for the explosion in the number of records exposed. In the second quarter of 2020, just two breaches alone were responsible for more than 18 billion of the 27 billion records put at risk,” Goddijn concluded.

Despite lower number of vulnerability disclosures, security teams have their work cut out for them

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals.

Vulnerabilities of interest disclosed in Q1 2020

Vulnerabilities disclosed in Q1 2020: What happened?

Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year.

“Although the pandemic has already brought unprecedented changes to all walks of life, it is difficult to predict precisely how it will impact vulnerability disclosures this year,” commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.

“It is possible, as we’ve seen with data breaches, that some researchers and companies may be slower to disclose vulnerabilities. Between drastic changes in work environments and a global pandemic, vulnerability disclosure totals may be directly impacted.”

Many vulnerabilities lacking detail in CVE

Despite the lower total number of vulnerability disclosures in Q1, security teams have their work cut out for them. 561 vulnerabilities have been identified that have a public exploit, yet do not have any detail in CVE.

Worse, 60.2% of those vulnerabilities are remotely exploitable. This is problematic for many organizations that rely on security tools that are based on CVE data and have little in the way of detection and mitigation.

Top ten products by vulnerability disclosures in Q1 2020, as compared to 2019

“Those vulnerabilities include issues such as remote authentication bypass, stored XSS, SQL injection, information disclosure, denial of service, and more,” Mr. Martin concluded.

“Some of these vulnerabilities are present in software from Symantec, Apple, Atlassian, ManageEngine, Nextcloud, Jetbrains, and IBM to name a few. That should give pause to anyone who has to come up with a mitigation strategy where patching ‘in the right order’ becomes a key strategy.”

Total number of publicly reported breaches in Q1 2020 down 42% compared to last year

The total number of publicly reported breaches in Q1 2020 has decreased by 42% compared to the same period last year, Risk Based Security reveals.

Publicly reported breaches in Q1 2020 drop dramatically compared to 2019

Despite this, the number of records exposed for this quarter skyrocketed to 8.4 billion – a 273% increase compared to Q1 2019, and a record for the same period since at least 2005, when detailed reporting began.

“Although the total number of publicly disclosed breaches in Q1 2020 dropped dramatically compared to 2019, this should not be interpreted as a decline in breach activity,” commented Inga Goddijn, Executive Vice President at Risk Based Security.

“We observed two factors driving this change. First, a large number of illicit data leaks and dumps were identified in early 2019, resulting in a temporary spike in activity. Similar spikes had been captured in the fall of 2018 and 2017, but this trend was absent from the start of 2020.

“The second factor is the disruption triggered by COVID-19. As the virus spread, so did a decline in breach disclosures. The turmoil that the pandemic has brought has created a unique opportunity for malicious actors and a stressful environment primed for mistakes.

“Once the dust settles, we anticipate the number of reported breaches will be on par with, if not exceed, 2019.”

A misconfigured ElasticSearch

The report explores in further detail how the pandemic, and the ensuing economic impact, has laid the groundwork for successful cyber attacks.

“The increase in records compromised was driven largely by one breach; a misconfigured ElasticSearch cluster that exposed 5.1 billion records. But even if we adjusted for this incident, the number of records still increased 48% compared to Q1 2019,” commented Inga Goddijn, Executive Vice President at Risk Based Security.

“On average, hacking exposed an average of approximately 850,000 records per breach and most breaches originated from outside the organization. We are continually finding that simply meeting regulatory standards or contractual obligations do little to actually prevent a breach from occurring.”

A third of all vulnerabilities in 2019 had a CVSS v2 score of 7.0 and above

Risk Based Security’s VulnDB team aggregated 22,316 newly-disclosed vulnerabilities during 2019, finding that 37.26% had available exploit code or a Proof of Concept and that 33.43% of all vulnerabilities in 2019 had a CVSS v2 score of 7.0 and above.

2019 Year End Vulnerability QuickView Report

Risk Based Security also identified a total of 302 vulnerabilities impacting Electronic Voting Machines (EVMs), 289 of which have no known solution.

“As with any device that relies on code, there are vulnerabilities that can affect the system’s integrity and you don’t want anyone tampering with them. Only 13 EVM vulnerabilities have a known solution. To make matters worse, of those, only one has a CVE ID assigned and can be found cataloged in the U.S. National Vulnerability Database,” said Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.

“EVMs with vulnerabilities have been used in past elections, and will no doubt be used again in our next elections. It doesn’t matter what politics or beliefs you subscribe to; the essence of democracy is a free, fair and secure election that captures the will of the people. The lack of visibility on this issue should be of deep concern to every American,” Martin added.

Patch Tuesday

The full research is highlighted in the just-released 2019 Year End Vulnerability QuickView Report. Additional key findings comment on the increasing number of vulnerability disclosures being released on the same day due to Patch Tuesday. With 2019 reaching an all-time high of 327 vulnerabilities being disclosed in a single day, Risk Based Security maintains that the practice, despite its initial good intentions, is turning into a “nightmare” for many organizations.

“Patch Tuesday was created by Microsoft and it rolled out patches in a more scheduled and consistent manner. However, as the years have passed, more and more vendors are not only co-opting the concept of Patch Tuesday, but the day itself,” Mr. Martin concludes. “What started with Microsoft has turned into a storm of vendor disclosures from major vendors like Adobe, SAP, Siemens, and Schneider Electric. More companies are starting to release on Patch Tuesday as well as at other times. Those vendors include Google, Apple, Mozilla, Intel, Cisco, F5, and Juniper. All of those potential releases are in addition to the typical disclosures seen on any average day.”

In 2019, a total of 7,098 reported breaches exposed 15.1 billion records

In 2019 the total number of records exposed increased by 284% compared to 2018, according to Risk Based Security.

2019 saw an increase in reported breaches

In total, there were over 15.1 billion records exposed, shattering industry projections. There were 7,098 breaches reported in 2019, a 1% increase on 2018, though the gap is anticipated to grow throughout Q1 2020 as more 2019 incidents come to light.

“2019 was a rough year for breach activity, with reported breaches reaching an all-time high and the number of records exposed up 284% compared to 2018,” commented Inga Goddijn, Executive Vice President at Risk Based Security.

“As ghastly as those numbers are, there is much more to the story of 2019 and it’s not entirely bad news. One bright spot is that the number of incidents where sensitive data was accessible but not confirmed as taken increased to 22.6% of breaches, compared to 18% at the close of 2018.

“So, while the total number of unique records exposed was very high for certain events, the number of individuals whose data was put at risk is far fewer.”

2019: The worst year on record

However, 2019 has lived up to its reputation for being “the worst year on record” for breach activity with more breaches reported, more data exposed, and more credentials dumped online.

Since the release of the report three months ago, 7.2 billion records were compromised, with only four events accounting for 93.5% of those records. The cause? Open and misconfigured databases that were made publicly accessible to anyone motivated to seek them out.

2019: Number of reported breaches by attack vector

“The interest in finding these rich sources of information shows little sign of abating,” commented Inga Goddijn, Executive Vice President at Risk Based Security. “Thanks to the combination of low risk detection and low barrier of entry into this type of activity, we anticipate open, unsecured data will continue to be an issue well into the new decade.”

Key findings state that by NAICS economic sector, technology providers pushed the Information sector to the top spot for number of breaches, followed by the Healthcare sector.

Looking further into the data breach landscape, hacking remains the top breach type for number of incidents and exposed the most records this year.

5,183 breaches from the first nine months of 2019 exposed 7.9 billion records

According to Risk Based Security’s Q3 2019 Data Breach QuickView Report, the total number of breaches was up 33.3% compared to Q3 2018, with 5,183 breaches reported in the first nine months of 2019.

Breach activity in 2019 is living up to being “the worst year on record”. Although the total number of breaches is on track to break previous year records, …

The post 5,183 breaches from the first nine months of 2019 exposed 7.9 billion records appeared first on Help Net Security.