2016 was a year of mega breaches. LinkedIn, MySpace, Yahoo and several other well-known online services all suffered some sort of data breach. Billions of customers’ records from these breaches have been traded on darknet marketplaces or privately between hackers.
In this article, you will find a number of statistics which we compiled from some of the data breaches that happened in 2016. This data gives us a high-level overview of the data breach problem.
Sources for Information About the 2016 Data Breach Incidents
According to the non-profit organization ID Theft Resource Centre, in 2016 there were more than 1,000 data breaches in the US alone, a 40% increase from 2015. In this document, we only use a small sample from this data. We’ve chosen the incidents to use in these statistics based on the following criteria:
The affected organization is well known.
The data breach affected a wide range of people (in most cases 500,000+ leaked records).
The method of the attack that led to the data breach is known (with the exception of the Mega breaches).
The date of the breach notification or when the data was leaked is 2016.
Let’s dive into the numbers.
The Number of Breached Records
Overall there were 61 breaches that matched the above-mentioned criteria. Through these breaches a total of 2.7 billion (2,716,114,000) confidential records were leaked.
It is worth mentioning that 1,000,000,000 of the leaked records were from the Yahoo mega data breach alone. That’s 36.82% of the stolen records that we have investigated. Even though the details of this breach were made public in 2016, it seems the breach itself happened in 2013. The cause of this breach is believed to be a cookie-based web application vulnerability that allowed anyone to authenticate as another user without needing to supply a password.
If we add the 500,000,000 records from the other breach Yahoo disclosed in 2016, Yahoo is responsible for way over 50% of all the stolen and leaked records.
Type of Websites That Were Breached
From the data that we have analyzed, there were websites from 13 different industries. Government websites were the most popular target, which accounted for 14 out of 61 data breaches. The second most popular category of websites was from the entertainment industry with 10 data breaches, closely followed by the gaming industry, with 8 data breaches.
Below is a graph which shows the most popular targets by industry/category.
This trend is not surprising at all, given the number of nation-state attacks and hacktivists that were releasing government-owned data to the public.
Top 10 Data Breach Causes
Vulnerable web applications are the top cause of data breaches, accounting for 58% of the incidents and 1,524,689,300 stolen records. In 68% of the web application hacks, the malicious hackers exploited a SQL Injection web vulnerability, making it the most popular and widely exploited vulnerability.
Below is a graph of the top 10 data breach causes, with vulnerable web applications clearly being the top cause. The other most popular causes are human error and phishing attacks, which can also be classified under human error.
Examples of a Successful Web Application Hack That Led to a Data Breach
Cross Fire (Cfire.mail.ru): The attackers exploited a SQL injection vulnerability in the vBulletin forum web application used on the website, through which they stole about 13 million datasets.
Adult FriendFinder: The attackers abused a local file inclusion vulnerability in a web application, exposing more than 400 million datasets.
Linux Mint: The attackers were able to hack the website due to a vulnerability in either WordPress or one of its plugins. They stole around 145,000 datasets and also backdoored one of the ISO images.
Preventing Data Breaches
Addressing the Web Application Security Problem
Vulnerable web applications are clearly the number one cause of data breaches, accounting for a staggering 58% of the attacks. Therefore implementing a solid web application security program is definitely a good start.
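Since SQL injection was behind 68% of the web application hacks in this sample, here is what the flaw and its fix look like in code. This is an added example, not part of the original article; the table, the function names and the test input are all constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are illustrative only.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return db

def find_user_vulnerable(db, name):
    # BEFORE: the input is concatenated into the SQL text, so the database
    # parses it as part of the statement rather than as a value.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, name):
    # AFTER: the driver binds the value separately from the statement,
    # so the input cannot change the query's structure.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# Identifiers such as column names cannot be bound as parameters,
# so they are checked against a fixed allowlist instead.
SORTABLE = {"name", "email"}

def list_users_sorted(db, column):
    if column not in SORTABLE:
        raise ValueError("unsupported sort column")
    return db.execute(
        f"SELECT name, email FROM users ORDER BY {column}"
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input
    print("vulnerable:", len(find_user_vulnerable(db, crafted)), "rows")
    print("safe:      ", len(find_user_safe(db, crafted)), "rows")
```

The same input that makes the concatenated query return every row matches nothing once it is bound as a parameter.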
Web Application Security Automation Is the Key
Web application security is not easy, especially with today’s complex technologies and ever-changing web applications with countless possible attack entries. In fact, even the big players are being caught off guard.
There is no one-stop solution, and security is a process rather than a solution, though automation is certainly the key. In fact, 58% of data breaches would have been avoided if the vulnerable web applications were scanned with a web application security scanner. Scanners can automatically detect vulnerabilities such as SQL injections, Local File Inclusions, and Cross-site Scripting.
And, most likely, that is what the attackers did; they used automated tools to scan and find vulnerabilities in the target web applications.
Addressing the Rest of the Data Breaches Causes
Apart from web application security, it is also evident that there is the need to train employees, and make them aware of the damage their tiniest and sometimes negligent actions can cause to the business and its reputation. For example:
Use strong passwords (haven’t we all heard this before, yet it is still a problem).
Don’t click on suspicious links or type your credentials into suspicious websites. Employees need to be trained and made aware of the possible dangers.
Keep your laptop and mobile equipment in close proximity, especially when traveling.
And there are also things we, the technical people, can do from our end to help the non-tech savvy staff, such as:
Enforce encryption of hard drives and mobile devices.
Enable two-factor authentication when possible.
And last but not least, make sure that all the software, network services, and other software components that are used on any server are up to date.
Should You Take Action?
Many think of IT security the same way they think of travel insurance: nothing has ever happened to me when I’m abroad, I always travel to safe destinations, so why should I get insured? It is always other businesses’ websites that get hacked, I'll be fine.
The risks of having your website hacked are very high. In most cases, malicious hackers run automated tools at random, without targeting any specific website. And the ones which are flagged as vulnerable will be attacked.
So the fact that your website has never been hacked is more a matter of luck than anything else. You should definitely take action before things go belly-up. And if you are still not sure if you should take action, just read the next section.
How Much Does a Data Breach Cost?
It is very difficult to determine how much a data breach costs a business because the long-term repercussions on the business’ reputation cannot be calculated. However, once a business suffers a data breach, it has to pay for the following:
Fines - if the data breach was caused because the IT systems/web applications were not compliant with the industry’s regulations, the business will be fined.
Legal fees - affected customers, business partners, and other affected parties will seek compensation for the damage they sustained.
Costs incurred for forensics work and recovering from the attack.
IBM estimates that a single stolen confidential record typically has a cost of $158. So if your business suffers a data breach of just 7,000 records, the bill to recover from that would be around $1,000,000. Can your business afford that?