Risk Based Security released their 2014 data breach report (available here) with some impressive numbers. I am just going to highlight a few; read the report if you would like more details.
- 3,014 data breach incidents (up 28.5%)
- 1.1 Billion records breached (up 22.3%)
- 72.5% of the incidents released fewer than 10,000 records
- 55.3% of the incidents released fewer than 1,000 records
- 83.3% were lost due to traditional hacking, with fraud and social engineering making up another 14.3%, so the breaches are overwhelmingly malicious (out for the money).
- 5 incidents made the all-time 10 worst list
Having breaches go up by around 25% year over year is not a good sign. That 55% of the breaches released fewer than a thousand records and 72% released fewer than 10,000 records supports other statistics showing that small and medium businesses are the targets of hackers. It is consistent with the First Data figure that 70% of breaches are against small and medium businesses.
It is unfortunate that 5 breaches made the all-time top 10 list, and they include several you have probably never heard about (the NYC taxi commission lost 173 taxi trip records).
The message is that just because you are not Home Depot or Sony, it doesn’t mean the hackers are not coming after you.
This is the time of year that people make lists, so I will also. These are not in any particular order, but the total is pretty amazing. I had already forgotten some of these —
- Michaels and its subsidiary Aaron Bros Art Framing (January) – 3.4 million records, credit and debit card information from their POS system.
- LivingSocial (April) – more than 50 million records, names, emails, birthdays and encrypted passwords stolen.
- eBay (May) – an unknown number, but eBay asked all 145 million customers to change their passwords, so we might assume it was all of them. Usernames, encrypted email addresses and passwords were stolen.
- American Express (June) – almost 76,000 California residents. Names, account numbers, expiration dates and CVV numbers were stolen. While the number of cards stolen is relatively low, since Amex doesn’t have the traditional card credit limit, the rewards might be priceless.
- P.F. Changs (August) – exact number unknown. Credit card numbers, expiration dates and customer names were reportedly stolen
- Staples – 1.16 million cards. Staples said the hackers got customer names, card numbers, expiration dates and CVV numbers.
- Snapchat (October) – Almost 98,000 files were stolen and posted on The Pirate Bay. Again, not a large number, but an unfortunate number of pictures were child porn – selfies from kids under the age of understanding, err, 18.
- The Home Depot (September) – 56 million credit cards and an additional 53 million email addresses.
- JP Morgan Chase (October) – 76 million households and 8 million small businesses. Chase said that the hackers only got names, addresses and phone numbers.
- Sony (December) – Hackers broke into Sony, erased hundreds if not thousands of machines, stole tens of millions of files and almost got the movie The Interview cancelled. Sony is still doing damage control and trying to recover.
All in all, that is a lot of compromised information.
Las Vegas Review Journal
Krebs On Security
Risk Based Security