OTA analyzes cyber incident and breach events to extract key learnings and provide guidance to help organizations of all sizes raise the bar on trust through enhanced data protection and increased defense against evolving threats.
This year’s Cyber Incident & Breach Trends Report includes ransomware, business email compromise (BEC), distributed denial-of-service (DDoS) attacks, connected device vulnerability, and more.
2018 – Some Better, Some Worse, All Bad
Looking at some of the statistics it might seem that 2018 finally brought some cyber incident relief – the number of data breaches and exposed records were down, and both ransomware and DDoS attacks were down overall. Yet the financial impact of ransomware rose by 60%, losses from business email compromise (BEC) doubled, cryptojacking incidents (the unauthorized use of others’ computing resources to conduct cryptomining) more than tripled, and there continued to be a steady stream of high-profile data breaches.
It is difficult to get a complete, accurate picture of the overall cyber incident landscape. Much like putting together a jigsaw puzzle with only a handful of key pieces, it is possible to get a sense of the overall picture, but many of the details are missing. In tracking cyber incidents, many key data “pieces” exist, but are limited for a variety of reasons – they often represent only one vendor’s view of their user base, they are typically regional and not global, it is easier to measure attacks than measure which are successful, there is a lack of consolidated reporting mechanisms, and finally, it is still the case that most incidents go unreported.
2018 Incident Highlights
95% of breaches could have been prevented (ISOC)
3.2% decrease in reported breach incidents (RBS)
5 billion records exposed, a 35.9% decrease (RBS)
$8 billion financial impact of ransomware (CV)
12% rise in business targeted ransomware (Symantec)
$12.5 billion in global EAC/BEC losses since 2013 (FBI)
Worldwide estimates. Sources: (ISOC) Internet Society, (RBS) Risk Based Security, (CV) Cybersecurity Ventures
In this context, the approach taken in this year’s report is to lay out the various key statistics and trends across the types of cyber incidents, but not come to a definitive conclusion regarding a precise number of incidents. As in prior years, the report will still outline threat trends and how to address them.
There are several organizations that track data breaches, mostly relying on public reports, though the results vary widely due to different methodologies. Risk Based Security reports the highest number at 6,515 breaches and 5 billion exposed records, both down from 2017.[1] Identity Theft Resource Center also reports on breaches, finding 1,244 in 2018 with approximately 2 billion exposed records – the number of breaches is down from 2017 while the number of sensitive records exposed (447 million) is up significantly.[2] Privacy Rights Clearinghouse reported 635 breaches and 1.4 billion exposed records in 2018, both down from 2017.[3] Though these reports do include some international breaches, they do not cover all breaches worldwide, as shown in DLA Piper’s GDPR Data Breach Survey, which surveyed data protection authorities in the EU and found 59,000 reported breaches just between May and December 2018.[4]
In 2018 there certainly were many high-volume (and therefore high-profile) breaches – a dozen exposed more than 100 million records – and they can be instructive from both a trend and lessons learned standpoint. The largest breach, which involved 1.1 billion records of Aadhaar, India’s national ID database, happened early in the year and was attributed to an unsecured API.[5] The Marriott/Starwood breach impacted 383 million people. In retrospect it was clear that attackers had been in the Starwood network since 2014 (pre-Marriott acquisition), and would have been detected by routine network checks, thus highlighting the need to perform regular security checks and due diligence.[6] [7] Under Amour had a breach of 150 million MyFitnessPal records and was lauded for its rapid and thorough response, though it was revealed that some passwords were encrypted using the weak SHA-1 hash.[8]
Finally, the Facebook/Cambridge Analytica “breach”, which impacted 87 million people, brought into the public discourse questions regarding appropriate protection, use and access to user data.[9] This sampling of top breaches runs the gamut in terms of learning opportunities – from securing third-party access (both technically and from a privacy practice standpoint), to ongoing diligence in monitoring for vulnerabilities and unauthorized access, to keeping only necessary data and securing it properly.
Ransomware was a major attack vector in 2017, and while it continued to have an impact in 2018, the overall numbers declined during the year. In its Internet Security Threat Report (ISTR) 24, Symantec reported more than 500,000 ransomware infections, which was down 20% overall from 2017, but they saw a shift toward enterprise users, which actually grew 12%.[10] Many reports hypothesize that attackers shifted to other methods such as cryptojacking where the payback was more certain and exposure was less likely. Still, ransomware continues to make headlines, especially when it cripples organizations such as the city of Atlanta, which has spent an estimated $17 million to handle the aftermath.[11] In fact, Cybersecurity Ventures estimates that ransomware will cost organizations $8 billion in 2018, growing to $20 billion in 2021.[12]
Cryptojacking became prominent in late 2017 as the price of cryptocurrency soared.[13] If an attacker can infiltrate an organization, they have many choices regarding how to use that access, and planting code that quietly uses computing resources to mine cryptocurrency is certainly one approach. Though on the surface such attacks may seem innocuous, there are real costs associated with extra energy use, sluggish performance (in which case computers might be upgraded unnecessarily, giving attackers even more resources to work with), and even failures of equipment due to heavy use. Attackers have even gone to the point of infecting websites or ads in order to utilize users’ browsers (and thereby their computers) to expand the available computing resources.[14] [15]
Trend Micro detected more than 1.3 million instances of cryptojacking code in 2018, a greater than three-fold increase from 2017.[16] Many reports cite evidence that cryptojacking attacks declined as 2018 progressed, in line with the falling value of cryptocurrency, but it is important to remember that these attackers have a foothold and can pivot to other, more lucrative forms of attack.
Distributed Denial of Service (DDoS) attacks were reported to have declined slightly in 2018, though they are still wreaking havoc in many industries. Kaspersky Labs reported a 13% decline in attacks in 2018, to approximately 160,000, while NSF Focus reported similar numbers, estimating 148,000 DDoS attacks for the year.[17] [18]
The challenge with DDoS is determining how many attacks are successful – there is no aggregated reporting and most organizations are reluctant to acknowledge their vulnerability. However, there are examples of successful attacks across a wide range of industries, ranging from banking (ABN AMRO) to education (Infinite Campus) to email services (ProtonMail) to software services (GitHub, the largest recorded DDoS attack to date).[19] [20] [21] [22] Netscout estimates that the cost of downtime averages nearly $222,000 per attack.[23]
Another form of attack – supply chain attacks – grew significantly in 2018. High-profile historical examples are the Target breach in 2013 where access was gained via a Heating, Ventilation and Air Conditioning (HVAC) vendor, the NotPetya attack in 2017 where an update to accounting software was infected and then spread widely, and the CCleaner attack in 2017 where more than 2 million infected copies of the popular computer cleanup tool were downloaded. One of the most prevalent forms seen in 2018 was “formjacking,” where attackers infect a website’s submission form via a third-party supplier or malicious code carried in ads, and then either scrape the information or infect the user. Symantec’s ISTR reported a 78% growth in supply chain attacks and estimates that nearly 5,000 websites a month contained formjacking code. The most prominent 2018 example of this type of attack was Magecart, which infected Ticketmaster, British Airways, Newegg and 800 others.[24] [25]
Business Email Compromise (BEC), also known as Email Account Compromise (EAC), attacks also grew significantly in 2018. In this attack, employees of organizations are deceived into sending funds (or equivalent, such as gift cards) as a response to emails from attackers pretending to be vendors or executives. The FBI, via its Internet Crime Complaint Center, collects reports on these incidents. In their 2018 Internet Crime Report they reported more than 20,000 BEC/EAC incidents in the U.S., resulting in nearly $1.3 billion in losses (an increase from approximately 16,000 incidents and $677 million in losses in 2017).[26] Their report in mid-2018 looked at total global BEC/EAC incidents since 2013 and reported nearly 80,000 incidents representing a total of $12.5 billion in losses. In response, in addition to filtering out suspect messages, many organizations are marking messages that originate from outside the organization as “External” and are conducting extensive training for employees.
An attack vector that also gained steam in 2018 was “credential stuffing,” wherein attackers use the large database of breached credentials to gain access to users’ accounts.[27] [28] In early 2019, several database compilations totaling more than 2 billion credentials were discovered, and Akamai reported 30 billion credential stuffing login attempts for 2018, highlighting the scale of the problem.[29] [30] According to research by Shape Security, only approximately 1% of these attacks are successful, but given the scale of the attacks, this still has an estimated impact of more than $5 billion per year.[31] High-profile victims of credential stuffing in 2018 were HSBC, Nest, Dunkin Donuts, Reddit, DailyMotion and TurboTax.[32] [33] [34] [35] In response, there has been a general call for users to use unique passwords for each service (e.g., via a password manager) and to enable multi-factor authentication where possible.
Looking across the cyber incident landscape, a rough estimate of the overall volume can be calculated. The lead categories are cryptojacking (1.3 million) and ransomware (500,000), followed by breaches (60,000), supply chain (at least 60,000 infected websites), and BEC/EAC (20,000). Credential stuffing and DDoS attack success rates are more difficult to determine, though there are significant known successes for both. Adding it all up, the Internet Society’s Online Trust Alliance estimates that there were more than 2 million cyber incidents in 2018, and it is likely that even this number significantly underestimates the actual problem.
The financial impact across all these types of incidents is also difficult to determine. While some have definitive reports (BEC/EAC at $1.2 billion in 2018) or strong estimates (ransomware at $8 billion, credential stuffing at $5 billion), others have more general estimates (average cost of data breach grew to $3.86 million according to Ponemon Institute, average cost of $222,000 per successful DDoS attack), and some are undetermined (cryptojacking, formjacking).[36] Even using these loose estimates, it is easy to justify a total impact of more than $45 billion in 2018.
All of this begs the question “are things getting better or worse”? The answer is “both” – as some types of attacks wane, others rise. What is very clear is that there are too many cyber incidents creating an unacceptable level of financial impact. As the following sections will outline, addressing these threats comes back to a basic set of core best practices that require discipline to implement and maintain.
Endnotes
[1] https://pages.riskbasedsecurity.com/2018-ye-breach-quickview-report
[2] https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_2018-End-of-Year-Aftermath_FINAL_V2_combinedWEB.pdf
[3] https://www.privacyrights.org/data-breaches
[4] https://www.dlapiper.com/~/media/files/insights/publications/2019/02/dla-piper-gdpr-data-breach-survey-february-2019.pdf
[5] https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/
[6] https://www.washingtonpost.com/business/2018/11/30/marriott-discloses-massive-data-breach-impacting-million-guests/
[7] https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
[8] https://threatpost.com/under-armour-reports-massive-breach-of-150-million-myfitnesspal-accounts/130863/
[9] https://www.vice.com/en_us/article/3kjzvk/facebook-cambridge-analytica-not-a-data-breach
[10] https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf
[11] https://www.databreachtoday.com/atlantas-reported-ransomware-bill-up-to-17-million-a-11281
[12] https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/
[13] https://www.wired.com/story/cryptojacking-took-over-internet/
[14] https://mashable.com/2018/01/27/coinhive-youtube-google-doubleclick/
[15] https://www.wired.com/story/make-a-wish-website-cryptojacking-hack/
[16] https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/unraveling-the-tangle-of-old-and-new-threats
[17] https://securelist.com/ddos-attacks-in-q4-2018/89565/
[18] https://nsfocusglobal.com/2018-ddos-attack-landscape/
[19] https://www.abnamro.com/en/newsroom/newsarticles/2018/ddos-attacks.html
[20] https://www.infosecurity-magazine.com/news/ddos-attacks-infinite-campus/
[21] https://techcrunch.com/2018/06/27/protonmail-suffers-ddos-attack-that-takes-its-email-service-down-for-minutes/
[22] https://techcrunch.com/2018/03/02/the-worlds-largest-ddos-attack-took-github-offline-for-less-than-tens-minutes/
[23] https://www.netscout.com/report/
[24] https://www.securityweek.com/new-magecart-group-targets-french-ad-agency
[25] https://www.riskiq.com/blog/labs/magecart-adverline/
[26] https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf
[27] https://www.wired.com/story/what-is-credential-stuffing/
[28] https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-operations-work/
[29] https://www.wired.com/story/collection-leak-usernames-passwords-billions/
[30] https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-credential-stuffing-attacks-and-economies-report-2019.pdf
[31] https://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf
[32] https://www.zdnet.com/article/hsbc-discloses-security-incident/
[33] https://www.zdnet.com/article/dunkin-donuts-accounts-compromised-in-second-credential-stuffing-attack-in-three-months/
[34] https://www.wired.com/story/nest-cameras-pew-die-pie-north-korea-passwords/
[35] https://www.zdnet.com/article/dailymotion-discloses-credential-stuffing-attack/
[36] https://securityintelligence.com/ponemon-cost-of-a-data-breach-2018/