Follow the Data: Dissecting Data Breaches and Debunking the Myths

These past 10 years have given us some of US history's most high-profile data breaches. There was the AOL incident in 2005, where an insider leaked sensitive data. The Sony (2011) and Target (2014) incidents exposed millions of customer records. And this year alone, we saw healthcare companies (Anthem), government agencies (OPM), and even online dating services (Ashley Madison) get hit with breaches of their own. The magnitude of stolen information is staggering, and the variety of which even more so.

Much of the attention surrounding these breaches has been focused on who's affected and how they can recover. The stolen data on the other hand is treated as a lost cause. But there is so much more to learn from studying what was stolen. By following the data, we can get a picture of what attackers are looking for, how they use the data, how much it costs, and where it eventually ends up.

Numaan Huq of the Trend Micro Forward-Looking Threat Research team analyzed a decade's worth of data breach information to gain insight into the odds at play when a company suffers a breach. His probability studies will allow companies to assess their current risk levels in order to come up with better strategies to defend their networks. They also help us prove if what we know about data breaches have merit or are just mere myths.

Myth # 1: Hacking and malware are the leading causes of data breaches.

Although the news has been rife with stories of how certain malware or hacking groups were responsible for breaches, the truth is, most of them were actually caused by device loss. Overall, it accounts for 41% of all breaches compared to the 25% caused by hacking and malware. Companies may often overlook the kind of sensitive information stored on their employees' laptops, mobile devices, and even thumb drives. If any of these devices get lost, stolen, and are left unprotected, they become an easy way to steal data.

This doesn't mean, though, that hacking and malware are not serious. These kinds of threats should never be taken lightly. Compared to device loss or theft—which can be mitigated through remote device wipe, the use of virtual infrastructure, and enforcement of stricter policies—hacking and attacks using malware are more planned and deliberate. Highly customized defense solutions and strategies are required in these cases.

Myth # 2: Attackers go for personally identifiable information (PII) to reap the most data.

This is both true and false. Although PII is the most popular stolen record type, it doesn't guarantee an attacker more access to his target information. It really depends on the situation and the attacker's goal. If the aim is to get educational or health records, having a person's PII will give the attacker a higher chance of accessing those bits of information. If attackers really want to gain access to the proverbial keys to the kingdom, they would go for credentials, more specifically, the credentials of a network administrator.

Reload

Myth # 3: Using hacking or malware is the best way to steal all types of data.

Looking at the probability, this one is actually true, only because these were the most popular methods attackers used this past decade. Hacking into a network—whether using brute force, social engineering, or malware—has the highest chance of returns. The second most preferred method is through insiders. These can be disgruntled employees who leak the data on their own volition.

Myth # 4: The retail industry is the most affected by data breaches.

Although retailers have suffered many losses because of data breaches, the most affected industry was actually the healthcare sector, accounting for more than a fourth of all breaches (26.9%) this past decade. The second was the education sector (16.8%) followed by government agencies (15.9%). Retailers only come in fourth place with 12.5%. Although its share is not as big as the healthcare industry's, the effects of a breach for a high-profile retail giant can still be damaging in terms of reputation and revenue.

Myth # 5: PII is the most in-demand underground commodity in terms of breached information.

There's actually a big surplus of PII currently available in the cybercriminal underground. This has caused its price to drop significantly, from US$4 last year to US$1 this year. The same goes for credit card numbers which are now sold in bulk, regardless of card brand. Interestingly, the selling of stolen Uber accounts is gaining popularity. They're sold at around US$1.15 each.

For a more detailed look at the end-to-end journey of stolen data, check out our research paper Follow the Data: Dissecting Data Breaches and Debunking the Myths [PDF]. There, you'll see more of the research, analysis, and insights that support the findings listed here. Also flip through its companion piece, Follow the Data: Analyzing Breaches by Industry, where you'll see a breakdown of stolen data and breach methods associated with each sector.

The data set used in this research was from the Privacy Rights Clearinghouse (PRC), a non-profit corporation based in California. PRC's mission is to engage, educate, and empower individuals to protect their privacy. They do this by raising consumers' awareness of how technology affects personal privacy, and they empower consumers to take actions to control their personal information by providing practical tips on privacy protection. PRC responds to privacy-related complaints from consumers and where appropriate intercedes on the consumer's behalf/or refers them to the proper organizations for further assistance. PRC documents consumers' complaints & questions about privacy in reports and makes them available to policy makers, industry representatives, consumer advocates, media, etc. PRC advocates consumers' privacy rights in local, state, and federal public policy proceedings.

DOWNLOAD FULL REPORTS

Click to view Follow the Data: Dissecting Data Breaches and Debunking the Myths

Click to view Follow the Data: Analyzing Breaches
by Industry

Data breaches are a real risk for enterprises. Enterprises should deploy solutions like Trend Micro™ Custom Defense, which can detect, analyze and respond to advanced malware and other attack techniques which can be used by attackers in data breaches. Solutions like Trend Micro Deep Security, on the other hand, can protect data server applications and content to prevent business disruptions, while helping meet regulatory compliance, whether you are using physical, virtual, cloud or mixed-platform environments.

Integrated Data Loss Prevention in Trend Micro products can identify, track and secure all confidential data from multiple points within the organization to avoid the occurrence of unintended disclosures and the repercussions of lost devices. Endpoint Encryption ensures data privacy by encrypting data stored on endpoints—including PCs, Macs, DVDs, and USB drives.