Deep Analysis of More than 60,000 Breach Reports Over Three Years
Hackers Are Winning Battles, While Victims are Gaming the Notification Laws
Threat intelligence platform provider HackNotice has analyzed more than 60,000 breach reports over the last three years and finds some disturbing results, including a steady rise in the number of breaches and a relative decline in the share of breaches disclosed through official channels.
In its analysis, shared exclusively with SecurityWeek, the company examined 67,529 breaches that were publicly reported from 2018 to 2020. The reports break down by source as follows:
Leak reports containing data from a breached company as disclosed by hackers (41,030).
News; that is, a breach report first announced by an online news service (15,219).
With 2.7 times more breaches first disclosed by hackers than by a news service, companies that monitor the news for their own or their suppliers' compromise would be better served by monitoring the dark web.
Ransomware, being data leaked by hackers when a victim refuses to pay the ransom (988).
This is not a count of successful ransomware attacks, only of victims whose data was published after they refused to pay, so it is a floor on the number of double extortion attacks. The first such leak in the dataset appeared in April 2020, and the count had grown to almost 1,000 by January 1, 2021. The implication is that double extortion ransomware attacks are increasing and will likely continue to increase through 2021 and beyond.
Defacement, where a website has been breached and content changed by the hacker as proof (2,243).
Website defacements have long been popular with hacktivists wishing to make a point ‒ usually political and/or ethical. A decade ago they were commonplace, but seemed to lose popularity in recent years. However, according to HackNotice they began to increase again in July 2019, and then dramatically from April 2020. This is perhaps not surprising given the tumultuous state of geopolitics in recent years.
Whether this continues is hard to predict, but it will most likely track the state of national and international geopolitics. Companies working in politically or ethically sensitive areas should take extra care to protect their websites from defacement.
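As an added example, not code from the article or from HackNotice, here is the kind of scheduled defacement check a site owner can run against a content baseline. It hashes each page after stripping fragments that legitimately vary between requests (CSRF tokens, cache-busting asset versions, timestamps), so routine churn does not raise alerts; pages whose content changed are then screened for phrases typical of defacement notices, and missing or unexpected pages are reported. The URLs, page contents and volatile-content patterns are constructed for the illustration, and fetching the live pages is left to the caller.

```python
import hashlib
import re

# Fragments that legitimately differ between requests and must not trigger an
# alert. These patterns are assumptions about a hypothetical site's templates.
VOLATILE = [
    re.compile(r'name="csrf_token"\s+value="[^"]*"', re.I),
    re.compile(r"\?v=[0-9a-f]+"),                               # cache-busting asset versions
    re.compile(r"\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z?\b"),    # ISO timestamps
]

# Phrases common on defacement pages. Only consulted for pages whose content
# changed, so a legitimate article quoting "hacked by" in the baseline is not flagged.
DEFACEMENT_SIGNS = re.compile(r"\b(hacked by|owned by|defaced by|we are anonymous)\b", re.I)


def normalize(html):
    """Strip volatile fragments and collapse whitespace before hashing."""
    for pat in VOLATILE:
        html = pat.sub("", html)
    return re.sub(r"\s+", " ", html).strip()


def fingerprint(html):
    """SHA-256 of the normalized page, the value stored in the baseline."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def build_baseline(pages):
    """pages: {url: html} captured from a known-good deployment."""
    return {url: fingerprint(html) for url, html in pages.items()}


def check_site(baseline, live):
    """Compare live pages ({url: html}) with the baseline. Verdicts per URL:
    ok, changed (hash mismatch, needs review), defaced (changed and carries a
    defacement phrase), missing (baseline URL not served), unexpected (not in baseline)."""
    verdicts = {}
    for url, expected in baseline.items():
        html = live.get(url)
        if html is None:
            verdicts[url] = "missing"
        elif fingerprint(html) != expected:
            verdicts[url] = "defaced" if DEFACEMENT_SIGNS.search(html) else "changed"
        else:
            verdicts[url] = "ok"
    for url in live:
        if url not in baseline:
            verdicts[url] = "unexpected"
    return verdicts


# Constructed sample pages for a fictional site.
BASELINE_PAGES = {
    "/": ('<html><body><h1>Acme</h1>'
          '<input name="csrf_token" value="abc123">'
          '<script src="/app.js?v=1a2b"></script>'
          '<p>Updated 2020-04-20T10:00:00Z</p></body></html>'),
    "/about": "<html><body><p>About Acme</p></body></html>",
    "/contact": "<html><body><p>Contact us</p></body></html>",
    "/login": "<html><body><form>...</form></body></html>",
}

LIVE_PAGES = {
    "/": ('<html><body><h1>Acme</h1>'
          '<input name="csrf_token" value="zz9987">'
          '<script src="/app.js?v=3c4d"></script>'
          '<p>Updated 2020-04-21T11:05:00Z</p></body></html>'),
    "/about": "<html><body><h1>Hacked by FreedomCrew</h1></body></html>",
    "/contact": "<html><body><p>Contact us at 555-0100</p></body></html>",
    "/new": "<html><body><p>Never seen before</p></body></html>",
}

if __name__ == "__main__":
    for url, verdict in sorted(check_site(build_baseline(BASELINE_PAGES), LIVE_PAGES).items()):
        print(f"{url}: {verdict}")
```

Run from a host outside the web tier so that a compromised server cannot also tamper with the baseline, and rebuild the baseline as part of every legitimate deployment rather than by hand.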
Official disclosure, where a breach was reported to a regulator and published, such as state-level DOJ websites and the US Department of Health and Human Services (HHS) (9,131).
The interesting point here is the relatively small share of breaches, around 13.5% of the total, that are reported through official channels, down from 25% at the beginning of the period analyzed.
HackNotice, a startup headquartered in Austin, Texas, was founded in 2018. CEO and co-founder Steve Thomas told SecurityWeek, “We collect hack notices (data breaches, defacements, ransomware, etc.) from hundreds of sources, scraping official data breach disclosure sites, ransomware disclosure sites, APIs, twitter accounts and hashtags throughout the day. All those events go into a queue, where each one is reviewed by a security researcher. We remove all the noise, identify the companies being broken into, and add those events to our system. We use machine learning to analyze each event’s disclosure statement to identify what data was exposed.”
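The pipeline Thomas describes, as an added example that is not HackNotice's code: notices from the five source types listed above are de-duplicated per company, the earliest notice is recorded as the first disclosure (the basis for the comparison of which sources disclose first), the categories of exposed data are pulled from each disclosure statement, and the lag between the first notice and any later official disclosure is measured. A keyword heuristic stands in for the machine-learning step the company uses, and the companies, dates and statements are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
import re

SOURCE_TYPES = ("leak", "news", "ransomware", "defacement", "official")

# Keyword heuristic standing in for the ML classifier the company describes.
# The categories and patterns are illustrative assumptions, not HackNotice's.
DATA_PATTERNS = {
    "ssn": re.compile(r"\b(social security|ssn)\b", re.I),
    "payment_card": re.compile(r"\b(credit card|debit card|card numbers?|cvv)\b", re.I),
    "credentials": re.compile(r"\b(passwords?|password hashes|credentials)\b", re.I),
    "email": re.compile(r"\be-?mail addresses?\b", re.I),
    "medical": re.compile(r"\b(medical|health|patient)\b", re.I),
    "dob": re.compile(r"\b(dates? of birth|dob)\b", re.I),
}


@dataclass(frozen=True)
class Notice:
    company: str
    source_type: str   # one of SOURCE_TYPES
    seen: date         # day the notice was collected
    statement: str     # disclosure text as scraped

    def __post_init__(self):
        if self.source_type not in SOURCE_TYPES:
            raise ValueError(f"unknown source type: {self.source_type}")


def exposed_data(statement):
    """Data categories mentioned in a disclosure statement."""
    return {cat for cat, pat in DATA_PATTERNS.items() if pat.search(statement)}


def dedupe(notices):
    """Collapse notices per company. Returns (first notice by company, merged
    exposed-data categories by company): the earliest notice is the first
    disclosure, and categories are the union over all notices for that company."""
    first, data = {}, {}
    for n in notices:
        key = n.company.strip().lower()
        data.setdefault(key, set()).update(exposed_data(n.statement))
        if key not in first or n.seen < first[key].seen:
            first[key] = n
    return first, data


def first_disclosure_share(first):
    """Fraction of companies whose first notice came from each source type."""
    counts = Counter(n.source_type for n in first.values())
    total = sum(counts.values())
    return {s: counts[s] / total for s in SOURCE_TYPES} if total else {}


def official_lag_days(notices):
    """Days between the first (non-official) notice and the earliest official
    disclosure, for companies that eventually filed one."""
    first, _ = dedupe(notices)
    official = {}
    for n in notices:
        key = n.company.strip().lower()
        if n.source_type == "official" and (key not in official or n.seen < official[key]):
            official[key] = n.seen
    return {k: (d - first[k].seen).days
            for k, d in official.items() if first[k].source_type != "official"}


# Constructed sample notices (fictional companies and statements).
SAMPLE = [
    Notice("Acme Corp", "leak", date(2020, 5, 1),
           "Database dump with email addresses and password hashes posted to a forum"),
    Notice("Acme Corp", "news", date(2020, 5, 3),
           "Acme Corp confirms breach of customer email addresses"),
    Notice("Acme Corp", "official", date(2020, 6, 10),
           "Notice to state AG: names, email addresses and Social Security numbers exposed"),
    Notice("Beta Health", "ransomware", date(2020, 7, 15),
           "Gang publishes patient records and dates of birth after ransom refused"),
    Notice("Beta Health", "official", date(2020, 8, 20),
           "HHS notification: protected health information of 12,000 patients"),
    Notice("Gamma LLC", "official", date(2020, 3, 2),
           "Credit card numbers exposed, reported to state DOJ"),
    Notice("Delta Web", "defacement", date(2020, 4, 20),
           "Homepage replaced with a hacktivist message"),
    Notice("Delta Web", "news", date(2020, 4, 21),
           "Delta Web site defaced overnight"),
]

if __name__ == "__main__":
    first, data = dedupe(SAMPLE)
    for company, n in sorted(first.items()):
        print(f"{company}: first via {n.source_type} on {n.seen}, exposed={sorted(data[company])}")
    print("first-disclosure share:", first_disclosure_share(first))
    print("days until official notice:", official_lag_days(SAMPLE))
```

On the sample data the official notices arrive 40 and 36 days after the first leak or ransomware post, which is the effect the article's figures describe: by the time a regulator publishes, the breach has usually already been disclosed elsewhere.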
Two elements of the new analysis of breaches occurring in 2018 to 2020 are particularly interesting: the steady growth in hacker successes and the decline in the percentage of breaches disclosed through official channels.
In 2018, HackNotice discovered 29,562 reported breaches. By December 2019, the cumulative total had risen to 44,863, a 51.7% increase over the year. By December 2020, it had risen to 67,529, a 50.5% increase over the year. In absolute terms, the year-on-year additions were 15,301 in 2019 and 22,666 in 2020.
The obvious question is why hackers have become more successful at a time of rising security budgets and more, and supposedly better, security products.
Thomas believes it is because companies concentrate defenses in the wrong areas. “Hackers are winning the cyberwar,” he said, “largely because they don’t target the infrastructure, but they target people. Phishing, credential stuffing, account takeover of personal accounts to get into business accounts… All the major attack vectors rely on the fact that average employees are not informed as to how exposed they are, and they value security much less than the security team does.”
Other security experts have similar views. Josh Angell, application security consultant at Falls Church, Virginia-based nVisium, suggests, “Human error still accounts for the vast majority of breaches, making tools and secure coding practices obsolete if the people who maintain these networks and systems, and have access to company emails and sensitive client data, are not compliant with industry best practices.”
“Several factors play into the increase in breaches,” explains Brandon Hoffman, CISO at San Jose, Calif.-based Netenrich. “Some of it is indeed related to the ingenuity of the adversary but much of it seems related to the deviation from foundational security. Security tooling has advanced significantly yet the focus of security as a discipline seems to be more on the use of advanced tooling. The challenge this creates is time and resources.”
Alec Alvarado, threat intelligence team lead at San Francisco-based Digital Shadows, summarizes this viewpoint, “The bad guys are winning the war simply because they are sticking to ways that work and have proven effective. The most robust security team with the most extensive cybersecurity practices and a multi-million dollar cybersecurity budget will fail with the single click of a well-crafted phishing email or a weak password.”
The implication is clear. Whatever ingenuity attackers show, their main vectors remain phishing, weak or reused passwords and account takeover, and defenders are perhaps spending too much time and effort on shiny new tools rather than getting the basics of security right.
The second notable discovery from the HackNotice research is the decline in the number of breaches that are disclosed through official channels. This seems surprising considering the growing number of national and international breach notification laws that now exist. HackNotice CEO Thomas puts the apparent anomaly down to the number of state breach laws that allow 30 days or more before notification is required.
“There is no federal breach notification law in the US, so you have to go by the states,” he told SecurityWeek. “However, each state writes its law differently and the laws allow the breached company 30 days or even more before they have to disclose. News outlets, ransomware and defacement gangs end up disclosing before the official notice, so we are seeing market share being taken away from official disclosures.”
Delaying breach disclosure until the last possible moment almost seems like gaming the system. Netenrich’s Hoffman agrees with this. “We, the security industry, also suspect there is in fact flouting of the notification law or that the notification period is being abused to the maximum extent possible to provide a rosier picture for investors and the public,” he said. “To phrase it differently if an organization is breached and their notification window by law is 90 days, they will not announce it until they have used 89 days to perform maximum triage and cleanup effort so that when they do announce they can claim it has all been addressed.”
“Breach notification laws do not guarantee that companies will be willing to sacrifice investor confidence or risk lawsuits to disclose a breach every time there is one,” adds nVisium’s Angell.
Digital Shadows’ Alvarado has an interesting addendum to this. He accepts that current notification laws give companies wiggle room to avoid damage to stock value and brand image, but adds, “We often hear of a company announcing that ‘there was a cybersecurity incident, but there was no indication that data was exfiltrated.’ This should raise eyebrows for most as it does not fit the typical motive of a threat actor to sit on a network and not pull data or find a way to monetize on that access.” It may be that whenever we hear ‘incident’ we should automatically suspect ‘probable breach’.
The HackNotice analysis of more than 60,000 breaches over the last three years provides extensive data on where things are going wrong and highlights the trends likely to continue. Importantly, it shows that the criminals are winning. At least a partial remedy is for companies to get basic security right rather than just throwing money at the newest and shiniest product.
It also shows that organizations which need to know what is happening will get a more accurate and earlier picture by monitoring the dark web through threat intelligence than by monitoring news feeds. And it shows that current breach notification laws are not truly fit for purpose.