Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications
  3. Marketing

Data Breach QuickView

Data Breach QuickView
An Executive’s Guide to 2013
Data Breach Trends
Sponsored by:
Risk Based Security
Open Security Foundation
February 2014
The goal of this report is to provide an executive level summary of the key findings from RBS'
analysis of the data breach incidents reported during 2013. Please contact Risk Based Security for the
complete analysis of the 2013 data breaches and any detailed analysis required.
2013 at a Glance …











There were 2,164 incidents reported through December 31, 2013 exposing 822 million records.
A single hacking incident involving Adobe Systems exposed 152 million names, customer IDs, encrypted
passwords, debit or credit card numbers and other information relating to customer orders.
The Business sector accounted for 53.4% of reported incidents, followed by Government (19.3%),
Medical (11.5%), Education (8.2%), and Unknown (7.6%).
The Business sector accounted for 73.9% of the number of records exposed, followed by Unknown at
24.5%.
59.8% of reported incidents were the result of Hacking which accounted for 72.0% of exposed
records.
4.8% of the reported incidents were the result of Web related attacks which accounted 16.9% of
exposed records.
Breaches involving U.S. entities accounted for 48.7% of the incidents and 66.5% of the exposed records.
51.1% of the incidents exposed between one and 1000 records.
Twenty-seven incidents have exposed more than one million records.
Four 2013 incidents have secured a place on the Top 10 All Time Breach List.
The number of reported exposed records tops 2.5 billion and the number of reported incidents tracked
by Risk Based Security exceeded 11,200.
1 | Data Breach Intelligence
Copyright © 2013 Risk Based Security, Inc. All rights reserved.
Looking Back at the Last Five Years
Number of Incidents
3,500
Exposed Records
900,000,000
3,140
823M
800,000,000
3,000
700,000,000
2,500
2,164
600,000,000
2,000
413M
500,000,000
1,500
778
1,000
951
400,000,000
1,233
300,000,000
200,000,000
500
264M
193M
95M
100,000,000
-
2009
2010
2011
2012
2013
2009
2010
2011
2012
2013
2013 By Industry by Month
2013 Incidents by Industry
300
250
200
150
100
50
0
JAN
FEB
MAR
APR
Business
MAY
Government
JUN
JUL
Medical
AUG
Education
SEP
OCT
NOV
DEC
Unknown
2013 Exposed Records by Industry
100.0%
80.0%
60.0%
40.0%
20.0%
0.0%
JAN
FEB
MAR
Business
2 | Data Breach Intelligence
APR
MAY
Government
JUN
Medical
JUL
AUG
Education
SEP
OCT
NOV
DEC
Unknown
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
2013 Analysis by Breach Type
2013 Incidents by Breach
Type
0
Hacking
Fraud Se
Documents
Web
Stolen Laptop
eMail
Unknown
Snail Mail
Snooping
Skimming
Stolen Computer
Other
500
1000
2013 Records Exposed by
Breach Type
1500
1293
152
122
103
101
69
66
46
44
34
30
104
0.0% 20.0% 40.0% 60.0% 80.0%
Hacking
72.0%
Web
16.9%
Government Seizure
7.3%
FraudSe
1.2%
Unknown
1.2%
Other
1.4%
Analysis by Threat Vector – A Deeper look at the Insider Threat
2013 Incidents by Threat Vector
InsideMalicious
9.4%
InsideAccidental
11.4%
Outside
71.2%
InsideUnknown
4.2%
71.2% of incidents
involved outside the
organization activity.
Unknown
3.8%
96.8% of exposed records involved
outside the organization activity.
3 | Data Breach Intelligence
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
All Time Incidents by Threat
Vector
A review of all reported
incidents shows a total of
31.3% of all incidents are
attributable to insider
activity vs. 2013’s 25.0%.
InsideMalicious
9.4%
Outside
63.2%
InsideAccidental
17.1%
InsideUnknown
4.8%
Unknown
5.5%
Percentage of Incidents by Threat Vector by Year
90.0%
80.0%
70.0%
60.0%
50.0%
40.0%
30.0%
20.0%
10.0%
0.0%
2006
Unknown
2007
2008
Insider - Malicious
2009
Outside
2010
2011
2012
Insider - Accidental
Insider-Unknown
Average Number of Records Exposed
per Incident by Vector by Year
A single incident exposed
the personal information
of 150 million customers
through Insider Fraud.
800,000
700,000
600,000
500,000
400,000
300,000
200,000
100,000
0
2006
Unknown
2007
2008
Insider - Malicious
4 | Data Breach Intelligence
2009
Outside
2010
2011
Insider - Accidental
2013
2012
2013
Insider-Unknown
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
Records Exposed by Threat Vector:
All Time
0
500
1000
Millions
1500
2000
Just 18.9% of the total
exposed records are the
result of Insider activity.
Inside-Unknown
Unknown
Inside-Accidental
Inside-Malicious
Outside
The Risk from Insiders
Much has been written about the prevalence and severity of the insider threat. The trusted user - the
person with access to systems and data - is often described as one of the most significant risks to the
security of sensitive information. But how substantial is the insider threat and what are the most
common breach methods deployed by the insider? A closer look at breaches over time reveals the risk
from the insider threat is not nearly as significant as attacks from the outside.
A review of insider breaches reveals that an accidental release of information occurs almost twice as
often as an intentional data compromise. [9.4% Malicious vs. 17.1% Accidental] An analysis of 3515
insider incidents revealed that malicious activity accounted for only 30.2% of all incidents.
Malicious Incidents by Breach Type:
All Time
3.7%
Fraud/SE
Snooping
4.5%
Stolen Document
4.8%
Hacking
Stolen Device
Unknown
Web
80.0%
Fraud/Social
Engineering is
overwhelmingly
the mode of
choice for
inside malicious
actor.
Skimming
Other
E-mail
5 | Data Breach Intelligence
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
A review of breach type in insider incidents also yields interesting results. Accidental data loss due to
activities such as errant website postings, careless equipment disposal or poor equipment management
accounted for 63.6% of insider incidents.
Inside- Accidental Incidents by Breach
Type: All Time
4.0% 1.6%
Improper Equipment Disposal
13.4%
14.7%
Lost/Missing Equipment
Web
16.7%
SnailMail/Fax
16.1%
E-mail
Unknown
33.5%
Other
2013 Analysis by Data Family
Percentage of Total
Incidents
2013
87.2%
9.3%
3.2%
.03%
Data Family
Electronic
Physical
Other
Unknown
Percentage of Total
Lost Records
2013
99.9%
<0.1%
<0.1%
< 0.1%
Nearly 90% of all incidents
involved electronic data and
nearly 100% of the exposed
records were in electronic form.
2013 Analysis by Data Type
2013 Incidents by Data Type Exposed
Credit Card Number
Date of Birth
Medical
Phone Number
Misc.
SSN
Address
User Name
eMail
Name
Password
0.0%
10.4%
12.2%
13.3%
13.3%
15.6%
18.5%
18.7%
37.4%
39.0%
41.4%
47.8%
10.0%
6 | Data Breach Intelligence
20.0%
30.0%
40.0%
50.0%
60.0%
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
2013 Analysis by Industry Sub Type
2013 Incidents by Industry Sector
Other
12.4%
County Govt.
1.9%
State Govt.
2.9%
Media
3.6%
Service Providers
5.0%
Financial
5.3%
Organizations
5.4%
Universities
5.5%
Retail
7.0%
Medical/Hospitals
7.5%
Unknown
7.6%
Federal Govt.
8.3%
Technology
8.8%
Business
18.8%
0%
2%
4%
6%
8%
10%
12%
14%
16%
18%
20%
2013 Exposed Records by Industry Sector
Others
1.0%
Universities
0.4%
Medical
0.6%
Data
1.2%
Business
8.0%
Retail
14.2%
Unknown
24.5%
Technology
50.2%
0%
10%
20%
30%
40%
50%
60%
A single hacking incident involving Adobe Systems exposed 152
million customer names, IDs, encrypted passwords, debit or credit
card numbers and other information relating to customer orders.
7 | Data Breach Intelligence
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
2013 Analysis of Records per Incident
Exposed Records
Unknown
< 1,000
< 10,000
< 100,000
< 500,000
< 1,000,000
< 10,000,000
> 10,000,000
Number of
Incidents
571
1677
1991
2104
2129
2138
2153
11
Percent of
Total
26.4%
77.5%
92.0%
97.2%
98.4%
98.8%
99.5%
0.5%
51.1% of incidents
exposed between 1 and
1,000 records.
Exposed Records
The number of exposed
records was reported as
“Unknown” in 26.4% of
the 2013 incidents.
1 - 1,000
1,001 - 10,000
10,001 - 100,000
100,001 - 500,000
500,001 - 1,000,000
1,000,001 - 10,000,000
Number of
Incidents
1106
314
113
25
9
11
Percent of Total
51.1%
14.5%
5.2%
1.2%
0.4%
.7%
Incidents by Records Exposed
90%
Percent of Total Incidents
80%
Unknown
70%
1 < 100
60%
1 < 1,000
50%
1 < 10,000
40%
1 < 100,000
30%
1 < 1.0M
20%
> 1.0M
10%
> 10.0M
0%
2008
2009
8 | Data Breach Intelligence
2010
2011
2012
2013
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
2013 Analysis of Breach Types/Records
Breach Type
Fraud/Social Engineering
Hacking
Unknown
Missing/Lost/Stolen Drive
Web
eMail
Government Seizure
Snail Mail
Other
Lost/Stolen/Missing Documents
Stolen Laptop
Stolen Computer
Skimming
Virus
Improper Disposal
Total
Number of
Incidents
Number of Records
Exposed
152
1293
66
30
103
69
1
46
78
62
106
30
34
29
65
2164
102,21,936
592,596,691
9,732,565
764,970
138,648,221
730,924
60,000,000
318,678
234,576
70,508
1,996,320
4,189,553
982
2,680,753
322,886
822,509,563
Average Records per
Incident
67,250
458,311
147,463
25,499
1,346,099
10,593
60,000,000
6,928
3,007
1,137
18,833
139,652
29
92,440
4,967
A single Government seizure of computers accounted for 60 million records
Web related breaches accounted for the 2nd highest records/incident average
Hacking was #3 in records/incident and #1 in percentage of records exposed
Breach Type
Fraud/Social Engineering
Hacking
Unknown
Missing/Lost/Stolen Drive
Web
eMail
Government Seizure
Snail Mail
Other
Lost/Stolen/Missing Documents
Stolen Laptop
Stolen Computer
Skimming
Virus
Improper Disposal
Total
9 | Data Breach Intelligence
Number of
Incidents
152
1293
66
30
103
69
1
46
78
62
106
30
34
29
65
2164
Percent of Total
Incidents
Number of Records
Exposed
7.02%
59.75%
3.05%
1.39%
4.76%
3.19%
0.05%
2.13%
3.60%
2.87%
4.90%
1.39%
1.57%
1.34%
3.00%
100.00%
102,21,936
592,596,691
9,732,565
764,970
138,648,221
730,924
60,000,000
318,678
234,576
70,508
1,996,320
4,189,553
982
2,680,753
322,886
822,509,563
Percent of Total
Records Exposed
1.24%
72.05%
1.18%
0.09%
16.86%
0.09%
7.29%
0.04%
0.03%
0.01%
0.24%
0.51%
0.00%
0.33%
0.04%
100.00%
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
2013 Analysis by Country
2013 Incidents by
Location
2013 Exposed Records by
Location
Unknown
0.3%
Unknown
12.4%
Other
33.2%
USA
45.5%
Other
42.1%
Incidents
Ranking
1
2
3
4
5
6
7
8
9
10
USA
66.5%
Number of
Incidents
1054
120
58
50
44
35
30
29
29
23
USA and
South Korea
account for
83.6% of
records.
Country
United States
United Kingdom
Canada
India
Brazil
Germany
Australia
Italy
France
New Zealand
Exposed
Records
Ranking
1
2
3
4
5
6
7
8
9
10
10 | Data Breach Intelligence
Percentage of
Incidents
48.7%
5.5%
2.7%
2.3%
2.0%
1.6%
1.4%
1.3%
1.3%
1.1%
Country
United States
South Korea
Australia
Sweden
Japan
China
United
Kingdom
Taiwan
Germany
Canada
USA and UK
account for
54.2% of
incidents.
Total Exposed
Records
546,846,693
140,238,121
42,672,848
29,000,002
22,162,392
12,012,056
Percentage
of Exposed
Records
66.5%
17.1%
5.2%
3.5%
2.7%
1.5%
11,669,949
6,468,738
2,101,718
1,564,966
1.4%
0.8%
0.3%
0.2%
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
2013 Analysis of US State Rankings
2013 Incidents by US State - Top 10
Maryland
Pennsylvania
Massachusetts
Arizona
Illinois
Georgia
Texas
New York
Florida
California
27
28
35
35
37
41
48
79
82
145
-
Rank
1
2
3
4
5
6
7
8
9
10
20
40
60
State
California
Minnesota
District of Columbia
Illinois
Missouri
Virginia
Arizona
New Jersey
New York
Texas
80
100
120
140
160
Records Exposed
369,950,860
110,019,930
51,307,302
4,054,585
3,274,162
2,282,211
1,954,834
789,734
660,094
375,796
USA 2013 Incidents Heat Map
Legend
> 100
51 - 99
26 - 50
11 - 25
0 - 10
11 | Data Breach Intelligence
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
Repeat Offenders
2013 Review: 260 Organizations were repeat offenders in 2013
In the seemingly endless onslaught of breach disclosures in 2013, some stories had a more familiar ring
than others. Not because it was another successful hacking event or a string of victims left in the wake of
the latest malware. Rather, the organizations involved were reporting their second, third or fourth
breach. In fact, 260, or roughly 12%, of the breaches disclosed in 2013 represented a subsequent incident
for the impacted organization. Sixty organizations reported multiple incidents during 2013.
2006 – 2013 Review: Twenty-eight Organizations reported 10 or more incidents
More than two dozen organizations have experienced ten or more breaches, with one organization
suffering 48 events in the past 8 years. Interestingly, only six industry sectors were represented among
the 28 organizations: Data Brokers, Federal Agencies, Universities, Financial Institutions, Tech Firms and
one integrated managed care consortium.
A wider review of all industries reveals the following five industry sectors as having organizations more
likely to experience multiple incidents.
Top 5 Industry Sectors Experiencing Muliple Breaches
Hospitals
Technology Service Providers
180
212
314
Federal Agencies
391
Financial Services
565
Universities
Number of Repeat Incidents
Hacking stands out as a leading breach type in the multiple incident dataset.
Breach Types for Organizations Experiencing
Mulitple Incidents: 2006 -2013
Stolen Document
Improper Document Disposal
Stolen Computer
E-mail Disclosure
Unknown
Improper Mailing
Web-based Disclosure
Stolen Laptop
Fraud/Social Engineering
Hacking
12 | Data Breach Intelligence
82
96
100
125
131
148
308
319
373
776
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
Top 10 Incidents All Time
Breach
Reported
Date
Highest All
Time
10/3/2013
Number 2
3/17/2012
Number 3
6/8/2013
Number 4
1/20/2009
Number 5
12/18/2013
Number 6
1/17/2007
Number 7
6/1/1984
Number 8
7/16/2008
Number 9
4/26/2011
Number 10
3/13/2013
Summary
Hack of company systems exposed
customer names, IDs, encrypted
passwords and debit/credit card
numbers with expiration dates,
source code and other information
relating to customer orders
Firm may have illegally bought and
sold customers' information
North Korean Hackers expose email
addresses and identification numbers
Hack/Malicious Software exposes
credit cards at processor
Hack exposed customer names,
addresses, phone numbers, email
addresses, as well as credit/debit card
numbers with expiration dates, PINs
and CVV numbers
Hack exposes credit cards and
transaction details
Hack exposes credit-reporting
database
Glitch during testing new design
exposed users' birth dates
Hack exposes names, addresses, email
addresses, birthdates, PlayStation
Network/ Qriocity passwords and
logins, PSN online ID, profile data,
purchase history and possibly credit
card numbers
A flaw in the site’s API exposed users'
email addresses
13 | Data Breach Intelligence
Records
Exposed
Organization’s
Name
IndustrySector
Breach
Location
152
Million
Adobe Systems,
Inc.
Business Technology
United
States
150
Million
Shanghai
Roadway D&B
Marketing
Services Co. Ltd
Business Data
China
140
Million
Unknown
Organizations
Unknown
South
Korea
130
Million
Heartland
Payment Systems
Business Finance
United
States
110
Million
Target Brands, Inc.
Business Retail
United
States
Business Retail
Business Data
BusinessTechnology
United
States
United
States
United
States
94
Million
90
Million
80
Million
TJX Companies
Inc.
TRW
Facebook, Inc.
77
Million
Sony Corporation
Business Retail
United
States
70
Million
Pinterest
BusinessTechnology
United
States
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
Methodology & Terms
Risk Based Security’s proprietary application crawls the Internet 24x7 to capture and aggregate data breach
incidents for our researchers to analyze. In addition, our researchers, in partnership with the Open Security
Foundation, manually scour news feeds, blogs, and other websites looking for new data breaches as well as
past breaches that requiring updating. The database also includes information obtained through Freedom of
Information Act (FOIA) requests to obtain breach notification documents as a result of state notification
legislation.
Definitions: Primary Industry types/sectors are reported as Business, Educational, Government, Medical and
Unknown.
Each primary industry/sector is further defined by one of the following subtypes: Retail, Financial,
Technology, Medical (Non-Hospital and non Medical Provider), Federal Government, Data
Services/Brokerage, Media, University, Industry, State Government, Not-For-Profit, County Government,
Organization, Hospital, High School, Insurance, City Government, Hotel, Legal, Elementary School,
Educational, Business, Government, Service Provider, and Agriculture.
Data Types: Name, Address, Date of Birth, Email, User Name, Password, Social Security Number, Credit
Card or Debit Card Number, Medical Information, Financial Information, Account Information, Phone
Numbers, Intellectual Property, and Unknown.
Breach Types are defined as follows:
Name
Disposal Computer
Disposal Document
Disposal Drive
Disposal Mobile
Disposal Tape
Email
Fax
Fraud SE
Hack
Lost Computer
Lost Document
Lost Drive
Lost Laptop
Lost Media
Lost Mobile
Lost Tape
Missing Document
Missing Drive
Missing Laptop
Missing Media
Other
Phishing
Seizure
Skimming
Snail Mail
Snooping
Stolen Computer
Stolen Document
Description
Discovery of computers not disposed of properly
Discovery of documents not disposed of properly
Discovery of disk drives not disposed of properly
Discovery of mobile devices not disposed of properly
Discovery of backup tapes not disposed of properly
Email communication exposed to unintended third party
Fax communication exposed to unintended third party
Fraud or scam (usually insider-related), social engineering
Computer-based intrusion
Lost computer (unspecified type in media reports)
Discovery of documents not disposed of properly, not stolen
Lost data drive, unspecified if IDE, SCSI, thumb drive, etc)
Lost laptop (generally specified as a laptop in media reports)
Media (e.g. disks) reported to have been lost by a third party
Lost mobile phone or device such as tablets, etc
Lost backup tapes
Missing document, unknown or disputed whether lost or stolen
Missing drive, unknown or disputed whether lost or stolen
Missing laptop, unknown or disputed whether lost or stolen
Missing media, unknown or disputed whether lost or stolen
Miscellaneous breach type not yet categorized
Masquerading as a trustworthy entity in an electronic communication to obtain data
Forcible taking of property by a government law enforcement official
Using electronic device (skimmer) to swipe victims’ credit/debit card numbers
Personal information in "snail mail" exposed to unintended third party
Exceeding intended privileges and accessing data not authorized to view
Stolen desktop (or unspecified computer type in media reports)
Documents either reported or known to have been stolen by a third party
14 | Data Breach Intelligence
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
Name
Stolen Drive
Stolen Laptop
Stolen Media
Stolen Mobile
Stolen Tape
Unknown
Virus
Web
Description
Stolen data drive, unspecified if IDE, SCSI, thumb drive, etc
Stolen Laptop (generally specified as a laptop in media reports)
Media generally reported or known to have been stolen by a third party
Stolen mobile phone or device such as tablets, etc
Stolen backup tapes
Unknown or unreported breach type
Exposure to personal information via virus or Trojan (possibly classified as hack)
Web-based intrusion, data exposed to the public via search engines, public pages
Risk Based Security, Inc. was established to support organizations with the technology to
turn security data into a competitive advantage. Using interactive dashboards and search
analytics, RBS offers a first of its kind risk identification and security management tool. RBS
further complements the data analytics and vulnerability intelligence with risk-focused
consulting services, to address industry specific information security and compliance
challenges including ISO/IEC 27001:22005 consulting. http://www.riskbasedsecurity.com
The Open Security Foundation runs the DataLossDB research project aimed at
documenting known and reported data breach incidents world-wide as well as OSVDB
project that provides accurate, detailed, current, and unbiased technical information on
security vulnerabilities. http://datalossdb.org/ http://osvdb.org/
http://osvdb.org/
http://www.opensecurityfoundation.org
NO WARRANTY.
Risk Based Security, Inc. and the Open Security Foundation make this report available on an “As-is” basis and offer no warranty as
to its accuracy, completeness or that it includes all the latest data breach incidents. The information contained in this report is
general in nature and should not be used to address specific security issues. Opinions and conclusions presented reflect judgment at
the time of publication and are subject to change without notice. Any use of the information contained in this report is solely at the
risk of the user. Risk Based Security, Inc. and the Open Security Foundation assume no responsibility for errors, omissions, or
damages resulting from the use of or reliance on the information herein. If you have specific security concerns please contact Risk
Based security, Inc. for more detailed data loss analysis and security consulting services.
15 | Data Breach Intelligence
Copyright © 2014 Risk Based Security, Inc. All rights reserved.
Related documents
Community Service Reflective Essay
Community Service Reflective Essay
CS-6 Using Technology and Techno-people to Improve your
CS-6 Using Technology and Techno-people to Improve your
What is a brand?
What is a brand?
Just Culture Safety Survey
Just Culture Safety Survey
Real Problem Description - INST-6870
Real Problem Description - INST-6870
Title of Assignment:
Title of Assignment:
7.1 Safety Records and Statistics Policy
7.1 Safety Records and Statistics Policy
Interested Industry Participant Registration Form
Interested Industry Participant Registration Form
Volunteering Bank Health & Safety Questionnaire
Volunteering Bank Health & Safety Questionnaire
Download