What do Target, AOL, LivingSocial, Evernote, and Adobe have in common with one another? Answer: they were all victims of huge data breaches during 2013, part of a phenomenon that a new Symantec report calculates has reached epidemic levels.
According to the firm's latest Internet Security Threat Report (ISTR), such 'mega' breaches are only the best-known examples of a spike nobody saw coming after a quiet 2012.
That last year was a record year for data breaches has been apparent for some time, but the scale of the rise revealed in the numbers is still extraordinary. Whichever measurement is used, what happened was bad, nay appalling: the number of breaches hit a record 258, a 62 percent rise over 2012.
Those breaches exposed 552 million identities, including eight incidents that each exposed more than 10 million. This compares with the previous high point for data breaches, 2011, which saw 208 breaches exposing 232 million records.
The first uncomfortable fact is this: these are only the ones we know about. Almost all the names on the top ten list are US-based, which does not mean breaches haven't been happening everywhere else too; it more likely reflects where they get disclosed.
The second uncomfortable fact is this: 552 million breached records means that, even after excluding duplicates, the criminal underworld now probably knows not just the email addresses of approaching half a billion people but in many cases their names, home addresses and perhaps even social security numbers. And this is only one year's total.
“One mega breach can be worth 50 smaller attacks. While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better,” said Symantec Security Response director, Kevin Haley.
“Nothing breeds success like success – especially if you’re a cybercriminal,” said Haley. “The potential for huge paydays means large-scale attacks are here to stay. Companies of all sizes need to re-examine, re-think and possibly re-architect their security posture.”
Arguably, Haley is wide of the mark on the idea that size necessarily equals significance. While the number and size of breaches are definitely worth paying attention to, even tiny breaches can cause huge trouble if the data is sensitive enough. Just ask the 10,000 women whose records were breached after contacting the UK's British Pregnancy Advisory Service for abortion advice.
The hacker accused of that attack threatened to reveal these names and was only stopped from doing so after intervention by the police.
So why was 2013 so bad after a drop in breaches the year before? There is still no convincing explanation for that, although Symantec believes it was the end result of greater organisation and planning by cyber-criminals. The previous breach wave of 2011 was driven by the low-hanging fruit of poorly-secured databases; the 2013 attacks used far more organised techniques and intelligence to find the weak spots in enterprises that had tightened some of the easier ways in.
These 'ways in' turn out to include partners, associates and third parties, many of whom have remote access rights to larger enterprises without themselves having good security; Target's own breach is the best-known case, having begun with network credentials stolen from a third-party heating and air-conditioning contractor. Symantec reckons that two of the most targeted professions are personal assistants and PR people, two groups seen as easy-to-penetrate stepping stones to more valuable targets.
Given the number of attacks on the media by groups such as the Syrian Electronic Army, one could also add journalists to that list, even if those attacks are motivated more by ideology than by data theft. The figures for 2014 will be interesting. Was last year an anomaly or a marker for what is now inevitable?