"Broken Record" Contributes To Record Number of Breaches

November 29, 2018|Jason Wittick

Almost every day, a fresh batch of attack incident and breach reports detailing the latest victims of hacking, fraud, incompetence, espionage and apathy seems to dominate tech news.

The total number of attacks and the accumulated volume of affected data are staggering, and 2018 has been no exception.

So far, this year’s round of scammers has been the most prolific, making 2018 an especially bad year for breaches. In late July, accumulated compromised-record totals were estimated at around 4.5 billion. Only seven months into 2018, the running tally had nearly doubled the 2.5 billion annual total for all of 2017. By October, that tally had surpassed 5.7 billion records without slowing down.

Below is a summary and comparison of a few of the larger breaches from the last couple of years:

| Month | 2017 breach | 2017 records | 2018 breach | 2018 records |
|---|---|---|---|---|
| January | Xbox and PSP | 2,500,000 | AADHAAR | 1,100,000,000 |
| February | Bin Weevils | 20,000,000 | Swisscom | 800,000 |
| March | NHS | 26,000,000 | Facebook | 87,000,000 |
| April | Mossack Fonseca | 11,500,000 | Panera Bread | 37,000,000 |
| May | Edmodo | 77,000,000 | Under Armour | 150,000,000 |
| June | Deep Root Analytics | 198,000,000 | Exactis | 340,000,000 |
| July | Kansas Dept of Commerce | 5,500,000 | TimeHop | 21,000,000 |
| August | 'Onliner' spambot | 711,000,000 | T-Mobile | 2,000,000 |
| September | Equifax | 145,500,000 | Facebook | 90,000,000 |
| October | South Africa (Jigsaw Holdings) | 80,000,000 | Apollo | 200,000,000 |
| November | Uber drivers | 57,000,000 | USPS | 60,000,000 |
| December | Ai.type | 31,000,000 | TBD | |

It may seem like attackers have been working around the clock to innovate and invent novel methods and tools to help them keep their advantage and realize such unprecedented success … but that’s simply, and somewhat confusingly, not the case. Not many ‘new’ means for accessing and stealing data have been devised (or discovered) in recent years, and many believe that’s at least partially because hackers and scammers don’t really seem to need them.

As the total number of attacks and compromised record counts steadily increase, users are and will continue to be the same human beings, with the same predictable vulnerabilities that have been taken advantage of and exploited for years. Rather than waste time and effort developing something new, most perpetrators can just keep using greater and greater volumes of the same old tricks and tools to successfully predict, leverage, or manipulate enough human users to make it worth their while.

The largest and most damaging breaches are not happening at under-prepared small to midsize businesses, but at much larger firms and organizations with substantial funds and resources invested in their data security posture. Even so, it’s almost comical that outdated “We’re safe … they can’t get us” attitudes persist in spite of the billions of records being stolen annually, and the trillions of dollars (not including fines, penalties, and lost revenue) that continue being spent in trying to avoid or defend against attack.

We’ve all heard the broken record before: “no-one is safe, and the question is not IF you will be breached, but WHEN you will be breached - assuming, of course, it hasn’t happened already.” For skilled attackers, traditional security is more of a nuisance than a barrier, and it’s become abundantly clear that until they encounter something they haven’t seen before, it makes no difference how much money is spent, how much effort is put out, or how sincere and passionate that effort may be.

The hackers and scammers already know how to defeat outdated and old-fashioned perimeter-focused tools, and neither money nor effort can do anything to stop the onslaught of breaches, so if the standard, sub-standard approach is no longer working … perhaps it’s time to try something new.

What if, once they were inside a network or resource, the attackers had nothing to steal? Created to achieve exactly that goal, DataStealth is a fresh tool in the ongoing battle against data thieves. After deployment, DataStealth appliances affect data such that only authorized users and use cases can make any sense of it. Period.

If the perimeter defenses surrounding a DataStealth-protected resource are breached, any stolen “information” would be useless, worthless, and computationally infeasible for anyone else to decipher or understand. Like breaking into a bank vault that’s either empty or full of concrete, DataStealth goes far beyond mere encryption to nullify inadequate security measures and ensure that assailants and thieves simply cannot steal something that is not there.

DataStealth inspects network traffic, identifies candidate data according to predefined protection policies, extracts said data in real-time, and replaces it with a ‘smart’ placeholder value. The real information can be injected back into a data stream later, but only for authorized users and for authorized use cases.

The DataStealth solution combines privacy, regulatory, compliance and other standards or requirements with a suite of tokenization, de-identification, and encryption options. Data protection policies are flexible, easily configurable, and apply to any and all data passing through a DataStealth appliance.
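A minimal sketch of the inspect, extract, replace and re-inject flow described above, added here as an illustration and not DataStealth's own code. It assumes a policy that targets payment card numbers, an in-memory `TokenVault` class standing in for a hardened token store, and a simple role check; all names and the sample payload are hypothetical.

```python
import re
import secrets

# Assumed policy: 13-19 digit card numbers, optionally split by spaces/dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
TOKEN_RE = re.compile(r"tok_[0-9a-f]{16}_\d{4}")
# Constructed payload: a well-known test card number and a non-card order id.
SAMPLE = '{"card": "4111 1111 1111 1111", "order": "1234567890123456"}'


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid tokenizing look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a hardened token store (hypothetical)."""

    def __init__(self, authorized_roles):
        self._by_token, self._by_value = {}, {}
        self._authorized = set(authorized_roles)

    def _swap(self, match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # not a card number: leave untouched
        if digits not in self._by_value:
            # Random token with no mathematical relation to the real value;
            # this sketch keeps the last four digits for display purposes.
            token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            self._by_value[digits], self._by_token[token] = token, digits
        return self._by_value[digits]

    def protect(self, payload: str) -> str:
        """Replace every policy match with its placeholder token."""
        return PAN_RE.sub(self._swap, payload)

    def reveal(self, payload: str, role: str) -> str:
        """Re-inject real values (digits only) for authorized roles."""
        if role not in self._authorized:
            return payload  # everyone else only ever sees tokens
        return TOKEN_RE.sub(
            lambda m: self._by_token.get(m.group(), m.group()), payload)
```

A copy of the protected payload taken from storage or the wire contains only the random token; the mapping back to the card number lives solely in the vault, which is therefore the component that needs the strongest access control.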
