Data Breach Statistics from 2018 and Predictions for 2019: how our predictions for 2018 turned out, and what you can do in 2019 to avoid a data breach.
Morey Haber, CEO of BeyondTrust, said, “There are three jobs in this world where you can be completely wrong all of the time and still not worry about being fired. One is a parent, one is a weather forecaster, and the other is a technology trends forecaster.”
True? Yes; 80% of payment-card-related investigations we did last year were of e-commerce data breaches. Interestingly, this was almost the complete inversion of about 4 years ago, when around 80% of our payment-card-related investigations were for point-of-sale merchants.
Prediction: “Smaller merchant breaches will come under greater scrutiny.” This prediction stemmed from the industry’s change some years ago, when the card brands softened their mandates so as not to overly burden small merchants with the high costs of a full forensic investigation. Prior to that change, virtually every merchant suspected of having a data breach was required to have a forensic investigation, but the high costs of the investigation, coupled with the potential of fines from the card brands and credit card issuing banks, forced some small merchants out of business.
In response, the card brands established thresholds for card accounts at risk that needed to be exceeded before they would require a PCI forensic investigation. The result is that small merchant breaches sometimes do not make it onto the radar and can linger, losing credit card account data for longer periods. In other cases, the merchant might be advised that there is a suspected data breach, but does not always self-investigate and remediate the problems as it should. Some breaches of small merchants therefore persist until a sufficient number of credit card accounts are stolen (a much larger problem than if it had been addressed when first noticed), and so the pendulum may be heading back the other direction.
True? Yes; we are seeing a trend of smaller merchants not self-remediating the way they should, so now card brands and acquiring banks are requiring more proof that the merchants performed a data breach investigation.
True? Not yet. I believe attacks against individuals are going to pick up steam. In 2018 we saw one significant case that started with the breach of a cell phone, migrated to the spouse’s cell phone, then to the owner’s laptop, and from there to his company, resulting in the theft of employee W-2 information and the diversion of payments from patients to the attacker. While this case illustrates the problem I was predicting, we did not see the significant increase in cell-phone-based attacks that we predicted.
True? Yes and no. Password cracking technology has continued to advance, and has reached the point where, in the hands of a capable hacker with ample resources, virtually no password is safe. But, for now, the resources required to crack exceptionally complex passwords are still too onerous for most hackers. Practices like multi-factor authentication (an authorization token, an emailed or texted code, biometric data, etc.) are helping to fortify password security. If you follow good password security tips and enable multi-factor authentication, passwords can still provide protection for your accounts.
Hackers might use stolen credit card data to make their own personal online purchases. They may also sell payment or personal information on the dark web for anywhere from $2 to $200 per record.
Interestingly, healthcare data is worth much more than credit card data. That’s because the personal information found in healthcare files can be used to create a social security card or to fake an entire identity.
In the ransomware realm, hackers might sell their methods, including steps and an easy-to-use blueprint, on top of the possibility of a monetary ransom.
Last year’s attacks were more targeted than ever.
Hackers are willing to do their homework and go after a specific organization because they know the added work will make the payday larger. We are seeing that attackers will perform social engineering attacks and study everything they can about a business so they can craft legitimate-looking emails, with the hope of landing a bigger payday in the end.
In 2017 ransomware was the most prevalent attack, especially in the healthcare environment, where nearly 60% of attacks involved ransomware. In 2018, there was a 30% decrease in total ransomware attacks, moving it to the sixth most popular attack method. The fifth spot was taken by crypto mining, which has also fallen in popularity.
But even though the number of ransomware attacks decreased, we did see that the individual attacks were more sophisticated. Successful attacks showed increased scrutiny in targeting their victims. The victims were most often healthcare organizations, followed by businesses, and then the public sector (city or state governments). Attackers recognize that these types of entities can’t afford to be inoperable for very long and have the ability to pay a high ransom in the short term.
Businesses like Allscripts, LabCorp, and Boeing were examples of successfully attacked entities last year. The cities of Atlanta and Baltimore also experienced ransomware attacks. The ransomware used in these cases was sophisticated and usually polymorphic (meaning it changed slightly each time it was uploaded, in order to evade discovery). According to Sophos, 75% of organizations infected with ransomware were running up-to-date endpoint protection at the time.
Why does ransomware continue to hang on? Although many organizations are refusing to pay, some still pay sums reaching into the tens of thousands (and more). So, this is a trend not likely to go away anytime soon.
Service providers include point-of-sale (POS) terminal providers, payment application providers, credit card processors, and industry application vendors.
Successful attacks against service providers actually doubled from 2017 to 2018. These attacks are particularly dangerous because the potential impact reaches numerous other businesses. In one case, a credit card processor self-discovered a breach soon after it happened, but in the short time the service provider was breached, about 150 of their merchant clients were also breached.
In another case, an industry application vendor that provides a web interface for a specialized type of business that allowed customers to place orders suffered a breach that resulted in malware infection of over 450 separate merchants.
These are the types of specialized attacks that criminals are specifically targeting and willing to put extra time and effort into, because they know the payoff will be worth it.
We investigated an attack on a POS hardware and software provider. In this case, an employee’s credentials were stolen, and the attacker then monitored the service provider’s systems for the remote access needed to log in to the entire client database. As soon as the attacker was in, they downloaded malware to capture credit card information.
About 250 businesses in the service provider’s portfolio were affected. Luckily, most of these businesses were already using point-to-point encryption (P2PE) technology. Our tests validated that all of the merchants with P2PE solutions did not suffer any data loss. It was only the few without P2PE technology that lost customers’ credit card data.
This case emphasized the importance and value of using P2PE in an electronic payment environment.
Key points of failure:
Many times, your focus is understandably on compliance. You may be dealing with the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). There are times when security and compliance can collide a bit, if your focus is too much on one or the other.
This concept was manifested in the investigation of a large merchant in the hospitality industry with 900+ locations. Because of their size, they were required to have an annual PCI compliance audit by a Qualified Security Assessor (QSA). When the QSA arrived, the merchant told them that, because they now had a P2PE solution, their scope was reduced solely to the card data environment.
The QSA explained that while that was technically true, it’s not good to only assess the card data environment and ignore the surrounding corporate environment. But, the merchant was adamant that the QSA only audit the card data environment.
Later, the merchant suffered a ransomware breach via their corporate network. Their business operations were frozen. Even though they had backups in place, they had never tested how easily they could restore from those backups, and the restore took three days. While no customer credit card data was stolen, the breach cost them hundreds of thousands of dollars in lost revenue.
There seems to be an unending stream of breaches at healthcare organizations. Healthcare organizations often have legacy systems that aren’t regularly updated, which is not always their fault, since these are often embedded systems and updating them isn’t easy. In some cases, if the healthcare IT department were to do so, it might cause problems with how a third-party vendor could support them.
The critical nature of the services provided in the healthcare industry puts it in the sights of attackers.
Healthcare is an essential commodity, which makes it a valuable commodity in the criminal world.
With respect to ransomware, attackers bank on hospitals feeling that they’ll put lives at risk if they can’t access information, so they are more likely to pay the ransom.
There is also a high value to protected health information: hackers can sell or escalate this kind of personal information for a high price.
In one case, someone posed as a service provider for a credit card point-of-sale terminal and called 28 franchise locations. He attempted to persuade onsite managers to inadvertently open a VPN for him so he could install malware.
In all, 20 of the 28 managers asked for further credentials. The bad news is that 8 did not.
Timely patching of vulnerabilities can reduce data breaches. We still investigate breaches caused by failure to patch vulnerabilities that were addressed over two years ago.
Follow best practices and/or your applicable mandate requirements regarding scans and penetration testing. Schedule vulnerability scans regularly and after significant network changes. Penetration tests should be performed yearly and after significant network changes.
The most important steps of log management are monitoring and review. In a recent investigation, a customer with more than 800 locations had been breached for more than 9 months and lost more than one million customer credit cards. As we investigated, we saw that they had file integrity monitoring (FIM) and intrusion detection systems (IDS) that flagged the breach on the very first day it happened, but no one in their organization was watching.
If you have IDS or FIM, make sure that someone has the specific responsibility to review any generated alerts.
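As an added illustration of the point above (example code, not from the original article), this Python script reads a constructed FIM/IDS alert export and reports every alert that nobody has reviewed within an assumed per-severity review SLA. Run against the sample data, it surfaces the day-one alerts that have sat unreviewed for nine months, which is exactly the gap a named alert owner is meant to close.

```python
from datetime import datetime, timedelta

# Constructed FIM/IDS alert export (not real data). Assumed format:
# timestamp|source|severity|message|reviewer   (empty reviewer = never looked at)
SAMPLE_ALERTS = """\
2018-03-01T02:14:07|FIM|high|checksum changed: C:\\POS\\app\\pay.dll|
2018-03-01T02:15:32|IDS|high|new outbound TLS session from POS-17 to unknown host|
2018-03-01T09:00:11|FIM|low|checksum changed: C:\\Windows\\Temp\\update.log|j.doe
2018-11-20T14:05:00|IDS|medium|port scan from 10.0.4.22|
"""

# How long an alert may sit unreviewed before it is escalated (assumed values).
REVIEW_SLA = {"high": timedelta(hours=24), "medium": timedelta(days=3), "low": timedelta(days=7)}


def parse_alerts(text: str) -> list:
    """Turn the pipe-delimited export into dicts with a real datetime."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, severity, message, reviewer = line.split("|", 4)
        alerts.append({"time": datetime.fromisoformat(ts), "source": source,
                       "severity": severity, "message": message, "reviewer": reviewer})
    return alerts


def overdue_alerts(alerts: list, now_iso: str) -> list:
    """Unreviewed alerts past their SLA as (age_in_days, source, message), oldest first."""
    now = datetime.fromisoformat(now_iso)
    overdue = []
    for a in alerts:
        if a["reviewer"]:
            continue  # someone has taken ownership of this alert
        age = now - a["time"]
        if age > REVIEW_SLA[a["severity"]]:
            overdue.append((age.days, a["source"], a["message"]))
    return sorted(overdue, key=lambda t: -t[0])


def review_backlog_report(text: str, now_iso: str) -> str:
    """Human-readable summary suitable for a daily ticket to the named alert owner."""
    overdue = overdue_alerts(parse_alerts(text), now_iso)
    if not overdue:
        return "all alerts reviewed within SLA"
    lines = [f"{len(overdue)} alert(s) unreviewed past SLA; oldest is {overdue[0][0]} days old:"]
    lines += [f"  {days:>4}d  {src:<4} {msg}" for days, src, msg in overdue]
    return "\n".join(lines)
```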
As mentioned earlier, the technology for breaking passwords has increased in sophistication exponentially. Currently, hackers are brute-forcing password hashes. Right now, there’s a highly technical (and very expensive) system in Sweden that can search billions of password hashes per second. The result is that it can potentially discover every possible combination of keyboard characters for any password, in a matter of hours.
Hackers may not be using this technology right now, but do your best to stay ahead of the growing ability to crack passwords. Passwords should be complex and a minimum of 10 characters long. They should contain a mix of letters, numbers and special characters (I prefer plenty of characters like &_{+#^@\>?*) and should not contain any word from any dictionary. You can visit haveibeenpwned.com/passwords to see whether any of your passwords have been captured in a data breach and published.
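As an added example (not part of the original article), the following Python checks a candidate password against the rules above (minimum of 10 characters, mixed character classes, no dictionary words) and shows the k-anonymity lookup that haveibeenpwned.com/passwords uses: only the first five hex characters of the password's SHA-1 leave the client, and the remaining 35 are matched locally against the returned range. The word list and the range response are constructed stand-ins so the block runs offline.

```python
import hashlib
import string

# Constructed stand-in for a real dictionary (assumption: production code
# loads a full word list plus a breached-password list).
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}
MIN_LENGTH = 10  # the article's recommended minimum length


def policy_violations(password: str) -> list:
    """Return the article's rules that the candidate password breaks (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    for word in sorted(DICTIONARY):  # sorted so the report is deterministic
        if word in lowered:  # catches "Summer2019!" as well as the bare word
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


def hibp_split(password: str) -> tuple:
    """Pwned Passwords k-anonymity split: (5-char SHA-1 prefix sent, 35-char suffix kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed excerpt of a range response for prefix 5BAA6 (SUFFIX:COUNT lines).
# The first line is the SHA-1 suffix of "password"; both counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2A3B4C5D6E7F8091A2B3C4D5E6F708192:2
"""


def breach_count(password: str, range_response: str) -> int:
    """Times the password appears in the breach corpus (0 = not in the returned range)."""
    _, suffix = hibp_split(password)
    for line in range_response.splitlines():
        hex_suffix, _, count = line.strip().partition(":")
        if hex_suffix == suffix:
            return int(count)
    return 0
```

In a live check the range text comes from an HTTPS GET of the prefix against the Pwned Passwords range endpoint; the password itself is never transmitted.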
All users need to have unique usernames and passwords, and access to sensitive data should be restricted to only those employees who need access to complete their jobs. Logins and passwords should not be shared.
Employees should not use remote access applications on insecure networks. Multi-factor authentication will help prevent hackers from gaining access.
Isolate networks with different security levels. Use multiple firewalls to create a safe zone for your most sensitive data.
Make sure to encrypt your backups (not with the same key as regular data), then test your backups to see if you can restore your system from them. You might find that it is not as simple as it sounds, so such a delay should be factored into your Incident Response Plan.
Train your employees on your Incident Response Plan, and hold mock-breach incident response tests often (at least annually). This is an opportunity to test your ability to respond to a breach while none of your critical assets are actually at risk. Following the tests, modify and re-train your personnel according to what you learned from the mock exercise.
*Vulnerable: A state in which a weakness in a system, environment, software, or website could be exploited by an attacker.
**Captured: The time that data is being recorded, gathered, or stored from an unauthorized source.
***Exfiltrated: The unauthorized transfer of data from a system.