A total of 878.17 million data records were compromised worldwide in January 2021 alone, more than in the entire 12 months of 2017, setting 2021 on course to be a record-breaker in terms of breach volumes.
That is according to an analysis of thousands of published data breach details by researchers at Imperva in the compilation of a newly published report, Lessons learned from analysing 100 data breaches.
Imperva found that the number and severity of data breaches continues to grow at a startling rate. It revealed that 826.53 million records were compromised in 488 breaches in 2017, with an average number of 1.7 million records per breach. In 2018, 2.34 billion records were compromised in 577 breaches, a 14% increase in breaches and a 183% increase in volume of compromised data.
The year 2019 saw 956 recorded breaches, with the loss of 12.3 billion records, a 72% increase in breaches and a 426% increase in volume of compromised data, while the year 2020 saw 1,120 recorded breaches, with the loss of 20.21 billion records, a 17% increase in breaches and a 64% increase in volume of compromised data. There was a fairly strong correlation between the growth curves for total number of records lost and average number of records lost per breach.
Report author Ofir Shaty, Imperva security analyst technology lead, said it was clear from the trend over the past four-and-a-bit years that the trend was accelerating. “We can estimate that year-over-year we will see around three times more records stolen annually [in 2021],” he wrote.
Shaty predicted that this year will see about 1,500 breach incidents with a total of 40 billion compromised records and an average of 26 million compromised records per breach.
“The constant increase in data breaches is a result of multiple factors,” he wrote. “We are living in a digitalisation era in which more services are consumed on a daily basis with the majority of them online.
“More businesses are migrating to the cloud, which makes them more vulnerable if not done carefully. The increase in the amount of stolen data is the result of similar factors. The amount of data that is out there is enormous, and it is increasing every year.
“Information security adoption is slower than the adoption of digital services that make profit from the addiction to and consumption of the same online services. The increasing number of breaches every year is a result of this gap.”
Shaty added: “2020 was a year with a big impact on digitalisation, with many sectors making a very quick shift into digitalisation to make themselves available through the Covid pandemic. Such a fast, dramatic change is likely to have security implications.”
The report, published in part to coincide with the third anniversary of the introduction of the General Data Protection Regulation (GDPR) in Europe – which fell on Tuesday 25 May 2021 – also contains insight into the types of data compromised.
Imperva found that by far the most frequently stolen type of data was personally identifiable information (PII), which can include data such as full names, gender, age, location, health, religion and sexual orientation. This accounted for 75.9% of the stolen data identified. A further 14.9% was accounted for by password and credential data, and around 9.2% related to credit card information.
Shaty said the widespread loss of PII was a strong indicator that organisations were simply not putting enough effort into securing it – noting that a great deal of the losses occurred because PII is frequently swapped around between systems, people and suppliers. Credit card data appears to be the most “vigorously protected” but is clearly in high demand on the dark web, so is frequently targeted by cyber criminals.
Almost 50% of the breaches identified began in web applications, either through an SQL injection vulnerability or another type of vulnerability, such as remote code execution (RCE). Another big cause was data left publicly accessible, accounting for 15% of breaches – often through lack of care to securing cloud storage instances (ElasticSearch and AWS S3 were the most commonly exposed data sources). Phishing, while instrumental in many high-profile ransomware attacks, accounted for just 3.8% of initial breaches.
Imperva is currently rolling out a new data protection service, Imperva Data Privacy, designed to help organisations mitigates some of their GDPR risks by automating core processes and foundational tasks of data privacy compliance – such as data subject access requests (DSARs).
The service is built on its existing Sonar platform, which unifies monitoring of edge, apps, APIs and network security, “making transparency and accountability with privacy regulations easy”, said Imperva.