Dispelling data breach myths

security firm Trend Micro Inc. explored 10 years’ worth of data breach information in the U.S. and dissected via Bayesian to model it to find hidden trends—and what they found might surprise you.

We hear about on a daily basis, but don’t tend to ever find out what happens to information once it’s stolen. Following the data can provide a look into what attackers are after, strategies they use data they steal, how much they can sell it for, and where it’s really going.

Most organizations—no matter their size have experienced at least one breach.

The top five most frequently targeted and breached sectors from 2005-2015 included healthcare (Anthem), education, (Office of Personnel Management), retail, and financial — accounting for 81.3 percent of all disclosed breaches.

The one that stands out as most obviously affecting the U.S. military and defense industry is the Office of Personnel Management’s (OPM) breaches of its personnel database and background investigation database. Attackers were able to steal numbers, some fingerprints, residency and educational histories, employment histories, information about immediate family and other personal and business acquaintances, health records, as well as criminal and financial histories, of 21.5 million Americans. Clearly, this was a devastating breach with consequences that will be felt for years.

So how are attackers breaking into networks? The most common attack vectors involve , insider threats, , and unintended disclosure, according to a report, Follow the Data: Dissecting Data Breaches and Dunking Myths by Trend Micro (Irving/Las Colinas, Texas; www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-follow-the-data.pdf).

But attacks aren’t even necessary if someone loses a device. Somewhat surprisingly, mobile devices gone missing are behind 41 percent of all breaches, because companies “often overlook the kinds of sensitive information stored on their employees’ laptops, mobile devices, and even thumb drives. If any of these devices get lost, stolen, or are left unprotected, they become an easy way to steal data,” the researchers note in the report.

Hacking and malware, which we hear about more often because they’re much more interesting, were responsible for 25 percent of the breaches, the researchers found.

And the most frequently compromised data? It involves , health records, , education data, payment cards, and credentials.

Data most coveted by attackers? Not surprisingly, personally identifiable information (such as names, addresses, social security numbers, dates of birth, phone and email addresses) is the top targeted record type because it provides attackers with easy access to other personal information and educational details. Another key target, though, is network administrators and their credentials because they have access to networks.

Where is all of this stolen information going? It’s flooding the cybercriminal underground, a.k.a. Deep Web marketplaces, where there’s a painful surplus of personally identifiable information and credit card numbers. The researchers say this means that your personally identifiable information that was selling for $4 a year ago and enables identity fraud is now going for…$1.

All organizations that “process or store sensitive information are a potential target,” says Numaan Huq, senior threat researcher for Trend Micro. “By providing a better understanding of the nature of these attacks and how data is used throughout the process, organizations and individuals can better protect themselves and be prepared to respond effectively if and when a breach occurs.”

The healthcare sector wins for suffering the worst losses. More than a fourth of all breaches were within the healthcare sector (26.9 percent), according to Trend Micro, followed by the education sector (16.8 percent), government agencies (15.9 percent), and retailers (12.5 percent).

Theft of healthcare data often involves both personally identifiable information and financial data, which makes it an attractive and “lucrative target for criminals,” the report notes.

“The initial data loss is only a small part of the broader cybersecurity nightmare,” says Raimund Genes, chief technology officer for Trend Micro. “With data breaches becoming a daily occurrence, our forward-looking threat researchers (FTR) closely analyzed the entire lifecycle of the stolen data to provide businesses and individuals alike with defensive practices to reduce their likelihood of becoming a victim. While it’s crucial to build public awareness of the risks and repercussions of compromised data, it’s incumbent upon policymakers to intervene and create effective solutions to mitigate threats.”

The report points out that it’s time for U.S. to have “a strong legal framework in place to protect data breach victims and affected individuals. U.S.-based companies are frequent victims of data breaches, yet there are no federal standards in place that provide a uniform set of rules governing notification procedures. Instead, 47 U.S. States, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands each enacted their own legislations, requiring private or government entities to send out notifications of security breaches.” Having a federal standard, they add, would simplify this process.