

05:35 PM

Breach Data Shows Attackers Switched Gears in 2020

Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.

The number of data breaches declined by half last year — to less than 4,000 events — yet the number of leaked records more than doubled, as did the number of breaches that included a ransomware component, according to an annual analysis of breach events by Risk Based Security.

The diverging trends suggest that attackers are focusing more on ransomware, which is often not reported as a data breach if information is not exfiltrated. In addition, more than 80% of the at-risk records came from five events caused by misconfigured databases, suggesting that consolidation in the cloud may have led to more severe, if less frequent, data breaches.


Overall, the way attackers are monetizing system compromises has changed, says Inga Goddijn, executive vice president at RBS. 

"The attackers really seem to be moving away from going after credit card data and other personally identifiable data and going straight for the extortion schemes to monetize their access," she says, "while the bigger record count is really being driven by somebody's entire database sitting out there open, accessible, and readable to any passerby."

Overall, publicly reported data breaches shrank by 48% to 3,932 events in 2020, according to the "2020 Year End Report Data Breach QuickView" report. Yet more than 37 billion "records" were exposed, a 141% increase over 2019, mainly due to five breaches. Those breaches each exposed more than a billion records, while another 18 breaches exposed between 100 million and a billion records. 

While the data shows two different facets of trends in breaches, the actual level of activity probably has not changed much, says Goddijn. 

"I think the level of activity out there is the same, but the number of breaches that came to light was different in 2020," she says. "The landscape has changed quite a bit, but there is not a reduction of risk by a long shot."

Ransomware continues to be a problem, however. The number of breaches that included ransomware doubled to 676, Risk Based Security states in the report. 

The rising trend matches data from other security firms. Ransomware made up half of all cybersecurity incidents in 2020 and 81% of all financially motivated attacks, according to a report from the incident response team at CrowdStrike. The average ransom has exceeded $1.4 million, twice the cost of recovery, according to a report from Sophos.

With increasing frequency, ransomware operators are stealing data as well, causing a rise in companies unable to determine the specific types of data taken.

"Due in large part to the 'smash and grab' data theft that accompanied many of the exfiltration plus encryption extortion schemes, attackers have shown it’s not necessary to steal personal data in order to generate a successful payday," RBS states in the report. "Exfiltrating sensitive internal files is enough — in some cases — to create sufficient pressure for organizations to pay the extortion demand in the hopes of preventing wide-spread release of the data."

Other measures show the changes to the mix of breaches. The average severity score for breaches increased to 5.7 by the end of 2020, up from 4.8 at the beginning of the year. Because the scale of the severity score is logarithmic, the increase of nearly a point indicates a 10x increase in severity, the report states. The severity of a breach includes the volume of records exposed and the type of data in each record.

Almost half of all breaches leaked an individual's name, a third leaked an e-mail address, and more than a quarter leaked a Social Security number, according to the report. Only 25% of breaches included passwords, down from more than half in 2019.

The report also highlights the problems in determining the impact of breaches. 

On one hand, companies that suffer a ransomware attack should be considered breached, even if there is no evidence of data exfiltration, says Goddijn. Yet, as the leak of large databases with billions of records shows, the record count does not necessarily equate to the number of individuals impacted, she says.

"The record count is showing its issues [as a metric] because it's not always a good indication of the severity of the breach," Goddijn says. "So this new data introduces some interesting questions about what the record count means."

Overall, more than three-quarters of breaches were caused by an external actor, RBS states. Of the internally caused breaches, two-thirds were accidental.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
