By many measures, the trend of data breaches in 2013 has been effectively curbed, which is certainly good news for the security industry. Unlike the last four to five years, this year's record is no longer filled with the exodus of tens of millions of personally identifiable records from large database breaches. According to the Privacy Rights Clearinghouse, both the number of publicly reported breaches and the number of documented breached records are on the decline this year. At the same time last year, the number of documented breached records had reached about 2.78 million and the number of breach reports was 637. So far this year, the number of documented breached records is about 1.07 million and the number of breach reports is 483. This is a testament to the progress that the security industry as a whole has made in terms of compliance and security best practices - yet such a record is still far from the desired goal.
When comparing year-to-date numbers, we see a dramatic 61.7% decrease in the number of breached records, while the number of reported breaches has only decreased by 24.2%. This shows that leaks are still occurring at a rapid rate - except that criminal activity and breaches are now spread out rather than concentrated. Breaches are smaller in scope and, according to security insiders, the targets of such malicious activity are broader. Criminals are now stealing intellectual property or other digital assets more often, and the resulting damage can be more severe than the loss of customer records themselves - but it is also harder to quantify and does not provide the statistics needed for headlines.
Drilling down into this year's breaches, it's clear that the security industry still has a lot of work to do, and the 2013 track record proves that valuable databases remain poorly protected and encrypted, apps continue to be vulnerable, and users continue to be able to download large amounts of information from sensitive databases and store it on unprotected endpoints. To help you better understand the current security situation, we have selected a few representative examples from which we hope you can draw lessons.
Company: CorporateCarOnline.com
Breach statistic: 850,000 records stolen
Incident details: As one of the nation's most recognizable luxury car service companies, serving clients in sports, entertainment, and the Fortune 500, CorporateCarOnline.com holds a great deal of personal information about its users, including credit card numbers and other personally identifiable information. However, the global luxury car rental SaaS database solution it developed stored all of this information in plain text, which ultimately put it all in the hands of criminals. The list of affected clients involves a number of big names, including Tom Hanks, Tom Daschle, and Donald Trump.
Lesson learned: The most important lesson is to recognize the reality that attackers will bring formidable technical resources to bear when highly valuable financial and social-engineering information is at stake. According to KrebsOnSecurity.com, a quarter of the American Express cards exposed in the breach are high-limit or even no-limit cards, and this is exactly the kind of personal information that corporate spies or tabloid journalists would like to mine for valuable conclusions. At the same time, the company managed its revenue and expense accounts with no regard for the security of the information, and never attempted to implement even the most basic encryption measures.
Company: Adobe
Breach statistic: Approximately three million pieces of personally identifiable information, more than 150 million username/password combinations, and source code from Adobe Acrobat, ColdFusion, ColdFusion Builder, and other unspecified products were stolen.
Incident details: Since the initial breach, additional attacks continued for more than a month, culminating in this major incident. It is now clear that Adobe has been struggling to recover from the loss of a large volume of login credentials - and, more surprisingly, even its product source code.
Lesson learned: The world-shaking attack on Adobe not only demonstrates the damage that can be done when an attacker establishes a foothold in an organization's network and gains control of an entire store of business assets, but it also teaches us to examine the security posture a vendor has built before bringing that vendor into the software supply chain. The consequences of this breach are likely to unfold over a long time.
Company: U.S. Department of Energy
Breach statistic: Personally identifiable information was stolen from 53,000 former and current DOE employees
Incident details: Attackers targeted DOEInfo, a now-abandoned public-facing system for the CFO's office that the agency had built with ColdFusion. DOE officials said the breach was limited to personally identifiable information of internal employees.
Lessons learned: There are two major lessons to be learned from this. First, installing patches was, is, and always will be the most important security task. Second, organizations must minimize the attack surface by revisiting systems that interface with sensitive databases and ensuring that only essential sites are available to the public.
Company: Advocate Medical Group
Breach statistic: Four million patient records stolen
Incident details: The loss of four million patient records was caused simply by criminals stealing four company-owned computers from the office.
Lesson learned: Data breaches in the healthcare industry have dominated the list of breaches disclosed in 2013, but this one was clearly particularly egregious. A single theft of physical computing devices culminated in the compromise of patient records from the 1990s to the present, exposing the company's failures across the board in physical security, endpoint security, encryption, and data protection. It's important to emphasize that theft and loss of endpoint devices has been a common occurrence in the healthcare industry. These organizations now need to think hard about how much information an endpoint device should be allowed to download from a centralized database and store locally.