New data from Risk Based Security shows that the number of records exposed remains high despite the number of publicly declared breaches levelling off.
US infosec firm Risk Based Security has announced its Mid-Year 2018 Data Breach QuickView report.
The report shows that 2,308 publicly announced data breaches occurred, with 2.6bn records exposed along the way.
The volume of data breaches is levelling off
While this is alarming, the actual volume of disclosed breaches appears to be levelling off, said Inga Goddijn, executive vice-president of Risk Based Security.
By comparison, at the mid-point of 2017 there had been 2,439 breaches, and the number of exposed records is down from 6bn. Even so, the fact that the number of exposed records remains “stubbornly high” is still a massive problem.
Phishing for usernames and passwords to then leverage for system access is a particularly popular attack method this year. GDPR also played a massive part in the spikes in the number of breaches disclosed to authorities across the EU.
Fraud comes out on top
Fraud is the breach type that exposes the most records – 47.5pc in total. The number of breaches attributed to hacking accounts for more than 50pc of disclosed breaches.
Goddijn said companies often struggle to keep pace. “There are a lot of moving parts to an effective information security programme, and certainly patch management is one of the trickier components to tackle.
“That said, tried and true social engineering techniques combined with the ability to take advantage of unpatched weaknesses are some of the most effective tools malicious actors can use. That means defending against activities like phishing and solid vulnerability management go hand in hand when it comes to stopping hackers.”
While hacking remains the leading cause of data loss, other causes also contribute. These range from accidental exposure via publicly accessible S3 buckets, to misconfigured services and even improper email handling.
Goddijn said: “This type of data loss is easily prevented, and protecting against it is nearly entirely within the organisation’s control. It shouldn’t be overlooked in the quest to prevent external attacks.”
The business sector accounted for 40pc of reported breaches, followed by medical (8.3pc), government (8.2pc) and education (4.5pc). Nearly 40pc of breached organisations could not be definitively classified.