Follow the Data: Dissecting Data Breaches and Debunking the Myths

September 22, 2015

These past 10 years have given us some of US history's most high-profile data breaches. There was the AOL incident in 2005, where an insider leaked sensitive data. The Sony (2011) and Target (2014) incidents exposed millions of customer records. And this year alone, we saw healthcare companies (Anthem), government agencies (OPM), and even online dating services (Ashley Madison) get hit with breaches of their own. The magnitude of stolen information is staggering, and its variety even more so.

Much of the attention surrounding these breaches has been focused on who's affected and how they can recover. The stolen data, on the other hand, is treated as a lost cause. But there is much more to learn from studying what was stolen. By following the data, we can get a picture of what attackers are looking for, how they use the data, how much it costs, and where it eventually ends up.

Numaan Huq of the Trend Micro Forward-Looking Threat Research team analyzed a decade's worth of data breach information to gain insight into the odds at play when a company suffers a breach. His probability studies allow companies to assess their current risk levels and come up with better strategies to defend their networks. They also help us test whether what we know about data breaches has merit or is mere myth.

Myth # 1: Hacking and malware are the leading causes of data breaches.

Although the news has been rife with stories of how certain malware or hacking groups were responsible for breaches, the truth is that most were caused by device loss or theft. Overall, it accounts for 41% of all breaches, compared with the 25% caused by hacking and malware. Companies often overlook the kind of sensitive information stored on their employees' laptops, mobile devices, and even thumb drives. If any of these devices are lost or stolen while left unprotected, they become an easy source of stolen data.

This doesn't mean, though, that hacking and malware are not serious. These kinds of threats should never be taken lightly. Compared to device loss or theft—which can be mitigated through remote device wipe, the use of virtual infrastructure, and enforcement of stricter policies—hacking and attacks using malware are more planned and deliberate. Highly customized defense solutions and strategies are required in these cases.

[Interactive chart: Probability of using different breach methods, January 2005 to April 2015]

Myth # 2: Attackers go for personally identifiable information (PII) to reap the most data.

This is both true and false. Although PII is the most popular stolen record type, it doesn't guarantee an attacker more access to the information they are after. It really depends on the situation and the attacker's goal. If the aim is education or health records, having a person's PII gives the attacker a higher chance of reaching those records. If attackers really want the proverbial keys to the kingdom, they go for credentials, specifically the credentials of a network administrator.

[Interactive chart: Conditional probability of Record_Type_Y also getting stolen if Record_Type_X is. Record types shown: Financial (19.74%), Others, Health (22.27%), PII (50.42%), Education (4.62%), Payment card, Credentials (7.56%)]

Myth # 3: Using hacking or malware is the best way to steal all types of data.

Going by the probabilities, this one is true, but only because these were the most popular methods attackers used over the past decade. Hacking into a network—whether using brute force, social engineering, or malware—has the highest chance of returns. The second most preferred method is through insiders. These can be disgruntled employees who leak the data of their own volition.

[Interactive chart: Commonly observed data breach scenarios. Breach methods: Hacking or malware, Payment card fraud, Unintended disclosure, Insider leak, Loss or theft, Unknown. Record types: PII, Financial, Health, Payment card, Credentials, Education, Others, Unknown]
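The three charts above visualize three simple statistics over a set of breach records: the share of each breach method (Myth #1), the conditional probability that record type Y is also stolen when record type X is (Myth #2), and the record types each breach method tends to expose (Myth #3). As an added example that is not part of the article or of Huq's study, the Python below computes all three from a small constructed sample; the rows are made up for illustration and are not the PRC data set.

```python
from collections import Counter

# Constructed sample of breach records: (breach method, set of record types exposed).
# These rows are invented for illustration; they are not the PRC data set the study used.
BREACHES = [
    ("Hacking or malware",    {"PII", "Credentials"}),
    ("Hacking or malware",    {"PII", "Payment card"}),
    ("Hacking or malware",    {"Credentials"}),
    ("Loss or theft",         {"PII", "Health"}),
    ("Loss or theft",         {"PII"}),
    ("Loss or theft",         {"Health"}),
    ("Loss or theft",         {"PII", "Financial"}),
    ("Insider leak",          {"PII", "Financial"}),
    ("Unintended disclosure", {"PII", "Education"}),
    ("Payment card fraud",    {"Payment card"}),
]


def method_share(breaches):
    """P(method): fraction of all breaches attributed to each breach method."""
    counts = Counter(method for method, _ in breaches)
    return {m: c / len(breaches) for m, c in counts.items()}


def co_compromise(breaches, given):
    """P(Y also stolen | X stolen): among breaches that exposed `given`,
    the fraction that also exposed each other record type."""
    with_x = [types for _, types in breaches if given in types]
    if not with_x:  # record type never observed: no conditional is defined
        return {}
    counts = Counter(t for types in with_x for t in types if t != given)
    return {t: c / len(with_x) for t, c in counts.items()}


def records_by_method(breaches, method):
    """P(record type | method): which record types a given breach method exposes."""
    rows = [types for m, types in breaches if m == method]
    if not rows:
        return {}
    counts = Counter(t for types in rows for t in types)
    return {t: c / len(rows) for t, c in counts.items()}


if __name__ == "__main__":
    for name, share in sorted(method_share(BREACHES).items(), key=lambda kv: -kv[1]):
        print(f"{name:<22} {share:6.1%}")
    print("If PII is stolen, also stolen:", co_compromise(BREACHES, "PII"))
    print("Hacking or malware exposes:", records_by_method(BREACHES, "Hacking or malware"))
```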

Myth # 4: The retail industry is the most affected by data breaches.

Although retailers have suffered many losses because of data breaches, the most affected industry was actually the healthcare sector, accounting for more than a fourth of all breaches (26.9%) this past decade. The second was the education sector (16.8%), followed by government agencies (15.9%). Retailers come in only fourth, at 12.5%. Although its share is not as big as the healthcare industry's, a breach at a high-profile retail giant can still be damaging in terms of reputation and revenue.

Industries affected by data breach

Myth # 5: PII is the most in-demand underground commodity in terms of breached information.

There's actually a big surplus of PII currently available in the cybercriminal underground. This has caused its price to drop significantly, from US$4 last year to US$1 this year. The same goes for credit card numbers, which are now sold in bulk regardless of card brand. Interestingly, stolen Uber accounts are gaining popularity as a commodity, selling at around US$1.15 each.

[Gallery of underground marketplace listings; captions only:]
  • Mobile phone accounts for sale
  • Miscellaneous accounts for sale
  • PayPal accounts for sale
  • Bank and poker accounts for sale
  • Credentials for sale
  • Uber accounts for sale
  • PayPal and eBay accounts for sale
  • UK and US bank log-in credentials for sale
  • Bank log-in credentials with balance information for sale
  • Credit cards for sale
  • Site to search for and purchase credit cards
  • US credit cards for sale
  • International credit cards for sale
  • International credit card dumps for sale
  • Social Security numbers and dates of birth for sale
  • US-based PII for sale
  • Social Security numbers for sale with owners' full names, locations, and dates of birth
  • Credit reports for sale
  • Ad selling PII
  • Scanned documents for sale

For a more detailed look at the end-to-end journey of stolen data, check out our research paper Follow the Data: Dissecting Data Breaches and Debunking the Myths [PDF]. There, you'll see more of the research, analysis, and insights that support the findings listed here. Also flip through its companion piece, Follow the Data: Analyzing Breaches by Industry, where you'll see a breakdown of stolen data and breach methods associated with each sector.

The data set used in this research was from the Privacy Rights Clearinghouse (PRC), a non-profit corporation based in California. PRC's mission is to engage, educate, and empower individuals to protect their privacy. They do this by raising consumers' awareness of how technology affects personal privacy, and by empowering consumers to take action to control their personal information through practical tips on privacy protection. PRC responds to privacy-related complaints from consumers and, where appropriate, intercedes on the consumer's behalf or refers them to the proper organizations for further assistance. PRC documents consumers' complaints and questions about privacy in reports and makes them available to policy makers, industry representatives, consumer advocates, media, and others. PRC advocates consumers' privacy rights in local, state, and federal public policy proceedings.

Data breaches are a real risk for enterprises. Enterprises should deploy solutions like Trend Micro™ Custom Defense, which can detect, analyze, and respond to advanced malware and other attack techniques used in data breaches. Solutions like Trend Micro Deep Security, on the other hand, can protect data server applications and content to prevent business disruptions while helping meet regulatory compliance, whether you are using physical, virtual, cloud, or mixed-platform environments.

Integrated Data Loss Prevention in Trend Micro products can identify, track and secure all confidential data from multiple points within the organization to avoid the occurrence of unintended disclosures and the repercussions of lost devices. Endpoint Encryption ensures data privacy by encrypting data stored on endpoints—including PCs, Macs, DVDs, and USB drives.
