Dissecting Data Breaches and Debunking the Myths

Much of the attention surrounding recent high-profile data breaches focuses on who’s affected and how they can recover. The stolen data, on the other hand, is treated as a lost cause. But there is so much more to learn from studying what was stolen. By following the data, we can get a picture of what attackers are looking for, how they use the data, how much it costs, and where it eventually ends up.

Trend Micro, which will be at the 2016 Tech Security Seminar, conducted probability studies to help determine whether what we know about data breaches has merit or is mere myth. The full-length reports originally appeared in Trend Micro’s security news.

Myth 1: Hacking and malware are the leading causes of data breaches

Although the news has been rife with stories of how certain malware or hacking groups were responsible for breaches, the truth is that most of them were actually caused by device loss. Overall, device loss accounts for 41% of all breaches, compared to the 25% caused by hacking and malware. Companies may often overlook the kind of sensitive information stored on their employees’ laptops, mobile devices, and even thumb drives. If any of these devices is lost or stolen and left unprotected, it becomes an easy way to steal data.

This doesn’t mean, though, that hacking and malware are not serious. These kinds of threats should never be taken lightly. Compared to device loss or theft—which can be mitigated through remote device wipe, the use of virtual infrastructure, and enforcement of stricter policies—hacking and attacks using malware are more planned and deliberate. Highly customized defense solutions and strategies are required in these cases.

Myth 2: Attackers go for personally identifiable information (PII) to reap the most data

This is both true and false. Although PII is the most popular stolen record type, it doesn’t guarantee an attacker more access to his target information. It really depends on the situation and the attacker’s goal. If the aim is to get educational or health records, having a person’s PII will give the attacker a higher chance of accessing those bits of information. If attackers really want to gain access to the proverbial keys to the kingdom, they would go for credentials, more specifically, the credentials of a network administrator.

Myth 3: Using hacking or malware is the best way to steal all types of data

Looking at the probability, this one is actually true, only because these were the most popular methods attackers used this past decade. Hacking into a network—whether using brute force, social engineering, or malware—has the highest chance of returns. The second most preferred method is through insiders. These can be disgruntled employees who leak the data of their own volition.

Myth 4: The retail industry is the most affected by data breaches

Although retailers have suffered many losses because of data breaches, the most affected industry was actually the healthcare sector, accounting for more than a fourth of all breaches (26.9%) this past decade. The second was the education sector (16.8%), followed by government agencies (15.9%). Retailers only come in fourth place with 12.5%. Although the retail industry’s share is not as big as the healthcare industry’s, the effects of a breach for a high-profile retail giant can still be damaging in terms of reputation and revenue.

Myth 5: PII is the most in-demand underground commodity in terms of breached information

There’s actually a big surplus of PII currently available in the cybercriminal underground. This has caused its price to drop significantly, from US$4 last year to US$1 this year. The same goes for credit card numbers, which are now sold in bulk, regardless of card brand. Interestingly, the selling of stolen Uber accounts is gaining popularity. They’re sold at around US$1.15 each.