Prime Factors Blog

A Year in Review: Breaches in 2016

Posted by Pete Flagella on Feb 16, 2017 10:00:00 AM


In just one year, hackers and outsiders gained access to billions of records across the world. This is an astonishing, record-breaking achievement that only a criminal could celebrate. The top 10 breaches of the year accounted for the vast majority of those records, so a handful of leaks did far more damage than the rest combined. The number of breaches exposing more than 10 million records appears to have jumped substantially from past years, which means the stakes for better security are even higher in 2017.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

How Are Breaches Reported?

According to Risk Based Security (RBS), there were 4,149 breaches in 2016; according to the Identity Theft Resource Center (ITRC), there were 1,093. Both track data leaks of every kind, but RBS casts a wider net when aggregating incident reports, which may explain its higher count. Despite the difference in method, both groups agree that the amount of information lost rose significantly in 2016.

However, that might not be the whole story. Nobody, from government agencies to everyday companies, is eager to tell the public they have been breached or hacked. The numbers may mean that 2016 was the worst year for breaches, or only that it was the worst reported year.

Who Was Targeted?

The FBI and Department of Homeland Security famously lost about 30,000 records of employee data. The IRS lost control of the information of 700,000 taxpayers after opening a portal for them to check their tax history online. Yahoo probably comes to mind first if you're thinking of last year's most famous breaches: it made not one but two major admissions in just a few months. The fact that the breaches themselves took place in 2013 and 2014 does little to ease the public's fears; around a billion accounts' password hashes and security-question answers had been in the hands of hackers for years before Yahoo told anyone. Other notable names include the health care enterprise Centene, 21st Century Oncology, and Verizon.

The companies hit hardest suffered deliberate hacks rather than accidental breaches. (A hack indicates malicious activity by another party, whereas a breach may be an accidental leak or other unintended disclosure.) According to the ITRC, hacking, skimming, and phishing accounted for more than half of the breaches, while accidents and errors accounted for a little under 20%. More than 50% of these incidents exposed Social Security numbers, and 13% exposed financial or credit card information.

Motivations Beyond Money

The reported numbers include every technique an attacker might use, from ransomware to card skimmers. For the most part, businesses were targeted rather than government or medical organizations, which sets 2016 apart from 2015, when health care data was lost in spades. Security experts say that breaches rise and fall with economic activity, and they stress that absolutely no one is immune to losing confidential information. As attack tooling becomes cheaper and the profits keep rising, criminals are getting away with more theft than ever.

But it's not just money. The Office of Child Support Enforcement in Washington had a former employee steal hard drives containing information on more than 5 million people, including Social Security numbers and demographic data. The US Department of Justice was targeted over the relationship between the US and Israel, making some hacks as much about political punishment as about money. So-called hacktivists target individuals and organizations for social causes or just to create chaos. The threats may not be visible to the outside world, but they're always present.

Staying Quiet

Different companies deal with their breaches in different ways. Many claim complete ignorance (e.g., Yahoo), while others seem unwilling or unable to grasp the repercussions of leaked information. After its 2012 breach, LinkedIn thought it had taken the necessary steps to fix the problem; four years later it learned that far more accounts had been affected. These 'oops' apologies from major tech companies are alarming to the millions of people whose passwords sat in hackers' hands for years before they found out, and they are one reason fines are increasing for companies that let information slip to the wrong people.

More Proactive Measures

Prevention is an important part of keeping hackers at bay, but as 2016 kept showing us, it's not enough on its own. Companies that focus only on malware or perimeter protections continue to lose information at every turn. Hackers keep finding that there is always a way into any company or institution, and getting in doesn't have to take much time or effort. By reducing the value of what can be stolen, companies send a strong message that there is no quick buck to be made. Encrypting or tokenizing sensitive fields raises the amount of work an attacker must do while removing the pay-off: a dump of ciphertext or tokens is worthless unless the keys or the token vault are compromised as well, which is why those must be stored and controlled separately from the data they protect. That kind of disincentive makes it easier for attackers to move on to the next company.

Employee education also needs attention, because even malicious hacks can often be traced back to an unintentional mistake. One police department in Texas lost years of evidence when an employee clicked on an email that appeared to come from someone in the department and ransomware encrypted the files. Those who analyzed the year's data saw time and again that naivety is a major problem. For anyone handling PHI, PII, or other data covered by regulations such as HIPAA, there's no reason to take chances. Encrypting the department's files with separately held keys would have kept the thieves from reading anything they took; preventing the loss itself would have required tested, offline backups, because ransomware encrypts files whether or not they are already encrypted. Cryptography spares companies, time and time again, from exorbitant fees and reputation-destroying announcements: it limits the damage after a break-in has already happened, leaving hackers with nothing but strings of undecipherable characters.
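As an added example (not code from the Prime Factors post), here is the vault-style tokenization of a Social Security number field that the section above argues for, in Python. It assumes an in-memory vault and constructed sample records; in a real deployment the vault and its lookup key run as a separately access-controlled service, and the application database never holds anything but the tokens, so a dump of that database alone yields nothing usable.

```python
# Added example: vault-style tokenization of a PII field (not code from the
# original post). The in-memory vault, the names and the sample records below
# are constructed for illustration; a real vault is a separately
# access-controlled service, and the application database stores only tokens.
import hashlib
import hmac
import secrets

# Constructed sample records; two of them share an SSN on purpose.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789"},
    {"name": "B. Example", "ssn": "987-65-4321"},
    {"name": "A. Example", "ssn": "123-45-6789"},
]


class TokenVault:
    """Maps random tokens to real values. Lives outside the application database."""

    def __init__(self, lookup_key: bytes):
        # A keyed fingerprint lets the vault return the same token for the same
        # value without keeping the plaintext in a searchable form.
        self._lookup_key = lookup_key
        self._value_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # Random token: it carries no information about the value it replaces.
            token = "tok_" + secrets.token_hex(16)
            self._value_by_token[token] = value
            self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (and a business need) recover the value."""
        return self._value_by_token[token]


def tokenize_records(records, vault, field="ssn"):
    """Swap the sensitive field for a token before the record is written to the app DB."""
    return [{**r, field: vault.tokenize(r[field])} for r in records]


def leaked_values(app_rows, field="ssn"):
    """What an attacker who dumps only the application database sees in the field."""
    return [r[field] for r in app_rows]


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    rows = tokenize_records(SAMPLE_RECORDS, vault)
    for row in rows:
        print(row)
    # The vault, not the application database, turns a token back into an SSN.
    print(vault.detokenize(rows[0]["ssn"]))
```

The tokens are random rather than derived from the SSN, so the application database reveals nothing even to an attacker who can guess SSN formats; the keyed fingerprint that makes tokenization repeatable stays inside the vault along with its key. The same split applies to field-level encryption: keep the key in a separate key store, never in the database or application config alongside the ciphertext.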


Topics: Enterprise Data Protection, encryption, data breach