A Review Of Cyber Breaches In 2019 – Part II
Each year we review the cyber breaches reported to the Nebraska Attorney General’s Office to identify trends and glean insight from the past year’s breaches. This article is the second of three in our review of the information as reported. In this second segment we look at the types of companies targeted and the types of information sought by hackers breaching a company’s systems.
Types of Companies Targeted
The types of companies that suffered a data breach break down as follows:
The largest category, “General Business,” is a catch-all for companies which do not fit neatly into one of the other categories. It includes general retail merchants, online merchants, computer firms, construction and consulting firms, convenience stores, law firms, accounting firms, travel agencies, and more. The companies in this group span every part of the economy. The key take-away from this graphic is that every industry can become the victim of a data breach.
Next, breaking down the company category year-to-year, we see trends develop for each industry:
Looking at the overall trend for each industry, almost every industry has suffered an increase in data breaches year over year. The sectors with the greatest increases were the religious and charity sector, followed by education.
Types of Information Obtained in a Data Breach
The next area to examine is the type of information obtained in connection with a data breach. Nebraska statutes define the personal information whose compromise constitutes a breach as a first name and last name, or first initial and last name, in combination with one or more of the following:
- Social security number;
- Motor vehicle operator’s license number or state identification card number;
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
- Unique electronic identification number or routing code, in combination with any required security code, access code, or password;
- Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or
- A user name or email address, in combination with a password or security question and answer, that would permit access to an online account.[1]
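When scoping an incident, the practical question is whether the fields actually exposed meet this definition. The following triage helper is an added example and is not part of the article; it encodes the definition exactly as the article summarizes it above (a name is required in every case), so the precise scope of the statute, including how the online-credential element is treated and any exemptions, should be confirmed against the statute text before a notification decision is made. The column names, alias table and sample exports are constructed for illustration.

```python
"""Triage helper: does a set of exposed column headers meet the Nebraska
"personal information" definition as the article summarizes it?

Added example, not from the article. The alias table maps constructed,
realistic column headers onto the categories the article lists.
"""

# Realistic export headers (constructed) -> category named in the article.
ALIASES = {
    "first_name": {"first_name", "fname", "given_name"},
    "first_initial": {"first_initial", "initial"},
    "last_name": {"last_name", "lname", "surname"},
    "ssn": {"ssn", "social_security_number"},
    "drivers_license": {"drivers_license", "dl_number", "state_id", "state_id_number"},
    "account_number": {"account_number", "acct_no", "card_number", "cc_number"},
    "electronic_id": {"electronic_id", "routing_code", "routing_number"},
    "security_code": {"security_code", "cvv", "access_code"},
    "biometric": {"fingerprint", "voice_print", "retina_scan", "iris_scan"},
    "username": {"username", "user_name", "login", "email", "email_address"},
    "password": {"password", "security_answer"},
}


def canonicalize(columns):
    """Lower-case each header and map it onto a statutory category.
    Unknown columns (order id, shipping address, ...) are dropped because
    they never trigger the definition on their own."""
    cats = set()
    for col in columns:
        key = col.strip().lower()
        for category, names in ALIASES.items():
            if key in names:
                cats.add(category)
    return cats


def has_name(cats):
    """First name or first initial, plus last name."""
    return "last_name" in cats and bool({"first_name", "first_initial"} & cats)


def triggering_elements(cats):
    """Return the listed elements present, honoring the 'in combination with'
    conditions: financial and electronic identifiers count only when a code
    or password that grants access was exposed alongside them."""
    found = []
    if "ssn" in cats:
        found.append("ssn")
    if "drivers_license" in cats:
        found.append("drivers_license")
    if "account_number" in cats and {"security_code", "password"} & cats:
        found.append("account_number+code")
    if "electronic_id" in cats and {"security_code", "password"} & cats:
        found.append("electronic_id+code")
    if "biometric" in cats:
        found.append("biometric")
    if "username" in cats and "password" in cats:
        found.append("online_credential")
    return found


def assess(columns):
    """Summarize an exposed dataset: is a name present, which elements were
    exposed, and does the combination meet the definition as summarized."""
    cats = canonicalize(columns)
    elements = triggering_elements(cats)
    return {
        "name_present": has_name(cats),
        "elements": elements,
        "notifiable": has_name(cats) and bool(elements),
    }


if __name__ == "__main__":
    # Constructed sample exports an investigator might pull from an exfiltrated table.
    samples = {
        "orders table": ["Order_ID", "First_Name", "Last_Name", "CC_Number", "CVV"],
        "mailing list": ["first_name", "last_name", "email"],
        "credentials only": ["username", "password"],          # no name: not covered as summarized
        "ledger without codes": ["first_name", "last_name", "account_number"],
    }
    for label, cols in samples.items():
        print(f"{label:22} -> {assess(cols)}")
```

The `ledger without codes` and `credentials only` cases are the ones worth noticing: an account number exposed without its security code, or a password exposed without an associated name, do not meet the definition as the article states it, which is why an inventory of exactly which columns left the system matters more than a count of records.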
Thus, by the statutory definition we would expect to see names – either first and last name or first initial and last name – as one of the leading items reported by breach victims. And, as demonstrated in the below graph, that is the case:
In a plurality of breaches, names are stolen along with other identifying information. Stolen personally identifiable information (“PII”) is usually sold on the dark web, and the more complete the record, the higher the price. Names alone are worth little, but names paired with SSNs, dates of birth, or some other identifier that enables identity theft command premium prices. The same is true of SSNs: an SSN associated with a name sells for a premium over an unassociated SSN.
Additional Uses of Hacked Network
In assessing a hacker’s motivation for infiltrating a network, it is worth noting that PII is not the only value a hacker can extract. During a presentation to a group of business owners, a member of the audience commented that their company’s computers and network held nothing that would interest a hacker. It is important to keep in mind that few network intrusions actually meet the statutory definition of a breach, yet there are many reasons to hack a network. Several years ago Brian Krebs published a graphic on his blog illustrating the many reasons a hacker targets a machine. The graphic is below: [2]
As the graphic shows, there are numerous reasons for hacking a company and gaining access to its computers, many of which are not captured by state breach notification statutes. Companies need to be aware that simply having a computer on the Internet is reason enough for a hacking group to target it. Hackers have no idea what is on a system before it is hacked; they can only judge its value once they have obtained access. If the system contains no PII, they can still use it for further attacks, spam, botnets, and more. These uses make the computer itself, not just the PII it may hold, the target of the hack.
Next month we will review the types of attacks hackers used to carry out these breaches.
[1] Nebraska Revised Statute 87-802
[2] https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/