Folks, let’s continue our journey together on the Cyber Attack Statistics 2022 series. In Part 1, first we processed a comprehensive collection of worldwide cyber attacks between 2004 and 2022. Next, we studied the yearly trend and the industry breakdown of major cyber attacks and towards the end of the blog we discussed the breakdown of the Personally Identifiable Information (PII) and Protected Health Information (PHI) records. It was just the tip of the iceberg! This time, I’d like to bring to your attention some of the individual data breaches and address them as learning opportunities from past mistakes.
The original data set is openly accessible at Wikipedia. As a reminder, I have uploaded it to Gigasheet for quick analysis tools such as pivot tables, groups and sorting.
Gigasheet also allows sharing files publicly, so you can explore the processed data right here.
Gigasheet’s pivot table functionality makes it very convenient to organize large amounts of data. Here, I first grouped the data with respect to the entities and then sorted the grouped dataset by the amount of leaked PII and PHI data. The resulting doughnut pie chart below displays the Top 10 organizations with the largest sensitive data exposure from major cyber attacks.
Top 10 organizations with the largest PII and PHI data exposure
We already discussed in Part 1 the major data breaches that inconvenienced roughly 3.5 billion Yahoo! and 1 billion Facebook users worldwide. Some analysts argue these damaging cyber attacks initiated the downfall of Yahoo!. They claim these major data leaks significantly reduced the quality of user experience and incentivized Yahoo! users to switch over to relatively more secure emerging alternatives. Well said, this echoes with the idea that IT security is an investment.
In 2019; however, First American Financial Corporation, a real estate and mortgage financial services company, experienced a major cyber attack where sensitive and financial PII of 885 million customers including transaction records and mortgage deals was exposed. In addition to the reputation damage, the company agreed to pay the U.S. Securities and Exchange Commission a $488,000 fine for settlement. Forensic studies pointed to the Broken Access Control (BAC) vulnerability as the root cause of the attack. Listed as the #1 on OWASP Top 10 list, BAC is essentially a security vulnerability where malicious actors bypass access control checks by modifying the URL parameters or API requests.
Following Bugcrowd’s Vulnerability Rating Taxonomy, this specific vulnerability was further classified as the Insecure Direct Object Reference (IDOR) vulnerability, a subcategory of BAC. As simply illustrated by the following sketch, bad actors first interact with the web applications to identify the IDOR vulnerability and later send manipulated requests to gain unauthorized access to sensitive information.
A sketch of IDOR vulnerability
Gigasheet’s numeric aggregations and calculations feature displays descriptive statistics on the fly. The good news is that users do not need to learn any special formula syntax. Here is a great example, please take a look at the summary table below. As highlighted by the yellow box, the total user PII exposed from both Facebook and First American Corporation incidents are comparable (a little less than 1 billion PII for both cases). The major distinction is that while Facebook experienced 7 data breaches, First American Corporation had only 1 major breach with relatively more severe consequences. I’ve found Gigasheet’s on the fly data aggregations and calculations feature useful in comparing the grouped data here.
Summary of leaked PII
Let’s now change the gear and review the occurrences and the impacts of the Top 10 attack surfaces, please see the summary table below. Interestingly, these attack surfaces accounted for 71% of the total number of cyber attacks but only 50% of the total PII and PHI data breaches. This is partly due to the fact that other than the top 10 listed here, there were a couple of less commonly exploited attack surfaces such as the Broken Cryptography or Broken Authentication and Session Management. These attack surfaces could not make the top 10 list but they were documented to impact a large number of users/customers.
Top 10 attack surfaces
Also, it is worth mentioning that only around 1% of the total PII and PHI data was due to the Lost or Stolen Devices even though this attack vector accounted for roughly 11% of all incidents. This explains how effective the encryption techniques are against data leaks from Lost or Stolen devices. Last but not least, Automotive Security Misconfigurations enabled perpetrators to exploit API vulnerabilities. It was documented that unauthorized access to API accounted for 6% of the total PPI and PHI while only 3% of the data breaches were due to API related vulnerabilities.
The figures below display histograms of the Top 10 attack surfaces using the total number of incidents and exposed PII and PHI data, respectively. Not surprisingly, phishing is one the most popular scams used by malicious actors. Free donuts? Please click the link below, just kidding!
Histogram of attack surfaces showing the number of incidents
Histogram of attack surfaces showing breached PII and PHI data
In this Cyber Attack Statistics 2022 blog series, we first processed a dataset that has been compiled by Wikipedia communities from reliable resources and then looked at the big picture of cyber attack trends since 2004. In this blog, we looked at organization and attack vector specific data breaches statistics.
If you have not tried out Gigasheet yet, I highly encourage you to sign up today, download a copy of the dataset and put together all sorts of charts and graphs inside Gigasheet. Please remember it is Free Forever!