Symantec threat report shows private data of 550 million people exposed due to security breaches last year

Tuesday 08 April 2014 16.14
Symantec says the number of data breaches increased by two thirds last year

The identities and private data held on computer systems relating to more than half a billion people were exposed due to security breaches last year, according to a report published by Symantec.

The internet security company's Threat Report for 2013 estimates the number of data breaches increased by two thirds last year.

The research also found a 91% rise in the number of campaigns where organisations or individuals were specifically targeted by hackers. 

The threat report cites a sixfold surge in cases of ransomware - where a criminal purporting to be a law enforcement agent locks a user's computer with the aid of a virus, and then demands a fine be paid to have it unlocked.

Symantec also began seeing cases where criminals simply encrypted the computer and all its files without the pretense of being a law enforcement agent, and demanded a ransom. The ransom demanded typically involved payment of between €100 and €400. 

The targeting of mobile phones with viruses actually fell last year. But Symantec says this is more an indication that hackers are focusing on improving existing malware rather than building new viruses. The targeting of social media remains a significant problem, however, with hackers trying to dupe users of social media into handing over their usernames and passwords.

The study also found a significant increase in the number of large data breaches last year, with eight incidents recorded where more than 10 million records were compromised. The company noticed a marked increase in large breaches towards the end of the year. 

A third of the data breaches were perpetrated by hackers, with just under a third the result of records accidentally being made public. The theft or loss of a device was the reason for data being lost in 27% of cases. Although almost half of all data breaches took place in the healthcare sector, breaches in the retail sector led to a third of all the identities that were exposed being compromised.

The research also found that the number of hacking campaigns using email grew significantly last year, as did their durations. But in a sign that the campaigns are becoming more targeted, the number of emails sent during each campaign and the number of people who received them fell.

Public administration bodies were the most commonly targeted organisations, followed by professional and non-traditional services. In a sign of a shift from the previous year, the number of medium-sized businesses targeted grew substantially. Personal assistants and those working in the media and public relations are typically most targeted by such "spear phishing" attacks.

Last year also saw a significant rise in the number of so-called "zero day vulnerabilities" - holes in software which are exploited before they are known about and patched. Analysts at Symantec found that one in every eight websites they scanned had vulnerabilities. Symantec says that with so many vulnerabilities on existing legitimate websites, there is no need for hackers to set up their own websites specifically to host viruses. The company says that during last year it saw a 23% increase in the number of website attacks each day, with 568,700 assaults launched daily.

Despite recent reports that an internet connected fridge had been hacked and used to send out spam, Symantec says hacking of connected machines or "the Internet of Things" is still limited. It says attacks against internet connected televisions, cars and medical equipment have been demonstrated to be feasible, but actual attacks have so far been limited. 

The data used in the report was gathered from telemetry embedded in Symantec's products, analysis of viruses and malicious emails, the use of digital honeypots to attract hackers and other private sources. Much of the analysis that forms the basis of the report was carried out at Symantec's Blanchardstown-based Security Response Centre.