IT Security

Data breaches analysed

by Mark Rowe

Personal employee or customer data accounted for nearly half (45pc) of all data stolen between July 2021 and June 2022, while companies’ source code and proprietary information accounted for a further 6.7pc and 5.6pc respectively, according to a cyber firm’s survey. More positively, the research – More Lessons Learned from Analysing 100 Data Breaches – found that theft of credit card information and password details dropped by 64pc last year, compared to 2021.

Terry Ray, SVP and Field CTO at Imperva, said: “It’s very encouraging to see such a decline in stolen credit card data and passwords. It suggests that more organizations are using basic security tactics such as Multi-factor Authentication (MFA), which makes it much harder for outside cyber attackers to gain the access required to breach data. However, in the long term, PII data is the most valuable to cybercriminals. With enough stolen PII, they can engage in full-on identity theft which is hugely profitable and very difficult to prevent. Credit cards and passwords can be changed the second there is a breach, but when PII is stolen, it can be years before it is weaponized by hackers.”

As for causes of data breaches, social engineering (17pc) and unsecured databases (15pc) were two of the biggest culprits. Misconfigured applications were only responsible for 2pc of data breaches, but businesses should expect this figure to rise in the near future, the cyber firm warns, as configuring cloud-managed infrastructure securely takes some expertise. Ray added: “It’s really concerning that a third (32pc) of data breaches are down to unsecured databases and social engineering attacks, since they’re both straightforward to mitigate. A publicly open database dramatically increases the risk of a breach and, all too often, they are left like this not out of a failure of security practices but rather the total absence of any security posture at all.”

Besides misconfigured data cloud infrastructure (each is unique), the firm pointed to poor password policies and a failure to learn from past data breaches. See also the company’s blog: https://www.imperva.com/blog/.

© 2024 Professional Security Magazine. All rights reserved.