What a Long Strange Breach It’s Been

BakerHostetler

10th Anniversary Look Back

While 2014 may not really seem that long ago, consider this: In 2014, Tom Brady was still the quarterback of the New England Patriots, with nine years to go until his retirement from the NFL. President Barack Obama was in the middle of his second term. An outbreak in West Africa had people worried about the Ebola virus, while COVID-19 was still five years in the future. And a certain New York real estate mogul was in his 14th season as host of a reality TV show called “The Apprentice.”

2014 was also the year that a comedy film called “The Interview” was released, in which two journalists, played by Seth Rogen and James Franco, were tasked with assassinating North Korea’s Kim Jong Un. This silly movie led to North Korea retaliating with a major cyberattack on Sony, which included the release of gossipy and embarrassing internal Sony emails. Other notable breaches that year were Target and The Home Depot.

But why this brief reminiscing about 2014? That same year encompassed the incidents and data collected for BakerHostetler’s inaugural edition of its Data Security Incident Response (DSIR) Report, first published in early 2015. As the 10th Edition of the DSIR was just released, let’s roll the highlight reel and look at what has happened over the past decade.

How Do Breaches Happen? Let Me Count the Ways.

The ways in which data breaches can occur are almost endless, and we’ve seen them all in the more than 1,150 incidents we now handle each year.

Many incidents, unfortunately, start with employees. We’ve seen employees inadvertently disclose their credentials pursuant to phishing emails or download malicious attachments they thought were legitimate, allowing bad actors access to a company’s IT environment. We’ve seen malicious employees take data when leaving for their new job. Then there’s the IT guy who took a bunch of data just to show everyone that he was right about the company’s lax security. Some employees have spied on their coworkers and stolen their identities. And hospital workers have snooped in electronic health records to learn more about the celebrity undergoing plastic surgery there.

Maybe a “white knight” hacker uncovers a security hole in a company’s network and, just to be nice, lets the company know that they can show the company how to fix it for, ahem, just a small gratuity.

Of course, there’s the vendor who hooks up a laptop to an organization’s network but hasn’t patched it in months – malware disaster ensues. Or that great new software the company just rolled out has a security hole that someone forgot to patch. And, oops, that update the organization just did on its HR database ended up exposing it to the entire Internet (and is found by a random person through a search engine).

We’ve also seen files left behind in abandoned offices when companies have moved. And boxes of records that a new cleaning crew mistakenly left all weekend next to the dumpster in the parking lot. Also, 1 TB hard drives have been deemed lost after “everywhere was searched,” only to suddenly be found, months later, and after regulators had already been alerted of the incident by the media.

From Laptops to Ransomware

The classic golden oldie breach was typically caused by a lost or stolen laptop or anything small and mobile that could store data – like a USB stick. We saw laptops left behind in cars, on planes, and at bars, hotels and house parties. In fact, in the first few years of the DSIR Report, lost/stolen devices and records were a significant percentage of the incidents we handled – generally between 20 and 30 percent. From 2019 onward, we saw a steep decline in such events – below 10 percent. By 2021 this category had declined to 6 percent, and it was down to 2 percent as of the DSIR’s 10th Edition.

Why the improvement in this category? One word – encryption. Our clients got the message, whether from us, regulators, or class action lawyers (or all of the above): If you didn’t have encryption in place on all your mobile devices, you were in big trouble if a breach happened due to a lost/stolen unencrypted device.

But we still remind our clients: if you have even one unencrypted device, whether via “shadow IT” or a newly issued device not yet fully configured, that is the device that will be stolen from the back seat of a car – count on it.

A-Phishing (and Maybe Smishing) We Will Go

Phishing remains a significant component of data breaches. Over the past several years, phishing was still the root cause behind anywhere from 20 to 25 percent of breaches.

But phishing attacks are evolving. Years ago, unauthorized access to email accounts was used to obtain W-2s from an organization by false pretenses, or to simply rummage through thousands of emails to see what might be available to monetize, whether Social Security numbers, bank accounts or health information.

Over time, phishing attacks evolved into dropping ransomware or roaming the network (often using single sign-on capability) to access available data and set up wire transfer fraud. We still consistently see tens of millions of dollars in fraudulent wire transfers each year, including over $35 million in 2023.

Additionally, we are now seeing more sophisticated social engineering, including calls to the help desk by bad actors pretending to be employees in order to reset passwords, establish a new cellphone number to bypass multifactor authentication (MFA), or otherwise trick the help desk into providing enough information to obtain access to a user account and change direct deposit information. Typically, these actors already possess some pieces of personal information that make them appear legitimate, such as the last four digits of a Social Security number and/or a birth date, which is enough to fool the help desk. And it is likely that this information was obtained by the actor in some other data breach or from publicly available sources.

Further evolution includes what is referred to as “quishing” and “smishing.” Quishing involves emails containing a QR code that sends the user to a malicious website. Smishing uses text messages that, similar to phishing emails, try to fool the user into thinking they need to respond and provide their information, such as requests that appear to be from a package delivery service or a financial institution.

To help prevent phishing incidents and fraudulent wire transfers, we cannot emphasize this enough: use MFA for remote access to online accounts. Although not a panacea, as bad actors can still sometimes find a workaround to MFA, it has become, like encryption on mobile devices, a standard best security practice that regulators expect. Also, training employees on phishing continues to be vitally important. We further recommend having policies and procedures in place for safely and securely approving changes to wire transfer information, ACH payments, and changes to direct deposit information.

A King’s Ransom

Ryuk, Sodinokibi, Akira, Blackcat, Conti, Lockbit, Karakurt, Hive, CLOP … the list of ransomware variants and threat actor groups seems endless and ever-growing. Looking back over the past 10 years, it is almost surprising that ransomware wasn’t even a major topic of discussion until the 2017 DSIR Report. At that time, it represented just 10 percent of the incidents we handled. Since then, we’ve seen a huge uptick in ransomware attacks, which have essentially continued unabated (with a slight pandemic dip) to the present. Now, about 30 percent of all incidents we handle involve ransomware.

And virtually every ransomware incident now involves exfiltration of data – hundreds of gigabytes, if not terabytes, is common. This makes current ransomware events more complex, with the double-edged extortion threat of data publication along with locked up and inaccessible files.

For various reasons, some companies do end up paying a ransom. Since we first started tracking ransomware events, payments have generally increased significantly. In 2018, we saw an average ransom payment of $28,920. By 2020, that number had jumped to $794,620. This was a staggering increase of over 2,500 percent. There was a slight dip over the next couple of years (perhaps pandemic related), but the amount is now back up to more than $740,000 on average. That trend will likely continue.

There is some good news though. Over 60 percent of the time, in the incidents we’ve handled, companies have been able to restore from backups without paying a ransom. But if you can’t restore, watch out! For matters we handled in 2023, the largest ransom paid was over $10 million – almost double the largest ransom payment in 2021, which was $5.5 million.

In addition, the data we’ve collected does show some improving results in the category of restoration time after encryption. In the incidents we’ve handled, it used to take companies, on average, about two weeks to restore after an encryption event. But we’ve detected a downward trend on this data point. This is significant, because each day that servers are not functioning is one more day of lost revenue. Now, the average time to restore has dropped to less than 10 days. This is likely due to a number of factors, including faster containment, more robust and efficient backups, as well as the resources we can help bring to bear in assisting companies hit by ransomware.

***

We can only imagine what the data breach landscape will look like in 2034.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
