Small Businesses Become the Favorite Target of Cyber Criminals Looking for Identity Records
Like it or not, cybercriminals breach online services every day and steal the personal information of millions of regular users like you. The data is later sold for a profit and/or abused in a variety of different ways. If they know what the hackers are up to, website operators and security specialists can make informed decisions and take the necessary precautions to better protect users' data, which is why companies like 4iQ have been monitoring the stolen databases that change hands online and sharing their findings with the rest of the world. In early March, they published their 2019 Identity Breach Report, in which they showed us what they saw last year.
The raw data
Plenty of data is bobbing around on underground marketplaces and hacking forums, and inevitably, some of it is old, duplicate, or fake. According to 4iQ, saying how many databases and accounts cybercriminals share and trade isn't going to help anyone, which is why they carefully analyze the information they find and sort out any data that's not relevant to their study.
In 2018, they went through tens of thousands of breach corpuses and realized that 12,449 of them come from real, new incidents. This means an average of 1,037 data breaches per month or 34 breaches every day.
The figures above should serve as food for thought for people who think that a data breach is a rare occurrence. 4iQ also have some stats for those who reckon that hacking incidents don't affect many users.
The researchers looked at a whopping 14.9 billion identity records and concluded that 3.6 billion of them are completely new and unique. 4iQ define an identity record as a record that contains one or more pieces of personally identifiable information. One exposed identity record doesn't necessarily equate to one exposed person, but even so, the figures are pretty interesting. Compare them to the ones from the previous year, however, and they become even more intriguing.
In 2017, 4iQ analyzed just over 3,500 breach corpuses and found out that around 2,940 of them are new and unique. During the same year, they ran through around 8.7 billion identity records and identified just over 3 billion of them as brand new.
In other words, in 2018, 4iQ confirmed four times as many new, legitimate data breaches as they did in 2017. At the same time, the number of newly exposed identity records is not that far from the previous year's results. So, what's going on exactly?
4iQ identified several trends while analyzing 2018's data. The first, perhaps rather surprising find is that cybercriminals are no longer following the "go big or go home" motto. In previous years, data breaches were mostly about popular online services where a single hit can expose the data of millions upon millions of individuals. The problem with these is that pulling off such an attack can be rather tricky. That's why, last year, the crooks preferred to focus on smaller online businesses that have, in 4iQ's own words, "little to no cybersecurity budgets". Overcoming the defenses of these enterprises is much easier and less time-consuming, meaning that the crooks can carry out many more attacks in the same time span.
Perhaps not surprisingly, at just under 217 thousand records per breach, the average breach size is about 4.7 times smaller than the figures from 2017. Nevertheless, because there were so many attacks, the overall number of newly exposed records is still about 20% higher than the previous year.
Going after smaller websites and services isn't the only thing the crooks did to make their lives easier. The use of automated crawlers that scan the internet for unprotected servers and database installations skyrocketed in 2018, and unfortunately, on many occasions, the crooks found what they were looking for. Exposing a whopping 63% of the records involved no hacking whatsoever. They were found in what 4iQ calls "open devices" – poorly configured servers and databases that hold tons of sensitive information without protecting it in any way.
As a result, the criminals had enough free time to assemble enormous data dumps of plaintext credentials (colloquially known as "combo lists") that can be pretty useful if you're trying to launch a large-scale credential stuffing attack. Surprisingly or not, over the last few months, we saw quite a few incidents that reportedly involved credential stuffing.
For people who follow cybersecurity news on a daily basis, 4iQ's findings are hardly shocking. For those who are not actively interested in the field, however, they may be something of a wake-up call. Unfortunately, the sad truth is that our data is online, and it's not as well protected as it should be. There's not a whole lot you can do about it, but you should definitely keep it in mind.