On March 5, identity intelligence company 4iQ announced the release of its report on identity-breach trends in 2018, titled “The Changing Landscape of Identities in the Wild: The Long Tail of Small Breaches.” The report, which drew on large amounts of breached and leaked data found in open sources on the surface, deep, and dark web, saw “a significant shift from attacks on not just large companies, but increasing attacks on a greater number of small businesses – the long tail – as hackers targeted unsophisticated and unsecured small businesses and supply chain vendors.”
4iQ’s specific findings about identity-breach trends included the following:
- There were 12,449 new and authentic breaches and leaks in 2018, reflecting a 424 percent increase from 2017. That total translates to 1,037 breaches every month, or 34 breaches every day.
- The average breach size in 2018, however, was 216,884 records, 4.7 times smaller than in 2017. 4iQ interpreted these results to indicate that hackers were both more willing and able “to attack larger numbers of smaller targets.”
- 9 billion raw identity records circulated across the web – a 71 percent increase from the 8.7 billion raw identity records circulating in 2017. After 4iQ curated (i.e., analyzed, normalized, and cleansed) the raw data, it found approximately 3.6 billion records that were real and new – a 20 percent increase from 2017’s total of 3 billion curated identity records. 4iQ characterized 2018 as “a record year for breaches caused by open devices, with a much larger number of accidental exposures than exposures due to hacking.”
- “Government Agencies” had the largest growth as an exposed industry in 2018, increasing 291 percent from 2017. On this point, 4iQ specifically noted that “[f]or the first time we saw underground brokers actively including citizen data, such as voter databases, as part of their data portfolio.” It also observed that numerous 2018 data dumps from the United States, China, and Russia exposed citizen data and voter records as well as financial and customer databases.
- The top five exposed industries included forums and referral sites (27.5 percent), government agencies (12.2 percent), gaming and gambling (11.8 percent), e-commerce (11.7 percent), and education and academia (9.2 percent).
- “The circulation and repackaging of username and password databases into ‘Combo Lists’ has seen a sharp increase in 2018.” One Combo List from May 2018 that 4iQ reviewed contained 98 gigabytes of data; another Combo List from January 2019 contained 1 terabyte of data including 1.82 billion credentials.
- North America was the continent with the greatest percentage of curated breaches (37.2 percent), followed by Asia (34.5 percent), Europe (17.8 percent), South America (9.9 percent), Oceania (4.2 percent), and Africa (0.18 percent). 4iQ “saw breach exposure growth in China, Russia, Vietnam, Japan, and Brazil” since 2017.
- Examples of data for sale included a file with 21 million identities from Peruvian citizens that could be used to make fake identity cards, tax data, passport images, and health and auto insurance cards.
Note: In conceptualizing data-breach risks, it is easy for cybersecurity experts and compliance officers to fall back on the availability heuristic and define the problem in terms of data breaches associated with leading brands, such as Marriott Starwood, Cathay Pacific, and Facebook in 2018. The 4iQ report is instructive in demonstrating that, while companies and agencies of all sizes and in all sectors should be concerned about the overall growth of identity breaches in 2018, small- and medium-sized enterprises should take particular note of the increased likelihood that they can be targeted for data breaches and take action to bolster their cyber defenses accordingly.