Leaked records up 566 percent to 4 billion in 2016: IBM Security

A report from Big Blue's security arm has found that the number of records compromised grew by 566 percent in 2016 to more than 4 billion.
Written by Asha Barbaschow, Contributor

In 2016, more than 4 billion records were leaked worldwide, exceeding the combined total from the two previous years, according to a report from IBM Security.

In its IBM X-Force Threat Intelligence Index 2017, Big Blue explained the leaked documents comprised the usual credit cards, passwords, and personal health information, but also noted a shift in cybercriminal strategies, finding a number of significant breaches were related to unstructured data such as email archives, business documents, intellectual property, and source code.

"Cybercriminals continued to innovate in 2016 as we saw techniques like ransomware move from a nuisance to an epidemic," said Caleb Barlow, vice president of Threat Intelligence, IBM Security.

"While the volume of records compromised last year reached historic highs, we see this shift to unstructured data as a seminal moment. The value of structured data to cybercriminals is beginning to wane as the supply outstrips the demand. Unstructured data is big-game hunting for hackers and we expect to see them monetise it this year in new ways."

In compiling its report, IBM observed more than 8,000 monitored security clients in 100 countries, and extracted data from non-customer assets such as spam sensors and honeynets.

Additionally, IBM X-Force runs network traps around the world and monitors more than 8 million spam and phishing attacks daily, while also analysing more than 37 billion web pages and images, it said.

IBM explained that in 2015, healthcare was the most attacked industry, with financial services falling to third. However, attackers in 2016 refocused back on the financial sector, which was the industry most targeted by cyber attacks last year.

The healthcare industry continued to be beleaguered by a high number of incidents, IBM said, although attackers focused on smaller targets resulting in a lower number of leaked records. In 2016, only 12 million records were compromised in healthcare, compared with nearly 100 million in 2015.

Information and communication services companies experienced the highest number of incidents and records breached in 2016, with 3.4 billion records leaked and 85 breaches.

Governments were also targeted, with 398 million records leaked and 39 breach incidents.

Partially to blame for the 566 percent year-on-year increase in leaked information was former search engine giant Yahoo, which was responsible for leaking more than 1.5 billion records alone.

Yahoo began warning some customers in mid-February that state-sponsored attackers had accessed their accounts using a sophisticated cookie-forging attack.

Yahoo disclosed the details of its first hack in September last year, pointing towards a state-sponsored actor nearly two years after the breach allegedly took place.

Approximately 500 million user accounts were affected by what was then the largest known data breach in history. Yahoo said at the time that while passwords and other information were stolen, payment and bank information remained safe.

A second breach was then revealed in December, with more than 1 billion accounts believed to have been stolen back in August 2013, a year prior to the previously disclosed attack.

In a statement, Yahoo said the hackers may have stolen names, email addresses, telephone numbers, hashed passwords, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers.

IBM X-Force documented more than 10,000 software vulnerabilities in 2016, which it said was the highest single-year number in IBM X-Force's 20-year history.

In addition, IBM said spam remained the primary tool in the attackers' toolbox, noting a fourfold increase in the volume of spam over the previous year.

44 percent of spam contained malicious attachments, while ransomware accounted for 85 percent of all malicious spam, the report showed.
