More than 12,500 vulnerabilities disclosed in first half of 2021: Risk Based Security

Of the vulnerabilities disclosed in 2021, 1,425 are remotely exploitable and have a public exploit as well as a mitigating solution, while nearly 900 vulnerabilities that are remotely exploitable do not have a mitigating solution at all.

Risk Based Security has released two new reports covering data breaches and vulnerabilities in the first half of 2021, finding that there was a decline in the overall number of reported breaches but an increase in the number of vulnerabilities disclosed.

The company's data breach report found that there were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period last year. 

The number of reported breaches grew by 1.5% in the US, while 18.8 billion records were exposed year to date, a 32% decline compared to the 27.8 billion records leaked in the first half of 2020.

Inga Goddijn, executive vice president at Risk Based Security, said the methods used by attackers to monetize their efforts have diversified and, at the same time, preventable errors are outpacing hackers when it comes to the amount of data exposed.

"The amount of data compromised remains stubbornly high and with another sizable Q2 breach yet to be confirmed, it is possible that the number will climb over 19 billion in the near future," Goddijn said. 

The numbers are slightly misleading, though, the report notes, because the breach of Forex trading service FBS Markets accounts for about 85% of the records exposed through June 30th.

The researchers added that 352 data breaches involved a ransomware attack.

The number of email addresses leaked held steady at 40% of all breaches while passwords were leaked in 33% of breaches. Healthcare organizations led the way with the most breaches in 2021 so far at 238. Finance and insurance companies suffered 194 breaches while manufacturing saw 169 and educational institutions dealt with 138.  

The other report found that Risk Based Security's VulnDB® team aggregated 12,723 vulnerabilities that were disclosed during the first half of 2021.

They found that for the first half of 2021, the number of vulnerabilities disclosed grew by 2.8% compared to 2020.

"Of the vulnerabilities disclosed during the first half of 2021, 32.1% do not have a CVE ID, and an additional 7%, while having a CVE ID assigned, are in RESERVED status which means that no actionable information about the vulnerability is yet available in CVE/NVD," the report added. 

"In the first half of 2021, Risk Based Security's VulnDB team aggregated an average of 80 new vulnerabilities per day. Risk Based Security also updated an average of 200 existing vulnerability entries per day as new solution information, references, and additional metadata became available."

Of the vulnerabilities disclosed so far in 2021, 1,425 are remotely exploitable and have a public exploit as well as a mitigating solution. Nearly 900 vulnerabilities that are remotely exploitable do not have a mitigating solution at all.

One issue spotlighted by the report is the trend of organizations failing to report breaches.

The COVID-19 pandemic shifted focus away from cybersecurity, and there has now been a 24% decline in the number of publicly disclosed breaches when comparing data from the first half of 2020 to the first half of 2021.

Despite the decline in disclosed breaches, the number of sensitive files exposed continues to grow. Between January 2021 and June 2021, more than 18 billion sensitive or confidential records were exposed, the second highest ever recorded by Risk Based Security. 

Of the data lost in breaches, 61% involved the exposure of names, 38% exposed social security numbers, 25% contained addresses and 22% had financial information. 

The reports also ranked the top ten products by vulnerability disclosures in Q2 of 2021. Debian Linux led the way with 628, followed by Fedora at 584, openSUSE Leap at 526 and Ubuntu at 443.

The top ten vendors by vulnerability disclosures in Q2 2021 included Microsoft at 627, SUSE at 590, Fedora at 584, IBM at 547 and both Oracle and Google above 500. Cisco, Canonical and Red Hat rounded out the list with more than 400 vulnerability disclosures in Q2 2021.