In 2014, approximately one billion records of personally identifiable information (PII) were leaked online, according to IBM X-Force.
IBM researchers say cyberattackers are more often applying creative ways and new approaches to fundamental attacks including DDoS and the use of malware in order to steal valuable information, ranging from sensitive data which can be used in identity theft to financial account details. As a result of the evolving threat landscape, 2013 saw a surge in leaked records, with approximately 800,000 stolen. However, there was a rise of 25 percent in leaked records, reaching a staggering one billion.
The majority of these records were stolen from US companies.
We saw a number of high-profile attacks taking place across the year. From JPMorgan to Target and Sony, companies have had to deal with the aftermath of cyberattacks which have resulted in the loss of customer and employee records, email and communications as well as financial data in some circumstances.
The use of digital weaponry is unlikely to slow down. Data has become a valuable commodity which can be sold individually or on the black market, and there are many black hat hackers who are happy to cash in -- or are taking on corporate networks to make a political point.
The company's quarterly report, published on Monday, claims that the use of "designer vulns" is also increasing. Going beyond CVE identifiers, designer vulnerabilities are taking tips from branded exploit kits including Sweet Orange and Blackhole, and are now being identified in memorable ways -- such as Heartbleed, Shellshock and FREAK.
IBM researchers found three distinctive themes which impact on the security landscape over 2014. A lack of care when distributing private content -- such as uploading personal or explicit photos on cloud services -- has resulted in stolen data due to weak passwords and lax policies on brute-force authentication. As an example, in late August last year, a number of celebrities' explicit photos -- uploaded to cloud services -- were leaked online due to poor password protection.
Another trend is the disclosure of critical vulnerabilities in the foundations of operating systems, open-source libraries and content management software, which has resulted in the exploitation of websites. One of the most recent cases concerning this trend was Lenovo's Superfish debacle. The Chinese PC maker bundled Superfish adware on products shipped between September 2014 and February 2015 -- and the software was able to intercept SSL and TLS website connections then use a third-party library to modify the Windows networking stack and install a new root Certificate Authority (CA), leaving the door open for exploit.
In addition, the security team says a lack of fundamental security knowledge and care is causing data breaches. End-user password use, failure to change default passwords and poor verification processes are all contributing to weak security.
The IBM X-Force team also catalogued 9,200 new security vulnerabilities affecting over 2,600 unique vendors in 2014, including roughly 1,400 Android SSL problems -- an increase of 9.8 percent year-on-year and the highest single year total in 18 years of the report's history. The team has attributed the increase to the "unusual apathy mobile app developers seem to be displaying."