>
Personal and employee data is a gold mine for hackers, who are now apparently more focused on getting this type of data than any other, new research finds.
A report from Imperva that analyzes 100 data breach reports published in the past 12 months says personal employee and customer data accounted for nearly half (45%) of all data stolen last year.
Cybercriminals are focused on personally identifiable information, Imperva claims, because that data can be used in identity theft (opens in new tab) and similar phase-two attacks. These, says Imperva SVP, Terry Ray, can be “hugely profitable and very hard to avoid.”
Social engineering and unsecured databases
“Credit cards and passwords can be changed once there is a breach, but when PII is stolen it can take years to be weaponized by hackers,” added Ray.
While often making headlines, source code and proprietary data theft are not as popular, accounting for only 6.7% and 5.6% respectively. The good news is that companies have gotten much better at protecting payment and password data, as leaks of this type of data have fallen by 64% year-over-year.
Usually, data breaches are the result of social engineering (17%) attacks or attacks on unsecured databases (15%). Misconfigured applications accounted for about 2% of all data breaches, but companies expect this format to play a bigger role in the future, especially given the rise of cloud-managed infrastructure, whose security configuration requires significant expertise.
To Ray, these results are somewhat surprising, given that unsecured databases and social engineering attacks are “straightforward to combat”.
“A publicly open database dramatically increases the risk of a breach and all too often they are left that way, not because of a failing security practice, but rather because of the total absence of any security posture.”
Imperva says there are six most common mistakes leading to data breaches, including lack of multi-factor authentication (MFA), limited visibility across all data repositories, poor password policies, misconfigured data infrastructures, limited vulnerability protection, and failure to learn from the past errors.