Risk Based Security released their 2020 year-end data breach report this past week, and despite an overall decline in breach events (security incidents), the number of breached records grew dramatically.

Other trends included a doubling of ransomware attacks from 2019 to 2020, and data breach severity rising.

Here are some of the highlights from the report:

“There were 3,932 publicly reported breach events at the time of this report; a 48% decline compared to 2019. As the year matures, and 2020 breaches continue to be disclosed into 2021, it is typical for the number of reported breaches to grow by 5% to 10%. In 'normal' times that would place 2020 on par with 2015 and 2016 breach years.

  • Despite 1,923 breaches (49%) without a confirmed number of records exposed, the total number of records compromised in 2020 exceeded 37 billion, a 141% increase compared to 2019 and by far the most records exposed in a single year since we have been reporting on data breach activity.
  • There were 676 breaches that included ransomware as an element of the attack, a 100% increase compared to 2019.
  • Breach severity, as measured by severity score, steadily increased throughout the year, reaching an average of 5.71 in Q4 compared to 4.75 in Q1. Severity score is a base 10 logarithmic scale, meaning that the severity of breach events increased by a factor of 10 over the course of the year.
  • Five breaches each exposed one billion or more records and another 18 breaches exposed between 100 million and 1 billion records.
  • Healthcare was the most victimized sector this year, accounting for 12.3% of reported breaches.”

For more overall data breach numbers, including multi-year trends, I recommend visiting the Identity Theft Resource Center, which also contains an abundance of helpful resources and cumulative data breach totals since 2005.  

The Identity Theft Resource Center’s total currently ends at May 2020, and their numbers are 11,762 breaches with 1,664,977,418 records exposed. Note that all of these different data breach metrics sources don’t have matching numbers, and I described some of the reasons why, along with solutions, in this piece.

Deeper Dive Into Ransomware

Another new report from Atlas VPN found that ransomware made up a whopping 81 percent of all financially motivated cyberattacks in 2020. The average cost of a breach caused by ransomware in 2020 was $4.44 million.

"In total, 63% of cyberattacks last year were financially motivated. Out of the 63% of the financially motivated assaults, 81% were ransomware attacks.

"In 2020, an average malicious attack cost victims $4.27 million per assault, while ransomware attacks cost 4% more — $4.44 million per breach.

"One of the most significant ransomware attacks in 2020 was the Garmin breach; the company reportedly lost $10 million to its hackers. Up next is CWT Global, which paid $4.5 million to cybercriminals. The third spot is occupied by Travelex, which experienced damages of $2.3 million due to a ransomware attack."

Varonis Hacking Statistics Worth Noting

I really liked this additional new report from Varonis that lists statistics and facts regarding industry trends and where things are heading in 2021. Here are a few that I’d like to highlight:  

  • The average cost of a data breach is $3.86 million as of 2020. (IBM)
  • The average time to identify a breach in 2020 was 207 days. (IBM)
  • The average life cycle of a breach was 280 days from identification to containment. (IBM)
  • Personal data was involved in 58 percent of breaches in 2020. (Verizon)
  • Security breaches have increased by 11 percent since 2018 and 67 percent since 2014. (Accenture)
  • Sixty-four percent of Americans have never checked to see if they were affected by a data breach. (Varonis)
  • Fifty-six percent of Americans don’t know what steps to take in the event of a data breach. (Varonis)

SolarWinds Shapes Near-Term Future for Government

There are numerous stories surrounding the SolarWinds programs that were hacked to infiltrate at least 18,000 government and private networks. The New York Times wrote: “At a minimum it has set off alarms about the vulnerability of government and private sector networks in the United States to attack and raised questions about how and why the nation’s cyberdefenses failed so spectacularly.”

A few weeks after the incident was announced, ZDNet proclaimed "the more we learn, the worse it looks":

“For decades, one of proprietary software's stupid assumptions is that 'security by obscurity' works. While it can help — no, really it can if used intelligently — that's not the case with proprietary code. Even with the best will in the world, I doubt that Microsoft has really undertaken the hard security code review needed to lock down its proprietary code. The almost weekly revelations of new Microsoft security holes and mishaps don't make me feel warm and fuzzy about the security of its software.”

This excellent webinar from SANS goes into detail on the SolarWinds hack and what you need to know:

So what is coming next for the new Biden administration and a coordinated response to these cyberchallenges? Books could (and will) be written on this topic, but this article from c4isrnet.com does a great job of laying the basic groundwork for that approach, focusing on better attribution and communication:

“Sen. Jack Reed, D-R.I., who sits on both SASC and SSCI, called the breach 'the greatest cyber intrusion in the history, I think, perhaps, of the world' and said that the stove-piped nature of the U.S. national security apparatus needed to be addressed. Reed said one challenge for Haines will be developing a 'more coherent, cohesive, integrated approach' to dealing with cybersecurity threats, particularly from advanced nation-state actors.

“Under questioning from senators, Haines said the SolarWinds supply chain hack was a 'grave threat,' and the government needs to improve its defenses against such attacks, though she noted that she hasn’t received a classified briefing on the intrusion. In 2019, a report from ODNI warned of growing software supply chain hacks that provide an 'efficient way to bypass traditional defenses and compromise a large number of computers.'”

Final Thoughts

Both my 2020 year-end review and "Top 21 Security Predictions for 2021" offer much more on this ongoing data breach theme and dive into specific ways that the public and private sectors need to prepare for cyberthreats and upcoming security incidents in the new year.

All of the security industry vendors continue to predict many more impactful data breaches with the move to working from home, as well as more fallout from the SolarWinds breach and ongoing ransomware incidents across both government and the private sector. In fact, most experts believe that 2021 will continue the data breach trends begun in 2020 — and even the longer-term breach trends going back to 2005.

Government Technology is a sister site to Governing. Both are divisions of e.Republic. Governing's opinion columns reflect the views of their authors and not necessarily those of Governing editors or management.