
Government and health care sectors had most breaches in 2018

Topping the data breach list last year was the government, including federal, state and local computer systems. Government breaches take, on average, 2.5 times longer to detect than in the private sector, a new report from Verizon found. (iStock)

Government computer systems — federal, state and local — suffered the most data breaches last year, driven most likely by foreign adversaries conducting espionage operations, according to Verizon’s latest annual report on cyberattacks.

In the private sector, health care, financial services and small-to-midsized accounting, tax and law firms suffered the largest number of breaches, according to the 12th edition of Verizon’s annual Data Breach Investigations Report, released last month.

Out of 23,399 cyberattack incidents in 2018 reported by federal, state and local governments, 330 were confirmed data breaches, Verizon said. Of those breaches, about two-thirds can be attributed to cyber espionage carried out by foreign governments, the report said.

Verizon estimates whether a breach is the result of foreign government espionage by examining details of the timeline of an attack, the nature of the attack and the words used by government agencies to describe the attack, said Bryan Sartin, executive director of global security services at Verizon.

“There’s a distinct science behind whether an attack was carried out for financial motives or to cause disruption,” Sartin said. “In public sector breaches we do see that the semantic footprint suggests an espionage type attack” in a majority of cases.

It’s likely that espionage-related data breaches in government entities are even larger than Verizon estimates because such breaches are not easily detected, Sartin said.

Data breaches in government entities take, on average, 2.5 times longer to detect than in the private sector, the report found.

That’s because, unlike a financially motivated cyberattack, where for example a third-party vendor or a bank account holder incurs a loss stemming from the breach and alerts a financial institution, a successful breach by a foreign adversary doesn’t trigger such an alert.

Even when such espionage-led breaches stemming from a spear-phishing attack, for example, are found, governments often focus on recovering and rebuilding their computer networks and tend to overlook the “holistic footprint” of who else in an agency might have fallen victim to the same phishing attack, Sartin said.

That delay allows an attacker to switch to other ways of entering computer systems and create new paths of attack, Sartin said.

A spear-phishing attack typically arrives as an email crafted to get its recipient to reveal personal information or passwords.

To produce the report, Verizon examined 101,168 reported incidents by government and private entities during the period of Nov. 1, 2017 to Oct. 31, 2018. And because the number and types of companies contributing incident data vary from year to year, “we are not always researching the same fish in the same barrel,” the report said.

The report found 41,686 cyberattack incidents during the period that resulted in 2,013 confirmed breaches.

The health care sector suffered 466 incidents of cyberattacks and 304 instances of confirmed data breach, Verizon found.

A majority of those incidents and breaches stemmed from “internal actors” or health care employees misusing their user privileges to access databases they should not be accessing, Verizon said in its report.

“Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern” for this industry, Verizon said in the report.
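The access-monitoring concern Verizon raises can be turned into a concrete detection rule. The following is an added illustration, not code from Verizon or the report: it runs over a constructed, hypothetical EHR audit log and flags two things, a user viewing a patient record without any care-team or billing relationship, and a user who browses several unrelated records in one day (the CARE_TEAM mapping, log format and BULK_THRESHOLD are all assumptions).

```python
"""Flag EHR record accesses that lack a care relationship or look like bulk browsing."""
from collections import defaultdict

# Constructed sample audit log (hypothetical format): timestamp,user,role,patient_id,action
AUDIT_LOG = """\
2018-06-01T09:02:11,nurse_a,nurse,P1001,view
2018-06-01T09:05:40,nurse_a,nurse,P1002,view
2018-06-01T09:20:03,clerk_b,billing,P1001,view
2018-06-01T09:21:15,clerk_b,billing,P2001,view
2018-06-01T09:21:48,clerk_b,billing,P2002,view
2018-06-01T09:22:05,clerk_b,billing,P2003,view
2018-06-01T09:22:30,clerk_b,billing,P2004,view
2018-06-01T10:10:00,dr_c,physician,P3001,view
"""

# Constructed care-team assignments: patient -> users with a treatment or billing reason to view
CARE_TEAM = {
    "P1001": {"nurse_a", "clerk_b"},
    "P1002": {"nurse_a"},
    "P3001": {"dr_c"},
}

BULK_THRESHOLD = 4  # assumed: distinct unrelated patients per user per day that counts as browsing


def parse_log(text):
    """Parse the CSV-style audit lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        rows.append({"ts": ts, "user": user, "role": role, "patient": patient, "action": action})
    return rows


def flag_accesses(rows, care_team=CARE_TEAM, bulk_threshold=BULK_THRESHOLD):
    """Return one finding per access with no care relationship, plus one per user over the bulk threshold."""
    findings = []
    unrelated = defaultdict(set)  # user -> patients viewed without a documented relationship
    for r in rows:
        if r["user"] not in care_team.get(r["patient"], set()):
            unrelated[r["user"]].add(r["patient"])
            findings.append({"type": "no_care_relationship", "user": r["user"],
                             "patient": r["patient"], "ts": r["ts"]})
    for user, patients in unrelated.items():
        if len(patients) >= bulk_threshold:
            findings.append({"type": "bulk_browsing", "user": user, "count": len(patients)})
    return findings


if __name__ == "__main__":
    for finding in flag_accesses(parse_log(AUDIT_LOG)):
        print(finding)
```

In the sample, only clerk_b produces findings: four record views with no relationship and one bulk-browsing alert, while the nurse and physician accesses pass.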

Health care companies also are required by law to report all instances of a ransomware attack as a breach even if there’s no confirmed data loss, Verizon said.

That reporting requirement has led top executives and board members of health care companies to conduct tabletop cyber wargames to prepare plans for responding to a ransomware attack, which typically involves an attacker encrypting a victim’s data and demanding payment through bitcoin to unlock the information.

Though most health care companies say they don’t pay ransoms, Verizon encourages health care companies, as part of their preparation, to identify a trustworthy vendor that can pay a ransom in bitcoin, Sartin said.

Verizon has found that even when a ransom is paid, the attack is not entirely alleviated and data is fully recovered only in 50 percent of the cases, Sartin said.

In the financial services industry, physical attacks against ATMs have been steadily declining since 2010, Verizon found.

There’s also an overall decline in payment-card breaches, likely driven by two factors, Sartin said.

The introduction of PINs and chips in U.S. debit cards — a model widely used in Europe for the past decade — in the last few years has led to a reduction in payment data breaches, Verizon found.

And the proliferation of dark websites where stolen card information is resold is likely contributing to a decline in card thefts because the business is becoming less lucrative, Sartin said.

Still, the financial industry suffered 927 cyberattack incidents and had 207 confirmed data breach incidents, according to the report.

Also part of a new trend is that as large, publicly traded corporations step up measures to safeguard their networks, attackers are turning to small and midsize firms as a way to get to the larger targets, Sartin said.

Out of the 634 data breach incidents identified according to the size of the victim organization, 271, or 42 percent, were small and medium organizations, Verizon found.

The attacks on small and medium entities that include accounting, tax and law firms are “alarming,” Sartin said.

The goal of the attackers in targeting such smaller professional services firms is likely to gain access to credentials or data that can then be used to attack the larger clients of those service providers, Sartin said.

“Tax and law firms may not have a large cache of data that can be resold, but there’s tax information, personal-level data, and other information that can be used to create a spear-phishing campaign,” Sartin said.

“It’s a good treasure trove and sets the stage for other attacks,” he said.
