报告的数据泄露程度在2020年上半年有所下降

2019年，数据泄露猖獗，发生速度之快前所未有。不过，今年上半年，报案事件有所减少。报告是最重要的词。

根据网络安全公司NortonLifeLock的数据，在2019年前6个月，在3800次公开披露的违规事件中，超过40亿条记录被曝光。

公开报告的数据泄露是指州法律要求并由政府官员报告的事件；属于公共监管文件（如SEC文件）的一部分；在公司网站、社交媒体、新闻稿或违规通知信中列出的数据泄露，或在经认可的媒体出版物上发布，或由公认的网络安全研究人员或公司披露的信息，身份盗窃资源中心（ITRC）的首席运营官詹姆斯•E•李解释道。

该中心是一个非盈利组织，旨在支持身份盗窃受害者解决案件，教育公众，使其意识到身份盗窃和相关问题，如数据泄露、网络安全、诈骗、欺诈和隐私问题。

2019年的违规行为包括：

•银行控股公司Capital One，3月：1.06亿记录；

•社会规划网站Evite，8月：1亿条记录；以及

•美国医疗收集机构：超过2000万份记录被破坏，导致该公司申请破产。

在整个2019日历年度，总共有超过150亿条记录暴露在近7100个数据泄露中。

2020年违规行为减少

然而，今年公开报告的数据泄露数量有所下降。

Malwarebytes实验室主任Adam Kujawa告诉TechNewsWorld：“在这段时间里，我们看到许多通常会造成各种破坏的威胁行为体的活动减少。”。Malwarebytes实验室是反恶意软件公司Malwarebytes的情报部门。

ITRC说，1月至6月数据泄露的数量同比下降了33%。

在此期间，略多于1.63亿人受到违规行为的影响，比2019年1月至6月减少66%。

基于风险的安全部门表示，今年上半年公开报告的违规行为降至五年来的最低点，但仍显示总数为2037起。报告说，在这段时间里，有超过270亿条记录被曝光，比整个2019年曝光的记录多出120亿条。

那么什么给予？为什么数字上有这么大的差异？

ITRC的Lee告诉TechNewsWorld，方法上的差异。基于风险的安全包括来自美国境外的信息，而ITRC的数据仅基于美国境内的事件。

另外，作为一个为身份犯罪或身份泄露受害者提供免费服务的国家非营利组织，“我们的重点是受影响的人数，而不是暴露的记录数量，”李指出。

“在大规模数据泄露或暴露中，每个人都有多个记录，这意味着暴露的记录数量几乎总是比受影响的人数高一个数量级，”他说人与记录之间没有一一对应的关系。”

报告与现实的差距

无论采用何种方法，都很难全面了解数据泄露所带来的威胁，因为并非所有的漏洞都被计算在内。

ITRC和基于风险的安全性都只计算公开披露的数据库。

ITRC的Lee说：“可以肯定的是，实际发生的数据泄露总数与公开报道的数据有差距”。

此外，他指出，每个事件的报道较少，一些消息来源的报道也有所延误。”显然，披露的信息较少。”

李开复解释说，美国每个州“对什么是可报告的都有一个独特的定义”。在州和联邦两级都有各种各样的法规来管理安全或数据泄露何时可报告，因此“几乎不可能预测报告的事件与未报告或少报的数据泄露之间的差距有多大。”

Malwarebytes Labs的Kujawa建议说，有些组织可能会犹豫是否报告违规行为，因为他们担心这会损害他们的声誉或使他们成为未来攻击的目标。

Kujawa说，报告也可能会延迟，因为“我确信有数千家公司几个月来都没有意识到已经发生的违规事件。”。有时，新的公司客户在与恶意软件用户签约后，会对他们的网络进行大规模扫描，发现一些检测结果在发生后很快就会出现一个巨大的峰值，“因此，我们必须修改自己的统计数据，以删除这些异常值，否则我们就无法了解全部情况。”

Kujawa指出，由于流感大流行，人们开始在家工作，而且缺乏处理数据泄露的流程，这可能也减缓了数据泄露的报告速度。

网络罪犯变换策略

据ITRC的Lee称，报告延迟是公开报告的数据泄露数量减少的一个可能原因；另一个可能是网络犯罪分子现在集中精力利用以前泄露的数据，而不是外出获取更多数据。

Lee说：“导致失业欺诈的凭证填充攻击显著增加——据劳工部统计，高达260亿美元；数据驱动的网络钓鱼攻击，以及数据未被过滤的勒索软件攻击，表明今年以来消费与购买的比率有利于消费。”。

Malwarebytes发现，使用COVID-19作为包含商业恶意软件（如AveMaria和后门.NetwiredRC.

这些是远程访问特洛伊木马（RAT）程序，让黑客在未经授权的情况下访问受害者的PC，以监视用户行为、更改计算机设置、浏览和复制文件，并利用PC的互联网访问进行犯罪活动。AveMaria的目标是大型企业后门.NetwiredRC面向中小型企业。

其他网络钓鱼攻击隐藏在消息中，包括假银行提醒、包裹递送通知和易趣出价。

网络安全公司Agari今年7月报告称，俄罗斯一个被称为“宇宙山猫”的犯罪组织的目标是大型跨国组织的高级管理人员，主要是《财富》500强或全球2000强公司。

这些犯罪分子向目标受害者发送了一封来自他们公司CEO的伪造信件，指示他们与外部法律顾问合作，协调完成收购另一家公司所需的款项。然后，他们从一家英国公司的真实律师那里发出一封伪造的信，说明如何付款，这些钱被汇到宇宙山猫控制的骡子账户。

宇宙山猫要求平均支付约130万美元，相比之下，大多数其他商业电子邮件泄露（BEC）攻击者要求的5.5万美元

喘息还是模式？

最引人注目的网络钓鱼攻击之一是7月份的Twitter漏洞攻击，黑客获得了Twitter内部软件工具的访问权限，并接管了奥巴马总统、特斯拉首席执行官埃隆·马斯克、微软联合创始人比尔·盖茨、总统候选人、前副总裁乔·拜登的账户，以及苹果、彭博社的企业账户，还有Square的CashApp。

45名受害者的账户发出推文，宣传比特币诈骗，获得383笔交易，价值约11.7万美元。三人因与Twitter黑客攻击有关而被起诉，其中包括据称的“主谋”，他是佛罗里达州坦帕市的一名17岁少年。

ITRC的Lee指出，数据泄露统计数据的下降可能是暂时的在某个时候，数据窃贼会回到一个更传统的模式，”他预测道。

原文题：Reported Data Breaches Decline in H1 2020

原文：Data breaches were rampant in 2019, occurring at an unprecedented pace. However, the first half of this year has seen a reduction in the number of reported events. Reported being the operative word.

In the first six months of 2019, more than four billion records were exposed in 3,800 publicly disclosed breaches, according to cybersecurity firm NortonLifeLock.

A publicly reported data breach is one required by state law and reported by a government official; part of a public regulatory filing such as an SEC filing; listed on a company website, social media, news release or breach notice letter or published in an accredited media publication, or disclosed by a recognized cybersecurity researcher or firm, explained James E. Lee, Chief Operating Officer at the Identity Theft Resource Center (ITRC).

The Center is a non-profit organization established to support identity theft victims in resolving their cases and to educate the public and make it aware of identity theft and associated issues such as data breaches, cyber security, scams, fraud and privacy issues.

Breaches in 2019 included:

• Bank holding company Capital One, in March: 106 million records;
• Social-planning website Evite, in August: 100 million records; and
• American Medical Collection Agency: more than 20 million records breached, which led to the firm's filing for bankruptcy.

In all, more than 15 billion records were exposed in nearly 7,100 data breaches throughout calendar 2019.

Breaches Subside in 2020

This year however, the number of publicly reported data breaches has fallen.

"During this period, we saw less activity from many threat actors who would normally be making all kinds of havoc," Adam Kujawa, director of Malwarebytes Labs, told TechNewsWorld. Malwarebytes Labs is the intelligence arm of antimalware software firm Malwarebytes.

The ITRC says the number of data breaches between January and June fell by 33 percent year over year.

During that period, a little more than 163 million individuals were affected by breaches -- 66 percent less than in January to June 2019.

Risk Based Security says publicly reported breaches in the first half of this year fell to a five-year low, but still showed a total of 2,037. It said more than 27 billion records were exposed during that period -- 12 billion more than were exposed throughout the whole of 2019.

So what gives? Why this huge discrepancy in the numbers?

Differences in methodology, ITRC's Lee told TechNewsWorld. Risk Based Security includes information from outside the United States, while the ITRC's data is based only on events in the U.S.

Also, as a national non-profit that provides free services to victims of identity crimes or compromises, "our focus is on the number of people impacted, not the number of records exposed," Lee noted.

"In mass data breaches or exposures there are multiple records per person, which always means the number of records exposed will almost always be an order of magnitude higher than the number of people impacted," he said. "There is no one-to-one correlation between people and records."

The Reported vs. Reality Gap

Whatever methodology is used, getting the full picture of the threat from data breaches will be difficult because not all breaches are counted.

Both the ITRC and Risk Based Security count only publicly disclosed databases.

"It's safe to assume there's a gap" between the total number of data breaches that have actually occurred and what's publicly reported, ITRC's Lee said.

Further, there is less coverage per event, and delayed reporting from some sources, he pointed out. "Clearly, there is less information being disclosed."

Each state in the U.S. has "a unique definition of what is reportable," Lee explained. There's a variety of regulations at both the state and federal levels governing when a security or data breach is reportable, so "it's virtually impossible to project how large the gap is between reported events and unreported or under-reported data compromises."

Some organizations may hesitate to report breaches because they're afraid this will damage their reputation or make them a target for future attacks, Malwarebytes Labs' Kujawa suggested.

There may also be a delay in reporting because "I'm sure there are thousands of breaches that companies don't even realize have happened for a few months," said Kujawa. Sometimes new corporate customers run a massive scan on their network after signing up with Malwarebytes and find a huge spike in some detections well after they had occurred, "so we have to modify our own stats to remove these outliers or we aren't getting the whole story."

The move toward working from home as a result of the pandemic, and a lack of processes for dealing with a breach, may also have slowed the reporting of data breaches, Kujawa noted.

Cybercriminals Switch Tactics

Delays in reporting are one possible reason for the reduction in the number of data breaches publicly reported; another could be that cybercriminals are now focused on leveraging the data stolen in previous breaches rather than going out and getting some more, according to ITRC's Lee.

"The significant rise in credential stuffing attacks driving unemployment fraud -- as much as US$26 billion according to the Department of Labor; data-driven phishing attacks, and ransomware attacks where data is not exfiltrated demonstrate the consumption-to-acquisition ratio has favored consumption so far this year," Lee observed.

Malwarebytes found a surge in phishing emails using COVID-19 as a cover for malicious activity that contains commercial malware such as AveMaria and Backdoor.NetwiredRC.

These are Remote Access Trojans (RAT) programs that let a hacker gain unauthorized access to a victim's PC to monitor user behavior, change computer settings, browse and copy files and use the PC's Internet access for criminal activity. AveMaria targets large enterprises, while Backdoor.NetwiredRC is aimed at SMBs.

Other phishing attacks are hidden in messaging, including fake bank alerts, package delivery notifications, and eBay bids.

Cybersecurity firm Agari reported in July that a Russian criminal organization it calls "Cosmic Lynx" targets senior-level executives at large multinational organizations, mainly Fortune 500 or Global 2000 companies.

The criminals send targeted victims a faked letter from their company's CEO instructing them to work with external legal counsel to coordinate payments needed to close the acquisition of another company. Then they send a faked letter from a real lawyer at a UK-based firm giving instructions about how to make the payments, which are funneled to mule accounts that Cosmic Lynx controls.

Cosmic Lynx asks for an average payment of about $1.3 million compared to the $55,000 most other business email compromise (BEC) attackers demand

Respite or Pattern?

One of the most high-profile phishing attacks was the Twitter breach in July, where hackers gained access to Twitter's internal software tools and took over the accounts of President Obama, Tesla CEO Elon Musk, Microsoft co-founder Bill Gates, and presidential candidate and former VP Joe Biden, as well as corporate accounts for Apple, Bloomberg, and Square's CashApp.

Tweets were sent from the accounts of 45 victims to promote a Bitcoin scam that garnered 383 transactions worth about $117,000. Three people have been charged in connection with the Twitter hack, including the alleged "mastermind" who is a 17-year-old in Tampa, Fla.

The dip in data breach statistics may be a temporary condition, ITRC's Lee noted. "At some point, data thieves will return to a more traditional pattern," he predicted.

作者：Richard Adhikari

原文网站：https://www.technewsworld.com/story/86832.html