There’s no year that goes by without hearing about a major cyberattack that wreaks havoc on society. Turning-point events in cybersecurity have changed the way we approach online security today. It’s important for us to take a step back and look at past security events, so we can see the bigger picture and better understand how they’ve shaped our (digital) lives.
Ransomware and data breaches were in the headlines very often throughout recent years, and the current state of cybersecurity doesn’t look any brighter, as the volume of attacks is expected to escalate in 2019.
With technology evolving at an exponential rate, there has also been a rise in cybercrime, and the global damage it causes is projected to cost the world about $6 billion annually by 2021, up from $3 billion in 2015.
Cybersecurity is attracting more and more attention, and its impact on companies and regular users worldwide is best reflected in the numbers.
With this in mind, let’s dive into some security stats and figures about cybersecurity over the past five years and discover:
- Ransomware attacks (2014-2019)
- More infosec events that made the cybersecurity industry more visible over the past years
- Data breaches happening between 2014 and 2019
- The cost of cybercrime: key statistics
Ransomware attacks (2014-2019)
Some of the most impactful ransomware attacks of this period, which caused massive financial loss and business disruption across the globe, were:
2014 – One security event that marked this year was the presence of Zeus Gameover, one of the most dangerous pieces of financial and data-stealing malware. It is estimated that about 1.2 million computers worldwide were infected before the takedown operation succeeded.
This year also saw a rise in CryptoLocker ransomware variants, like Cryptowall, CryptoLocker V2, Cryptodefense and Zerolocker, which were focused on stealing money from victims.
2015 – TeslaCrypt was a notable ransomware variant which appeared in early 2015 and encrypted various file extensions associated with popular online games like Call of Duty, Minecraft and World of Warcraft. It spread via the Angler exploit kit, and the attackers behind it demanded that victims pay a specific ransom in Bitcoin.
2016 was mostly marked by the presence of two forms of ransomware, Locky and Cerber. The virulent Locky was spread widely through millions of spam email campaigns sent across the globe.
After hitting the Hollywood Presbyterian Medical Center in Los Angeles hard (the hospital paid $17,000 in Bitcoin to cybercriminals to get its files back), Locky also targeted sectors like education, retail, and manufacturing.
The ransomware epidemic in 2016 continued with the Cerber ransomware-as-a-service operation, which achieved wide distribution by running around 161 active campaigns and infecting approximately 150,000 users globally. Check Point researchers found that the attackers behind Cerber earned revenue of $2.3 million per year.
2017 – Without any doubt, the impact of the WannaCry and NotPetya ransomware attacks made it “the year of ransomware”. The cybercriminals behind WannaCry used the EternalBlue exploit, one of the hacking tools leaked from the NSA, to spread the malware and impact more than 300,000 Windows machines and over 200,000 victims. To unlock their encrypted files, victims were asked to pay between $300 and $600 in ransom.
The National Health Service (NHS) in the UK was hit hard by WannaCry, with an estimated £19m of lost output and 19,000 appointments and operations canceled (Department of Health and Social Care).
Weeks after the WannaCry outbreak, NotPetya struck in June 2017, also propagating via the EternalBlue exploit to hit large organizations around the world. The malware significantly affected the shipping giant Maersk, which lost between $250 million and $300 million.
FedEx, another large company, reported an estimated $300 million financial loss caused by the NotPetya ransomware.
In total, NotPetya cost organizations $1.2 billion in revenue (Cybereason).
2018 – Last year, the authors of the SamSam ransomware exploited vulnerabilities in Remote Desktop Protocol (RDP), web servers or FTP servers to gain access to victims’ computers, focusing on targeted attacks.
The city of Atlanta was a victim of this outbreak and spent $2.6 million to recover the services and data held hostage by cybercriminals who asked for $51,000.
The group behind SamSam was also linked to the cyberattack suffered by the Colorado Department of Transportation, which saw its operations shut down and spent up to $1.5 million on recovery.
SamSam targeted organizations from different sectors, but healthcare was by far the most affected, accounting for 24 percent of attacks in 2018.
GandCrab was the most prevalent ransomware attack in the first months of 2018 and “continued to harm unprepared businesses”, according to the Secureworks State of Cybercrime Report 2018.
Security researchers estimated that in more than one year of operation, GandCrab impacted over 1.5 million victims worldwide and its authors gained more than $2 billion from victims.
2019 – The first months of this year brought new ransomware victims. The Baltimore city government fell victim to ransomware in May, and the attackers asked for 13 Bitcoins (about $76,280) to unlock its systems. One month later, officials disclosed the financial damage: $10 million in recovery and forensic expenses, and approximately $8 million in lost revenue.
A Florida city was also hit by a ransomware attack and decided to pay the ransom of 65 Bitcoin (worth around $600,000) demanded by the attackers to get its encrypted data back.
A major electricity supplier in Johannesburg was recently impacted by ransomware and saw its databases, apps, and networks encrypted, which led to its IT systems being shut down.
More infosec events that made the cybersecurity industry more visible over the past years
Here is a look back at some significant infosec numbers and statistics that show how cybersecurity has been in the spotlight over the past years, and how it has impacted other industries as well:
- There will be a ransomware attack every 14 seconds by the end of 2019 and every 11 seconds by 2021 (Cybersecurity Ventures)
- It is estimated that the total damages of ransomware attacks have cost the world more than $8 billion in 2018 (Cybersecurity Ventures)
- Mobile ransomware attacks saw an increase in volume by 33% in 2018 (2019 Internet Security Threat Report by Symantec)
- Regarding the distribution method, 65% of the ransomware attacks were sent via email (ENISA Threat Landscape Report 2018)
- In 2015, ransomware victims paid over $24 million (across nearly 2.500 cases reported to the FBI’s Internet Complaint Center) to ransomware authors (Business Insider)
- In 2017, the FBI estimated that the number of ransom payments was almost reaching $1 billion annually (The US Department of Justice)
- The top industries hit by a ransomware attack (15% of them) were: education, IT/telecom, government, financial services, transport, healthcare. (ENISA Threat Landscape Report 2018)
- Banking malware, one of the most popular malware types, saw a significant rise of more than 50% in the first half of 2019 compared to 2018 (Check Point’s Cyber Attack Trends: 2019 Mid-Year Report)
- Cryptojacking attacks declined in 2018, down by 52 percent from the previous year. Ransomware also declined, down 20 percent overall, but was up 12 percent for enterprises (2019 Internet Security Threat Report by Symantec)
- The financial impact of breaches on companies in the UK reached a staggering average annual cost of £4,180 in 2019, double the £2,450 of 2017 (2019 UK Cybersecurity Breaches Survey)
Data breaches happening between 2014 and 2019
We can’t talk about data privacy and security without mentioning Edward Snowden, the whistleblower who, back in 2013, leaked classified NSA documents containing details about US government surveillance of US citizens.
Snowden’s main motivation behind this disclosure was tied to his strong belief in the power of a free Internet and a mission to educate people on how to secure their own privacy. Guided by these values, he also created an app called Haven, in collaboration with the Guardian Project and the Freedom of the Press Foundation, to increase awareness amongst regular users.
Snowden’s strong argument on the topic of privacy speaks to his beliefs:
Privacy is baked into our language, our core concepts of government and self in every way. It’s why we call it ‘private property.’ Without privacy you don’t have anything for yourself
Snowden’s revelations in 2013 opened a new chapter for digital privacy, leading to major changes during the following years. We will continue to feel their impact for a long time.
Nowadays, data breaches and leaks impact everyone, every day. They even rank as the fourth most important global risk, alongside natural disasters and climate change, as reported by the World Economic Forum.
They affect not only users, who see their sensitive data exposed on the web, but also companies, which can lose customers’ confidence and trust in the brand.
Let’s take a look back at the most relevant data breaches over the past 5 years and see how they’ve impacted both home users and companies around the world.
2014 was marked by a historic data breach in which eBay had the accounts of 145 million users compromised, exposing names, addresses, dates of birth and encrypted passwords. Shortly after this incident, the company reduced its annual revenue target by $200.
The same year, two more companies were hacked. The JP Morgan Chase breach impacted approximately 76 million households and small businesses, at a company that spends $250 million on security every year, according to the SANS Institute.
Home Depot had 56 million customer cards compromised in a breach estimated to cost approximately $62 million.
2015 brought details about new data leaks. Anthem, a US health insurer, was hit by hackers and exposed up to 80 million records of US citizens. The company agreed to pay the US government a record $16 million HIPAA settlement.
In July 2015, the online cheating site Ashley Madison was breached and the personal details of 37 million users, along with the company’s sensitive internal data, were stolen. Securus Technologies, a phone maker, exposed 70 million records of phone calls, plus links to recordings.
In 2016, Uber faced a data breach that affected about 57 million customers, including both riders and drivers. Instead of reporting the leak, the company chose to keep it quiet and paid $100,000 to the hackers.
Another massive data breach targeted the adult dating company Friend Finder Networks, which saw more than 412 million accounts exposed online, 39 million of them from AdultFriendFinder.com alone.
In an official blog announcement, the social network Myspace revealed that it was the victim of a data breach which impacted close to 360 million accounts. The author of the Myspace breach was also behind the major hack suffered by LinkedIn, where 117 million LinkedIn emails and passwords were exposed on a dark web marketplace.
2017 kept us on alert as well, with new data breaches being revealed. Without any doubt, the best-known hack of this year was the one suffered by Equifax. The company exposed sensitive information relating to 143 million American consumers and announced that the cost of the incident was estimated at $1.4 billion, plus legal fees. The CEO’s apology video was ranked number one on the list of worst apologies of 2017.
In July 2017, ZDNet reported that at least 14 million Verizon subscriber records (including phone numbers and account PINs) were leaked. In the same period, sensitive data about more than 198 million US voters was accidentally leaked on the Internet by the data analytics firm contracted by the Republican National Committee (RNC).
Deloitte fell victim to a hack that compromised a server containing the emails of its top 350 clients, including four US government departments and the United Nations.
We will surely remember 2018 as the year of Facebook, not only because of the complex Facebook and Cambridge Analytica political scandal, but also for its security breach, initially reported as affecting almost 50 million users’ data (the number was later scaled back to nearly 30 million users). Over the Cambridge Analytica data scandal, Facebook must pay a $5 billion fine, following the US Federal Trade Commission (FTC) decision.
The MyFitnessPal app also disclosed being the victim of a data breach in 2018 that compromised sensitive data from around 144.000 accounts. Let’s not forget Twitter’s security glitch, with about 32.8 million users’ credentials offered for sale on the dark web.
Google was another big victim in 2018, disclosing a data leak which potentially impacted up to 500,000 accounts. The company also announced the shutdown of its Google+ service. Quora.com also admitted to having suffered a data breach that affected more than 100.000 registered users.
One of the latest victims of the year was Marriott hotels, which stated that “a breach of its Starwood guest reservation database exposed the personal information of up to 500 million people.” With GDPR having come into effect in May 2018, the company is set to face a large penalty of over $123 million. It has been reported that Equifax is also expected to pay a fine of around $650 million for its data breach.
The first months of 2019 also brought new data breaches to light. An alarming breach this year was the one involving the Australian tech company Canva, which officially announced that hackers “accessed information from their profile database for up to 139 million users”.
Security researchers found two Amazon cloud servers holding Facebook data, with over 540 million records apparently leaked.
The Georgia Institute of Technology said it found a vulnerability in a web app which allowed malicious actors to access the information of approximately 1.3 million users.
Toyota was another victim of a recent security breach in Japan that might have impacted the personal data of about 3.1 million customers.
Stack Overflow also confirmed a security breach, but no customer data seemed to be exposed.
More data breach statistics and facts we should reflect on to become more aware of the importance of protecting our data
- In 2018, 1,244 data breaches in the US exposed 446.52 million records, a significant increase from 2014, when only 783 breaches were recorded (Statista)
- 70% of US healthcare organizations surveyed said they’ve experienced a data breach in the past (2019 Thales Data Threat Report)
- 89 percent of data breaches in 2015 had a financial or espionage motive (Verizon’s 2016 Data Breach Investigations Report)
- Social media platforms accounted for a high share of data breaches (56%), with Facebook having 2.2 million records compromised and Twitter 336 million records (2018 ENISA Threat Landscape Report)
- Data breaches compromised 4,500 million records in the first half of 2018 (ENISA Threat Landscape Report)
- The global average cost of a data breach was estimated at $3.62 million in 2017, compared to $3.79 million in 2015 and $4.00 million in 2016 (2017 Ponemon Institute)
- 43% of data breach victims were small businesses, and 33% of breaches involved social engineering attacks (Verizon 2019 Data Breach Investigations Report)
- 27% of organizations were breached as a result of unpatched vulnerabilities (Verizon 2019 Data Breach Investigations Report)
The cost of cybercrime: key statistics
When we talk about the financial costs of cybercrime, which causes unprecedented damage to individuals and companies alike, the implications are more far-reaching than we can know or even imagine.
But it’s important to have a look at the worrying numbers below and understand the risks, so we can adopt a proactive approach to better secure our data and digital assets.
- Cybercrime might be a relatively new business, but it already generates at least $1.5 trillion in revenue every year (Bromium, Into the Web of Profit, 2018)
- The cost of data breaches will increase up to $2.1 trillion globally by 2019 (Juniper Research)
- The financial cost of a single successful cyberattack was estimated at around $1.1 million, a 52% increase from the previous year (Trust Factor by Radware, 2018-2019)
- Other staggering cybercrime costs to focus on: “A zero-day Adobe exploit can cost $30,000 / A zero-day iOS exploit can cost up to $250,000. Malware exploit kits cost $200-$600 per exploit. Blackhole exploit kits cost $700 for a month’s leasing or $1,500 for a year. Custom spyware costs $200.” (Bromium, Into the Web of Profit, 2018)
- “Individual hackers may earn around $30,000 for one or several jobs. Individual earnings from cybercrime are now, on average, 10-15% higher than most traditional crimes. High-earning cybercriminals can make $166,000+ per month” (Bromium, Into the Web of Profit, 2018)
If you want to dig deeper into more cybercrime numbers and stats and understand the real implications of the online criminal landscape, we recommend checking out this up-to-date list of cybercrime and cybersecurity statistics (2019 edition).
After going through all these staggering numbers and stats about cybersecurity, we can’t help asking ourselves how the cybersecurity landscape will look ten years from now if we don’t take action right NOW and apply basic security measures to stay safe online.
Cybersecurity starts with you and me. It’s a collaborative effort and, yes, it comes with responsibilities we have as humans to join forces and contribute to a safer and better world, both online and off.