1 Billion Affected by Data Breaches in 2014, Says IBM

Over a billion people were affected by data breaches in 2014, an all-time high, according to a blog post from IBM’s X-Force threat detection network.

“If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of internet security, you wouldn’t be the only one,” wrote IBM’s Leslie Horacek, X-Force threat response manager.

“We witnessed…attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.”

The quarterly report, published on Monday, also logged more than 9,200 new security vulnerabilities affecting more than 2,600 unique vendors in 2014 – the highest single yearly total in the 18 years of the report’s history.

The jaw-dropping figure represents about a 25 percent jump from the same time the year before, with around 800 million records of personal identifying information (PII) being put at risk in 2013.

Horacek was sure to make the distinction that not every PII might belong to a single individual, however even with that small bit aside, the results of this year’s report are still staggering.


Photo: IBM Security Intelligence

The reason for this drastic rise in such a short amount of time, according to IBM, is the plague of unpatched vulnerabilities like Heartbleed and Shellshock.

On their own, these two exploits represented about 15 percent of the total reported breach targets, far outstripping any other malware campaigns that have popped up in the past decade alone.

Other contributors include poor arbitration of problems found on Android by the US-CERT department, as well as what IBM refers to as developer “apathy”, wherein security and privacy often take a backseat to including as many features as possible in a new app or desktop program.

“The [Tapioca] effort has (so far) produced literally thousands of disclosures of individual applications vulnerable to MitM attacks,” added Horacek.

“In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.”

The report also noted the shift in blackhats using what’s called “designer vulnerabilities”. These take the form of exploits made to specifically tailor themselves and their capabilities to a new hot application, device, or piece of media that’s been released or is trending on Google. This increases the chance that someone may download a file they don’t recognize as long as it has a reference to something they know about beforehand.

Regardless of all the doom and gloom in its report, IBM says we should says we should still remain optimistic about the possibilities that 2015 might bring.

With the worst (seemingly) behind us, Horacek believes both Shellshock and Heartbleed taught the industry a valuable lesson that had taken too long to learn. Now that problems like these have rocketed to the front of programmers’ minds, we should (at least in theory) see the first drop in these numbers since IBM first started keeping track.