Security incidents are like snowflakes. Individually, each is a unique variation on a set of repeating patterns, yet over time they pile up into an unruly mound of a billion or more leaked records of personal data. Given the pervasive effects of a data breach, many public resources do a good job of tracking and advising on these incidents, although it is not always easy to see at a glance what is going on.

Over the years, IBM X-Force has reported on a sampling of security incidents to understand trends and key events. In 2011, in the midst of frequent reports of data leaks, denial-of-service (DoS) attacks and social hacktivism, X-Force declared 2011 the “Year of the Security Breach.” Since that time, we have maintained the security incident bubble chart, a data visualization that provides a graphical representation of security incident activity.

Until now, the chart has been a static snapshot of a given period, updated only once or twice a year. This week, IBM X-Force launched an interactive version of the visualization that provides an up-to-date overview of security incidents and lets you filter the data by disclosed attack type, affected industry, financial impact and geography.

Data Breach Tracking

When presented with this kind of information, common questions include, “How many security incidents were reported in the past year?” and, “Have there been more security incidents this year than any previous year?”

We have been asked these questions often over the four years that IBM X-Force has tracked data breaches and security incidents, but the answer is not straightforward. It helps to consider how security incidents are uncovered and reported, which generally happens in one of four ways: firsthand knowledge, mandated disclosure, secondhand knowledge and public disclosure.

Firsthand Knowledge

Security vendors, managed security services providers and companies that provide emergency response services are often informed about security incidents that don’t make headlines. These are the people tasked with collecting forensic data, mitigating future exposure and often fixing the problems that led to the data breach in the first place.

Depending on the scope of the incident, these are not always covered by the media, and unless disclosure is required by law, they may never be made public. Individual users may also discover an incident on their own, for example by noticing suspicious activity on an online account or by being unable to reach a service during a DoS attack.

Mandated Disclosure

Under privacy and breach-notification laws in many countries, companies that discover the potential loss of data or private information are required to inform the affected customers. This is particularly true for health care providers and other industries where personally identifiable information (PII) is collected. The severity and impact of these incidents vary widely, though. If a USB drive containing PII goes missing, it does not automatically mean the information will be used for malicious purposes. Every one of these incidents adds to the total, but the count alone does not indicate increased criminal activity.

Secondhand Knowledge

The effects of a security incident can sometimes become apparent only over time, as with the rise of retail breaches in the United States in the past few years. Credit card providers notice an increase in fraudulent activity and can determine whether a common merchant links the affected card numbers. The incident then becomes public as customers are informed or as more details of the data breach are released.
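The "common merchant" analysis described above is the common point of purchase (CPP) technique card issuers use. The following Python is an added example written for this page, not IBM X-Force code and not any issuer's production logic. It works over a constructed list of transactions and a constructed set of cards later reported as fraudulent: for each merchant it measures how many of the fraud cards shopped there (coverage) and what share of that merchant's customers later went bad (fraud rate), ranks merchants by the product, and records the earliest fraud-card transaction as a lower bound on the exposure window. The merchant names, card IDs and day numbers are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample data for this example; not real transaction or fraud data.
# Each tuple is (card_id, merchant, day_of_transaction).
TRANSACTIONS = [
    ("c1", "grocer", 1), ("c1", "shoeshop", 2), ("c1", "cafe", 3),
    ("c2", "shoeshop", 2), ("c2", "gas", 4),
    ("c3", "shoeshop", 3), ("c3", "grocer", 5),
    ("c4", "shoeshop", 2), ("c4", "cafe", 6),
    ("c5", "grocer", 1), ("c5", "cafe", 2),
    ("c6", "gas", 3), ("c6", "grocer", 4),
    ("c7", "cafe", 5),
    ("c8", "shoeshop", 7),
]

# Cards that were later reported for fraudulent use (constructed).
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=2):
    """Rank merchants by how well they explain a set of fraud cards.

    For each merchant: coverage = share of all fraud cards that shopped there,
    fraud_rate = share of that merchant's cards that later went bad. A merchant
    that scores high on both is a candidate point of compromise; the earliest
    fraud-card transaction there bounds the start of the exposure window.
    """
    fraud_cards = set(fraud_cards)
    cards_by_merchant = defaultdict(set)
    first_fraud_day = {}
    for card, merchant, day in transactions:
        cards_by_merchant[merchant].add(card)
        if card in fraud_cards:
            first_fraud_day[merchant] = min(day, first_fraud_day.get(merchant, day))

    candidates = []
    for merchant, cards in cards_by_merchant.items():
        fraud_here = cards & fraud_cards
        if len(fraud_here) < min_fraud_cards:
            continue  # too few fraud cards at this merchant to be meaningful
        coverage = len(fraud_here) / len(fraud_cards)
        fraud_rate = len(fraud_here) / len(cards)
        candidates.append({
            "merchant": merchant,
            "fraud_cards": len(fraud_here),
            "total_cards": len(cards),
            "coverage": coverage,
            "fraud_rate": fraud_rate,
            "score": coverage * fraud_rate,
            "window_start": first_fraud_day[merchant],
        })
    # Highest combined score first; break ties by absolute fraud-card count.
    candidates.sort(key=lambda c: (c["score"], c["fraud_cards"]), reverse=True)
    return candidates


if __name__ == "__main__":
    for c in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{c['merchant']:10} fraud {c['fraud_cards']}/{c['total_cards']} "
              f"coverage={c['coverage']:.2f} rate={c['fraud_rate']:.2f} "
              f"window starts day {c['window_start']}")
```

On this constructed data the shoe shop is the only merchant every fraud card visited, and 80% of its customers went bad, so it ranks first; the grocer and cafe each saw half the fraud cards but also plenty of clean ones. Real issuers work with millions of cards and need a baseline fraud rate per merchant category before a rate like this is meaningful, but the ranking logic is the same.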

Public Disclosure

As demonstrated by several high-profile incidents over the past year, data stolen from a company can be posted publicly. This might be a user table dump from a website, with email addresses and passwords that are often hashed with weak, unsalted algorithms or stored in plaintext, or a full dump of intellectual property, email messages and other sensitive documents.

There are many anonymous websites on which attackers can post this type of information and then announce it through public platforms such as social media. Because the information comes from the attackers themselves, its authenticity can be questionable: cybercriminals who want to make a name for themselves may repost old credentials from previous data breaches and present them as a new incident.
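Two of the checks an analyst runs on a claimed dump follow directly from the preceding paragraphs: how were the passwords stored (plaintext, unsalted hash, or a proper password hash), and how much of the dump is simply recycled from an earlier, already-known breach? The Python below is an added example for this page, not IBM X-Force tooling. It parses a constructed `email:credential` dump, classifies each credential by format, runs a tiny dictionary attack against the unsalted digests to show how little protection they offer, and measures overlap against a constructed set of credentials from a prior incident; a high overlap ratio is the signal that "new" data is being re-posted. All addresses, hashes and the 0.5 recycled threshold are illustrative choices, not values from the article.

```python
import hashlib
import re
from collections import Counter

# Constructed sample data for this example (not real breach data).
# A claimed "new" dump in the email:credential form such posts commonly use.
CLAIMED_DUMP = """\
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.com:e10adc3949ba59abbe56e057f20f883e
carol@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
dave@example.com:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
erin@example.com:letmein
"""

# Credentials already seen in an earlier, separately verified incident (constructed).
PRIOR_BREACH = """\
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.com:e10adc3949ba59abbe56e057f20f883e
carol@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
frank@example.com:7c6a180b36896a0a8c02787eeafb0e4c
"""

# Deliberately tiny wordlist: enough to show how quickly unsalted hashes fall.
WORDLIST = ["password", "123456", "qwerty", "letmein"]

# Format detection by shape; checked most specific first.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt", re.compile(r"^\$6\$")),
    ("sha256-hex", re.compile(r"^[0-9a-f]{64}$")),
    ("sha1-hex", re.compile(r"^[0-9a-f]{40}$")),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$")),
]
UNSALTED = {"md5-hex": "md5", "sha1-hex": "sha1", "sha256-hex": "sha256"}


def parse_dump(text):
    """Parse 'email:credential' lines; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, cred = line.split(":", 1)
        records.append((email.lower(), cred))
    return records


def classify_credential(cred):
    """Name the storage format, or 'plaintext' if it matches no known hash shape."""
    for name, pattern in HASH_FORMATS:
        if pattern.match(cred):
            return name
    return "plaintext"


def crack_unsalted(cred, fmt, wordlist=WORDLIST):
    """Dictionary attack on an unsalted hex digest; returns the word or None."""
    algo = UNSALTED.get(fmt)
    if algo is None:
        return None  # salted/slow formats are not attacked here
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == cred:
            return word
    return None


def triage(claimed_text, prior_text, recycled_threshold=0.5):
    """Summarise storage formats, trivially recovered passwords and overlap with a prior dump."""
    claimed = parse_dump(claimed_text)
    prior = set(parse_dump(prior_text))
    storage = Counter()
    recovered = {}
    for email, cred in claimed:
        fmt = classify_credential(cred)
        storage[fmt] += 1
        if fmt == "plaintext":
            recovered[email] = cred
        else:
            hit = crack_unsalted(cred, fmt)
            if hit is not None:
                recovered[email] = hit
    overlap = (sum(1 for rec in claimed if rec in prior) / len(claimed)) if claimed else 0.0
    return {
        "records": len(claimed),
        "storage": dict(storage),
        "recovered": recovered,
        "overlap_with_prior": overlap,
        "likely_recycled": overlap >= recycled_threshold,
    }


if __name__ == "__main__":
    print(triage(CLAIMED_DUMP, PRIOR_BREACH))
```

On the constructed input, three of five records are byte-for-byte copies of the earlier incident, so the dump is flagged as likely recycled rather than evidence of a new breach; the unsalted MD5 and SHA-1 entries fall to a four-word list, while the bcrypt entry is left alone. Overlap is computed on the exact (email, credential) pair, since matching on email alone would also fire for any user who simply has accounts on both sites.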

Putting It Together

Given the diversity and volume of incidents coming from these various sources, it can be challenging to comprehensively track all security incidents, let alone determine their severity and root cause or find other detailed information. Additionally, every country has different disclosure laws, which makes it difficult to collect incident statistics on a global scale.

Some security vendors produce anonymous reports from firsthand knowledge that give insights into what would otherwise be private information. Additionally, there are several excellent online data loss resources that actively track mandated disclosures, as well as services that comb through public disclosures and dumps to determine whether a given email address has been involved in an incident.

Each of these organizations tracks pieces of the bigger picture, and their data can help analyze trends in increased or decreased volume. However, this still makes it difficult to answer the question of how many incidents occurred this year.

For the interactive security incident visualization, it is worth noting that the incidents IBM X-Force tracks are a subset of all incidents in any given year. While the data covers a variety of incidents and targets, there are minimum criteria for inclusion. By excluding unverified dumps from unknown sources and smaller incidents, we can provide a representative sampling of the prominent incidents at a given time, but we do not claim to be a fully comprehensive resource.

By visualizing how security incidents have evolved over time and studying the unique, snowflake-like patterns within each one, we can better understand the risks ahead and the actions that help us implement more effective security fundamentals.

Visit the IBM X-Force Interactive Security Incidents Website