March 19, 2015 By Jason Kravitz 4 min read

Security incidents are like snowflakes. Individually, each is a unique variation of a set of repeating patterns, yet over time, they tend to pile up into an unruly mound of a billion or more leaked records of personal data. Given the pervasive effects of a data breach, there are many public resources that do a great job tracking and advising on these numerous security incidents, although it is not always easy to see at a glance what is going on.

Over the years, IBM X-Force has reported on a sampling of security incidents to understand trends and key events. In 2011, in the midst of frequent reports of data leaks, denial-of-service (DoS) attacks and social hacktivism, X-Force declared 2011 the “Year of the Security Breach.” Since that time, we have maintained the security incident bubble chart, a data visualization that provides a graphical representation of security incident activity.

Until now, this has been a static look for the given period and is only updated once or twice a year. This week, IBM X-Force launched an interactive version of this visualization that provides an up-to-date overview of security incidents and a way to filter data based on disclosed attack types, affected industries, financial impact and geography.

Data Breach Tracking

When presented with this kind of information, common questions include, “How many security incidents were reported in the past year?” and, “Have there been more security incidents this year than any previous year?”

Though we have been asked these questions often over the four years that IBM X-Force has tracked data breaches and security incidents, the answer is not so straightforward. It is helpful to consider how security incidents are uncovered and reported. There are generally four primary methods: firsthand knowledge, mandated disclosure, secondhand knowledge and public disclosure.

Firsthand Knowledge

Security vendors, managed security services providers and companies that provide emergency response services are often informed about security incidents that don’t make headlines. These are the people tasked with collecting forensic data, mitigating future exposure and often fixing the problems that led to the data breach in the first place.

Depending on the scope of the incident, these don’t always get covered by the media, and unless disclosure is required by law, they may never be made public. Users may individually discover a security incident if they detect suspicious activity on an online account or are unable to access an online service, as is the case in a DoS attack.

Mandated Disclosure

Due to privacy laws in many countries, companies that have discovered the potential loss of data or private information are required to inform their customers. This is particularly true for health care providers and other industries where personally identifiable information (PII) is collected. The severity and impact of these incidents may vary, though. If a USB drive with PII goes missing, it does not automatically mean the information will be used for malicious purposes. In that respect, the full number of these incidents adds to the total but may not indicate increased criminal intent.

Secondhand Knowledge

The effects of a security incident can sometimes become apparent over time, as is the case with the rise of retail breaches in the United States in the past few years. Credit card providers notice an increase in fraudulent activity and can determine whether there is a common merchant connected with the card numbers. In this case, the disclosure becomes public as customers are informed or more details of the data breach are released.

Public Disclosure

As demonstrated by several high-profile incidents over the past year, data stolen from a company can be posted publicly. This might include a user table dump from a website with email addresses and passwords that are often weakly encrypted or in plaintext, or a full dump of intellectual capital, email messages and other sensitive documents.

There are many anonymous websites on which attackers can post this type of information and then inform the world through public platforms such as social media. Given that the information is coming from the attackers, the authenticity of the data can be questionable. Cybercriminals who want to make a name for themselves could post old credentials from previous data breaches to falsely represent a new incident.

Putting It Together

Given the diversity and volume of incidents coming from these various sources, it can be challenging to comprehensively track all security incidents, let alone determine their severity and root cause or find other detailed information. Additionally, every country has different disclosure laws, which makes it difficult to collect incident statistics on a global scale.

Some security vendors produce anonymous reports from firsthand knowledge that give insights into what would otherwise be private information. Additionally, there are several excellent online data loss resources that actively track mandated disclosures, as well as services that comb through public disclosures and dumps to determine whether a given email address has been involved in an incident.

Each of these organizations tracks pieces of the bigger picture, and their data can help analyze trends in increased or decreased volume. However, this still makes it difficult to answer the question of how many incidents occurred this year.

For the interactive security incident visualization, it is worth noting that the total incidents IBM X-Force tracks are less than the total number of all incidents in any given year. While the data represents a variety of incidents and targets, there are some minimum requirements. By excluding unverified dumps from unknown sources and smaller incidents, we can provide a representative sampling of several prominent incidents at a given time but not claim to be a fully comprehensive resource.

By visualizing how security incidents have evolved over time and immersing ourselves in the unique, snowflake-like patterns found within each incident, we can better understand how to prepare for future risk and take the actions that help us implement more effective security fundamentals.

Visit the IBM X-Force Interactive Security Incidents Website
