Security incidents are like snowflakes. Individually, each is a unique variation of a set of repeating patterns, yet over time, they tend to pile up into an unruly mound of a billion or more leaked records of personal data. Given the pervasive effects of a data breach, there are many public resources that do a great job tracking and advising on these numerous security incidents, although it is not always easy to see at a glance what is going on.

Over the years, IBM X-Force has reported on a sampling of security incidents to understand trends and key events. In 2011, in the midst of frequent reports of data leaks, denial-of-service (DoS) attacks and social hacktivism, X-Force declared 2011 the “Year of the Security Breach.” Since that time, we have maintained the security incident bubble chart, a data visualization that provides a graphical representation of security incident activity.

Until now, this has been a static look at a given period, updated only once or twice a year. This week, IBM X-Force launched an interactive version of this visualization that provides an up-to-date overview of security incidents and a way to filter data based on disclosed attack types, affected industries, financial impact and geography.

Data Breach Tracking

When presented with this kind of information, common questions include, “How many security incidents were reported in the past year?” and, “Have there been more security incidents this year than any previous year?”

Though we have been asked these questions often over the four years that IBM X-Force has tracked data breaches and security incidents, the answer is not so straightforward. It is helpful to consider how security incidents are uncovered and reported. There are generally four primary methods: firsthand knowledge, mandated disclosure, secondhand knowledge and public disclosure.

Firsthand Knowledge

Security vendors, managed security services providers and companies that provide emergency response services are often informed about security incidents that don’t make headlines. These are the people tasked with collecting forensic data, mitigating future exposure and often fixing the problems that led to the data breach in the first place.

Depending on their scope, these incidents are not always covered by the media, and unless disclosure is ordered by law, they may not be disclosed publicly. Individual users may discover a security incident on their own if they detect suspicious activity on an online account or are unable to access an online service, as is the case in a DoS attack.

Mandated Disclosure

Due to privacy laws in many countries, companies that have discovered the potential loss of data or private information are required to inform their customers. This is particularly true for health care providers and other industries where personally identifiable information (PII) is collected. The severity and impact of these incidents may vary, though. If a USB drive with PII goes missing, it does not automatically mean the information will be used for malicious purposes. In that respect, the full number of these incidents adds to the total but may not indicate increased criminal intent.

Secondhand Knowledge

The effects of a security incident can sometimes become apparent over time, as is the case with the rise of retail breaches in the United States in the past few years. Credit card providers notice an increase in fraudulent activity and can determine whether there is a common merchant connected with the card numbers. In this case, the disclosure becomes public as customers are informed or more details of the data breach are released.

Public Disclosure

As demonstrated by several high-profile incidents over the past year, data stolen from a company can be posted publicly. This might include a user table dump from a website with email addresses and passwords that are often weakly encrypted or in plaintext, or a full dump of intellectual capital, email messages and other sensitive documents.

There are many anonymous websites on which attackers can post this type of information and then inform the world through public platforms such as social media. Given that the information is coming from the attackers, the authenticity of the data can be questionable. Cybercriminals who want to make a name for themselves could post old credentials from previous data breaches to falsely represent a new incident.

Putting It Together

Given the diversity and volume of incidents coming from these various sources, it can be challenging to comprehensively track all security incidents, let alone determine their severity and root cause or find other detailed information. Additionally, every country has different disclosure laws, which makes it difficult to collect incident statistics on a global scale.

Some security vendors produce anonymous reports from firsthand knowledge that give insights into what would otherwise be private information. Additionally, there are several excellent online data loss resources that actively track mandated disclosures, as well as services that comb through public disclosures and dumps to determine whether a given email address has been involved in an incident.

Each of these organizations tracks pieces of the bigger picture, and their data can help analyze trends in increased or decreased volume. However, it remains difficult to answer the question of how many incidents occurred this year.

For the interactive security incident visualization, it is worth noting that the number of incidents IBM X-Force tracks is lower than the total number of all incidents in any given year. While the data represents a variety of incidents and targets, there are some minimum requirements for inclusion. By excluding unverified dumps from unknown sources and smaller incidents, we can provide a representative sampling of several prominent incidents at a given time, but we do not claim to be a fully comprehensive resource.

By visualizing how security incidents have evolved over time and immersing ourselves in the unique, snowflake-like patterns found within each incident, we can better understand how to prepare ourselves for future risk awareness and the subsequent actions that help us implement more effective security fundamentals.

Visit the IBM X-Force Interactive Security Incidents Website
