The volume of compromised records globally has increased on average by 224% each year since 2017, according to new findings shared by Imperva.
In light of the GDPR’s third anniversary this week, the data security firm crunched statistics on thousands of breaches over the past few years to better understand the evolving risk to businesses.
There were more records reported as compromised in January 2021 alone (878 million) than for the whole of 2017 (826 million).
Alongside the increase in this figure over the past four years, there's been a 34% rise in the number of reported breaches over the period, and a 131% increase in the average number of compromised records per incident, said Imperva security researcher Ofir Shaty.
“We are living in a digitization era in which more services are consumed on a daily basis, with the majority of them online. More businesses are migrating to the cloud which makes them more vulnerable if not done carefully. The amount of data that is out there is enormous, and it is increasing every year,” he said.
“Information security adoption is slower than the adoption of digital services that make profit from the addiction to and consumption of the same online services. The increasing number of breaches every year is a result of this gap.”
Imperva is predicting that this year will see around 1500 data breach incidents and 40 billion records compromised.
These aren’t all the result of malicious third parties stealing information from victim organizations.
Misconfiguration of cloud services has also driven a spike in data leaks. Of the 100 biggest incidents over the past decade, Imperva claimed 42% came from Elasticsearch servers, a quarter (25%) from AWS S3 buckets and 17% from MongoDB deployments.
Tools like Shodan and open source apps like LeakLooker are making the discovery of such leaks increasingly easy, Shaty warned.
“The security of an organization is only as strong as the weakest link in the security chain. Many times, the ‘walls’ that protect databases have cracks that allow attackers to put their hands on sensitive data,” he concluded.
“In many cases, better architecture and cross-organization security practices would do the trick, but those practices are not easy to implement and control. We suggest that organizations implement security for the databases they manage, not just the applications and networks that surround them.”