With every passing year, hackers are becoming more sophisticated not just in the technologies that they use to carry out their attacks, but also in ways that they spot potential new attack surfaces. That’s one of the big takeaway trends from Experian’s seventh annual “Data Breach Industry Forecast 2020,” which outlines five key data breach trends to keep an eye on over the next 12 months.
Top five data breach trends
At the top of the list of new trends is text-based “smishing” attacks, in which nefarious hackers use SMS text messages to carry out phishing attacks against unsuspecting users. As Experian points out in its data breach trends report, “smishing” is a term coined by the U.S. Federal Trade Commission (FTC), which has been keeping tabs on the ways that hacking groups are now sending fraudulent messages via SMS as part of identity theft attacks or to hack into personal financial accounts. These “smishing” attacks work best, says Experian, in communities where barriers to trust are low. These include online communities active on social media around certain social causes, as well as online communities around political candidates. An urgent request to raise campaign funds for a political campaign, in fact, might actually be a fraudulent phishing SMS text.
Moreover, hackers are experimenting with emerging new technologies to carry out their attacks. Another trend cited in the Experian data breach trends report, for example, is the “hacker in the sky” attack involving drones. According to Experian, there are now more than 1 million consumer drones in the U.S., and any of them could be hooked up with tiny hand-held devices known as “pineapples” to break into unsecure Wi-Fi networks. This is particularly the case in densely crowded urban landscapes, where municipalities have invested in free Wi-Fi networks. Unfortunately, these free Wi-Fi networks are rarely protected, and drones circling overhead could easily “snoop” on unsuspecting users below.
And drones are not the only new emerging technology that hackers are using, according to the new data trends report. For example, some cybercriminals are experimenting with so-called “deepfake” technology (a term coined in Reddit online forums in 2017), in which artificial intelligence (AI) algorithms are used to create false identities. Cybercriminals might choose to use deepfakes to manipulate corporate shareholders (such as by altering videos of CEOs and other corporate leaders) or even cause geopolitical confusion and chaos. To illustrate this technology in action, Experian cites a video of German Chancellor Angel Merkel and U.S. President Donald Trump, and another video of former U.S. President Barack Obama being manipulated by actor Jordan Peele.
The new data breach trends report from Experian also cites the risks of mobile point-of-sale systems, especially at crowded venues such as music concerts and sporting events. Experian suggests that mobile payment systems used at these venues could be hacked into, or payments fraudulently processed. By 2023, mobile payments will be a $4.5 trillion industry, so the attack surface is widening exponentially for attackers. The more people who use their mobile phones to make payments on the go, the more opportunities that hackers will have to profit from mobile payment hacks.
Finally, the Experian data breach trends report highlights potential risks posed by entirely new industries, such as those based around cannabis and cryptocurrencies. In one form of attack envisioned by Experian, nefarious hackers will emulate the tactics of online “hacktivists” in order to disrupt these industries. In some cases, they may be doing so simply as a form of protest. But in other cases, they may be looking for new paths to profitability. Cannabis retail distribution centers, for example, could become the victim of so-called “supply chain attacks” as hackers look for the weak link in the cannabis supply chain.
2019 data breach trends in hindsight
Admittedly, some of these data breach “trends” are highly speculative in nature. But they give a good idea of how quickly technology is changing, and how hackers are responding. At the very least, the new 2020 data breach trends report should be a wake up call to CEOs and corporate boards that hackers are really stepping up their game in order to stay one step ahead of the “good guys.” More needs to be done to protect personal information, prevent compromised records from falling into the wrong hands, and breach incidents from escalating.
In its 2019 data breach trends report, Experian also made a number of forward-looking prognostications involving hacker threats. For example, Experian predicted the rise of “biometric hacking” as well as a major, sustained attack on a leading U.S. wireless carrier. Experian also predicted an enterprise-wide attack on a major financial institution’s national network as well as a major breach at a top cloud vendor.
To some extent, these data breach predictions have come true, although to less of an extent than Experian originally predicted. 2019 saw ransomware attacks carried out against a variety of organizations, including the healthcare industry and the financial services industry. The year also saw sensitive data – including personally identifiable information (PII) falling into the wrong hands and trafficked across the Dark Web in record numbers. At the same time, the average cost of a data breach continues to rise.
How to respond to these new data breach trends
With this increasingly complex cyber threat matrix, organizations need to be taking proactive data security steps headed into 2020. On top of a basic security layer to prevent security breaches, they need to be investing in employee training. After all, no matter how good the technology is that guards a company, it could all be worthless if employees are unable to spot phishing or “smishing” attacks. Moreover, organizations need to be keeping on top of the latest hacking threats. Thus, they need to check whether or not they might be vulnerable to breaches of their mobile point-of-sale systems, especially in terms of credit cad data.
Moreover, as the Experian data breach trends report points out, organizations need to be lining up third-party vendors (such as law firms and forensics firms) that can help them immediately in the event of a data breach. Even for small businesses, response plans need to be very detailed. And, finally, organizations need to be keeping up with new legislation, such as the GDPR and CCPA. Each new piece of legislation introduces changes to the overall cyber threat landscape.
Without a doubt, the size and scope of attacks continues to grow based on data breach statistics. According to Experian, there have now been 10,800 data breaches reported over the past 9 years. 2018 was a record-breaking year, but 2019 is now shaping up to be an even worse year for data breaches. It is now more important than ever for organizations to keep up with data breach trends and upgrade their defensive cyber capabilities in response.