IT Governance’s research has found the following for November 2023:
- 470 publicly disclosed security incidents.
- 519,111,354 records known to be breached.
The number of incidents is particularly high this month, partly because we’ve improved our incident-finding processes, but also partly because we’ve seen several big supply chain attacks this month.
In these cases, a service provider suffered a cyber attack, which had a knock-on effect on numerous other organisations. For example, UK service provider CTS suffered a cyber incident this month, which also affected around 80 of its clients (UK law firms).
Data Breach Dashboard
For a quick, one-page overview of this month’s findings, please use our Data Breach Dashboard:
Note: From this month, zero-day vulnerabilities are excluded from the ‘unpatched or misconfigured’ category. This is part of the reason this category is lower than last month (24% vs 32%).
You’ll also be able to download this in the near future, along with the month’s data (and our sources).
This blog provides analysis of the data we’ve collected. We also discuss the biggest breaches on our 2023 overview of publicly disclosed data breaches and cyber attacks.
High-level overview
Of November’s 470 incidents, we know the following:
Remediation
- 48% of breached organisations reported taking remedial action this month – a noticeably lower percentage than last month’s 61%. This typically included conducting a forensic analysis to establish exactly what happened (often by engaging a third-party specialist). It usually also involved temporarily taking down systems to limit the impact of the security breach.
Data exfiltration
- 54% of breached organisations are known to have had data exfiltrated – roughly on a par with last month’s 53%.
- An additional 45% may have had data exfiltrated – significantly more than last month’s 30%.
- Only 1% have either concluded that no records were breached, or that the breach didn’t involve a criminal – significantly fewer than last month’s 18%.
Records breached
- For 44% of disclosed incidents, a specific number of records breached was reported – a decrease on last month’s 53%.
Note: This includes security incidents where we know no records were breached.
- For a further 14% of disclosed incidents, we know that data has been exfiltrated, but we have no information on specific numbers. This isn’t too different from last month’s 18%.
Notification
- 32% of breached organisations notified a regulator – fewer than last month’s 49%.
- 31% notified affected individuals – again, fewer than last month’s 53%.
Both these drops compared to last month may appear worrying, but it’s possible that these are at least partially down to us changing our processes so we can find more publicly disclosed incidents. Equally, there were so many incidents towards the end of this month that it’s possible that the organisations simply haven’t got round to the reporting stages yet.
Top 10 biggest breaches
# | Organisation name | Known number of records breached |
--- | --- | --- |
1 | Kid Security | 300,000,001 |
2 | SAP SE Bulgaria | 95,592,696 |
3 | TmaxSoft | 56,000,001 |
4 | WeMystic | 13,300,000 |
5 | NTT Business Solutions | 9,000,000 |
6 | Perry Johnson & Associates | 8,952,212 |
7 | Welltok | 8,493,379 |
8 | Shimano | 4,500,000 |
9 | Aurobindo Pharma | 3,700,000 |
10 | Zeroed-In Technologies | 1,977,486 |
Note: Where ‘around’, ‘about’, etc. is reported, we record the rounded number. Where ‘more than’, ‘at least’, etc. is reported, we record the rounded number plus one. Where ‘up to’, etc. is reported, we record the rounded number minus one.
Sector overview
We’ve now expanded our sector categories, thereby decreasing the size of the ‘other’ category. Including ‘other’ and ‘unknown’, we now have 16 sector categories. We’ll provide a full breakdown of these in our interim and annual reports.
For our monthly analyses, we’ll just look at the top 3.
Top 3 most-breached sectors (by number of incidents)
# | Sector | Incidents | Share of incidents |
--- | --- | --- | --- |
1 | Legal | 89 | 19% |
2 | Healthcare | 58 | 12% |
3 | Technology | 35 | 7% |
Technically speaking, ‘unknown’ is the most-breached sector with 91 incidents, but to ensure that the above table is as informative as possible, we left it out of the table. These 91 incidents come from just 2 third-party security breaches:
- 64 organisations with Docker Hub accounts that were affected by Kubernetes Secrets being left exposed to the Internet in public GitHub repositories.
- 27 Israeli organisations with e-commerce websites, likely in either the retail or manufacturing sector, but we can’t be sure at this time. In total, 40 Israeli organisations were affected by the cyber attack against website hosting company IT-Signature, 13 of which have so far been identified.
After the ‘unknown’ sector, it is interesting to see ‘legal’ ranking in the top spot, considering that it was near the bottom last month. This is largely due to the aforementioned supply chain attack (via CTS) that affected around 80 UK law firms.
Healthcare also ranked high last month – the second-most breached sector after ‘other’. This isn’t overly surprising: healthcare organisations are a popular target for cyber criminals, as they hold a lot of highly sensitive data that is often not particularly well secured, especially among smaller providers. Furthermore, thanks to laws like HIPAA (the Health Insurance Portability and Accountability Act), data breaches in the healthcare sector are more likely to be reported.
We weren’t recording the technology sector as its own category last month, but it suffered a comparatively large number of incidents this month. More notably, however, it ranked as the most-breached sector by number of records known to be breached.
Top 3 most-breached sectors (by number of records)
# | Sector | Known number of records breached |
--- | --- | --- |
1 | Technology | 486,177,015 |
2 | Healthcare | 10,970,485 |
3 | Media and telecoms | 9,000,000 |
The vast majority of this month’s records known to be breached were in the technology sector – 94%, to be exact.
You could also argue that it’s surprising that only 2% of records known to be breached this month were in healthcare, considering how much sensitive data it holds, and that 12% of the month’s publicly disclosed incidents were in this sector.
This is partly caused by how these incidents tend to be reported: stating only the number of individuals impacted, as opposed to the actual number of records compromised. On the other hand, several of the larger breaches in the technology sector this month involved unsecured databases containing millions of records, and are reported as such. We do our best to report the data as accurately and consistently as we can, but as we’re dependent on the information available in the public domain, there’s very little we can do about this.
It can also be down to the month in question. For instance, in November, Henry Schein, a healthcare solutions giant, reported an update on its October ransomware attack – specifically, that 35 TB of sensitive data had been stolen (which we convert to 35 million records).* But as the initial report on this attack came out in October, we added this breach to last month’s data, which will be accounted for in our interim and annual reports, but not in our monthly analysis due to the timing of this update.
Media and telecoms is a surprising third place, as it only had three known incidents this month – less than 1% of the total across all sectors. This really comes from just one large breach from NTT Business Solutions, where a former temporary employee illegally accessed about 9 million records over the course of a decade.
*For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (for instance, pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
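The rounding rule in the note under the top-10 table and the 1 MB = 1 record conversion in this footnote can be expressed as one small normalisation routine. This is an added example, not IT Governance’s own code; the qualifier phrase lists (the page only gives ‘around’, ‘more than’, ‘up to’ and ‘etc.’) and the decimal unit multipliers (1 TB = 1,000,000 MB) are assumptions.

```python
import re

# Assumed decimal multipliers for the page's '1 MB = 1 record' rule:
# 1 GB = 1,000 records, 1 TB = 1,000,000 records.
SIZE_UNITS = {"MB": 1, "GB": 1_000, "TB": 1_000_000, "PB": 1_000_000_000}
WORD_SCALES = {"thousand": 1_000, "million": 1_000_000, "billion": 1_000_000_000}

# Assumed qualifier lists; the page names only a few examples followed by 'etc.'.
UPPER_BOUND = ("up to", "no more than", "fewer than", "less than", "under")
LOWER_BOUND = ("more than", "at least", "over", "in excess of", "upwards of")

def _mentions(text, phrases):
    """Whole-word match so that 'over' does not fire on 'discovered'."""
    return any(re.search(rf"\b{re.escape(p)}\b", text) for p in phrases)

def parse_quantity(report):
    """Turn '300 million', '8,952,212' or '35 TB' into a record count (float)."""
    m = re.search(r"(\d[\d,]*(?:\.\d+)?)\s*(thousand|million|billion|[MGTP]B)?\b",
                  report, re.IGNORECASE)
    if not m:
        raise ValueError(f"no quantity found in {report!r}")
    value = float(m.group(1).replace(",", ""))
    unit = (m.group(2) or "").lower()
    if unit in WORD_SCALES:
        value *= WORD_SCALES[unit]
    elif unit.upper() in SIZE_UNITS:
        value *= SIZE_UNITS[unit.upper()]  # file size -> records at 1 MB = 1 record
    return value

def recorded_records(report):
    """Apply the rounding rule: 'more than' -> +1, 'up to' -> -1, 'around' -> as is."""
    text = report.lower()
    n = int(round(parse_quantity(report)))
    if _mentions(text, UPPER_BOUND):   # checked first: 'no more than' contains 'more than'
        return n - 1
    if _mentions(text, LOWER_BOUND):
        return n + 1
    return n

if __name__ == "__main__":
    # Constructed sample phrasings in the style of breach notifications.
    for phrase in ("more than 300 million user records", "around 80 law firms",
                   "up to 13.3 million customers", "35 TB of sensitive data"):
        print(f"{phrase!r:45} -> {recorded_records(phrase):,}")
```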
Other noteworthy findings
Top attack types
Ransomware
- Like last month, among the publicly disclosed incidents where we know the attack/breach type, ransomware ranked the highest, though at a lower percentage than last month: 17% (November) vs 26% (October) out of all disclosed incidents.
- This remains lower for November if we exclude incidents with unknown causes: 24% (November) vs 31% (October).
- The even better news is that far fewer records are known to have been breached this month as the result of ransomware: 13,949,033 (November) vs 55,862,057 (October, with updated information as new reports came through, especially on the Henry Schein incident). This reflects 3% of November’s total and 6% of October’s total.
Misconfigurations and not patching
- Misconfigurations and not patching were the next two biggest causes of this month’s publicly disclosed incidents, at 16% and 9% respectively. These figures are similar to last month’s, at 15% and 10% respectively.
- Perhaps more shocking are the numbers of records known to be breached as the result of misconfigurations in particular: 465,894,247 for this month, or 90% of all records known to be breached this month.
- Although still high, these numbers are less alarming for not patching: 1,903,192 – less than 1% of the month’s total.
Zero-day vulnerabilities
- Zero-day vulnerabilities ranked fourth this month at 8%. We didn’t track this as a separate category last month, but have now gone back through October’s data and found that zero-day vulnerabilities accounted for 6% – also fourth spot in that month if we exclude ‘unknown’ and ‘other’ attack types.
- MOVEit contributed to just under half of this month’s zero-day exploits with 16 incidents, or 3.4%. Another significant contributor was a coordinated attack on 22 Danish critical infrastructure organisations.
- Zero-day vulnerabilities accounted for nearly 14 million records known to be breached this month – 13,946,997 records, to be exact. This is significantly up from last month’s 1,476,181 records.
Zero-day vulnerabilities are extremely difficult to defend against, as they don’t yet have a patch available, and the victims may not be aware that the vulnerability exists. This is a key reason we’ve decided to track this as a separate category, rather than group it under ‘unpatched’ in general.
Accidental data breaches
- Last month, just 15 security incidents or data breaches were caused accidentally (as opposed to originating from an attack conducted with criminal intent). This month, this increased to 87 incidents.
- The percentage changes from last to this month are less extreme: from 13% to 19%. Nevertheless, that 19% figure means that nearly one in five incidents this month were clearly preventable. This covers various scenarios, ranging from human error (like not using Bcc) to leaving databases unprotected.
- However, the more shocking statistic is the known number of records breached accidentally: 465,933,471 records, or 90% of the total. Last month, this was only 12,878,510 records, or 1.5% of the total. This month’s number is so high due to multiple large, unsecured databases, including from Kid Security, SAP SE Bulgaria and TmaxSoft, although there is no evidence that a malicious actor has accessed them.
Note: In the case of such unprotected databases, we only log these as ‘accidental’ where a non-malicious actor such as a security researcher discovers this, and it isn’t known whether a malicious actor accessed the data. If we do know, or have evidence that suggests, that a malicious actor has accessed and perhaps even exfiltrated the data, we categorise the incident as ‘criminal’.
Third-party attacks
- A staggering 48% of publicly disclosed incidents originated from a third party this month – a huge increase on last month’s 18%.
- When we look at just the absolute numbers, the increase is even more stark: 21 incidents in October vs 227 incidents in November – more than a 10-fold increase.
- You might think that these numbers are skewed by MOVEit, as it still seems to be regularly covered in the news, but this particular supply chain attack only accounted for 16 of this month’s 227 third-party incidents, or 7%.
It can be challenging to secure your supply chain – organisations tend to simply trust that the products and services they use are safe. But where they aren’t, every organisation that uses them can be at risk, with potentially far-reaching consequences. We’ve certainly seen this in this month’s findings, with nearly half of all incidents originating from the supply chain.
Most-affected geographical locations
- Like last month, the USA suffered the most publicly disclosed incidents by far this month: 185 incidents, or 39%. Although this is down on last month’s 51%, it’s clearly still a high figure. However, just as in October, this translated to relatively few records breached: 30,879,890 – 6% of November’s total. We’ll publish a separate USA report for November later this week, so keep an eye on our IT Governance USA blog.
- The second-most affected region was the UK, again, largely due to the supply chain attack affecting 80 UK law firms. The total was 89 incidents, or 19%.
- Another region worth mentioning is APAC. Although it’s such a large region, it only suffered 6% of this month’s incidents. However, that accounted for 376,812,001 records known to be breached, or 73% of the total. In October, we saw a similar disproportionate impact, with 827,493,024 records known to be breached, or 95% of the total.