In addition to nine “mega-breaches” of personal data in 2015, tens of millions of personal records were likely exposed or stolen by cyber criminals the same year but went unreported because the companies or entities involved chose to keep the size of the breach a secret, according to a new cyber security report.
The report from California-based Symantec said that the number of companies that refused to report the scope of a data breach jumped by 85 percent last year, which one senior Symantec officer called a “disturbing trend.” The cyber security firm said that some 429 million personal records were exposed in 2015 -- many of them through mega-breaches like the Office of Personnel Management hack and one that reportedly hit a huge voter database -- but that number is based only on entities that shared the scope of the breach. Symantec estimates that the real number of exposed or stolen records, including those that went unreported, likely tops half a billion.
“Transparency is critical to security,” Symantec Security Response Director Kevin Haley said in a written statement. “By hiding the full impact of an attack, it becomes more difficult to assess the risk and improve your security posture to prevent future attacks.”
The Symantec report, released today, also revealed a shocking increase in the sophistication of cyber-criminal groups. For instance, the firm said it could identify an unprecedented 54 so-called “zero-day” exploits discovered in 2015 – more than in the last two years combined. Zero-days, which are weaknesses in a program, system or device that have never been seen before, can be incredibly valuable on the cyber-black market. At least four such zero-day exploits were reportedly used in the cyber-attack on an Iranian nuclear facility a few years ago.
“Given the value of these vulnerabilities, it’s not surprising that a market has evolved to meet demand,” the report says. “In fact, at the rate that zero-day vulnerabilities are being discovered, they may become a commodity product.”
Samir Kapuria, Senior Vice President and General Manager at Symantec’s Cyber Security Services, told ABC News that the research shows cyber-crime has moved on from its “start-up phase.”
“As a growth business, these guys have figured out how to make money,” Kapuria said.