Three Take-Home Lessons from Data Breaches Past

December 1, 2021

  • Hacker breaches and the numbers of records compromised are increasing at a dramatic rate and are predicted to triple year-over-year.
  • Organizational risks fall into three general categories.
  • Complete visibility into your data sources helps you quickly discover and remediate incidents of abnormal data exfiltration.
  • Robust malware detection/prevention capabilities make it hard to install and spread malware on end-user machines.


Anyone who follows cybersecurity trends can see that hackers are striking more frequently than ever before. In Lessons Learned from Analyzing 100 Data Breaches, Imperva’s research labs observed that in January 2021 alone more than 870 million records were compromised through data breaches. This is more than the total number of compromised records for the entirety of 2017. We have also seen a constant increase in the number of data breaches – more than 30% each year, with the number of records compromised rising by an average of 224% per breach. Based on this trend, Imperva estimates that we will see around three times more records stolen year-over-year.


A closer analysis of the causes of the breaches shows three main areas where organizations make mistakes when attempting to safeguard data. Cybercriminals are becoming increasingly sophisticated and more difficult to stop, but there are basic mitigation strategies that, when enabled properly, can help any organization create a harder target for bad actors. In this post, we will look at these areas and discuss what organizations can do to shore up their security posture and avoid the costly mistakes that lead to breaches and data compromise.


1: Leaving sensitive personal data unprotected. Hackers can only steal data that’s available for them to take. Around 75% of all stolen data was sensitive personal information. Almost 15% of breaches resulted in password credentials being stolen and nearly 10% resulted in the theft of credit card details. Organizations, in general, do a better job of protecting password credentials and credit card details because those have the most immediate value to cybercriminals. This suggests that many organizations don’t have sufficient protection in place for personal data. This is partly because personal data is routinely moved between systems, people and suppliers to perform common business tasks. As regulations governing data privacy get tougher, it will be critical for organizations to discover, identify and classify personal data across all their data sources. To do so, organizations have to know where that data is and which applications and users are accessing it. With that level of intelligence, they can extend the security controls that protect it.
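The discovery and classification step above is easier to picture with a concrete scanner. The following is an added example written for this post, not Imperva's product code: it walks a set of constructed sample data sources (the source names, records and card numbers are made up; the card numbers are standard test numbers), classifies each field value as email, SSN, credit card or phone with simple pattern matches plus a Luhn check, and builds an inventory of which sources hold personal data and in which fields. The regexes and categories are assumptions for illustration; a production classifier would add column-name context, more locales and document types.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample records (not real data): each "data source" maps a
# source name to rows as they might be pulled from a database or file share.
SAMPLE_SOURCES = {
    "crm_db.customers": [
        {"name": "Alice Example", "email": "alice@example.com", "phone": "+1 555-0100"},
        {"name": "Bob Example", "email": "bob@example.org", "phone": "+1 555-0199"},
    ],
    "billing_db.payments": [
        {"order": "A-1", "card": "4111 1111 1111 1111", "amount": "19.99"},
        {"order": "A-2", "card": "5500 0000 0000 0004", "amount": "5.00"},
    ],
    "hr_share/onboarding.csv": [
        {"employee": "Carol Example", "ssn": "123-45-6789"},
    ],
    "analytics_db.pageviews": [
        {"path": "/home", "count": "120"},
        {"path": "/pricing", "count": "42"},
    ],
}

# Detectors are deliberately simple pattern matches (an assumption for this
# example); real classifiers add column-name context and more locales.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")            # US-style SSN
CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")         # 13-19 digits, optional separators
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,13}\d$")     # 8-15 characters, E.164-ish


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts down false positives on long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> Optional[str]:
    """Return the personal-data category of a single field value, or None."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    if SSN_RE.match(v):
        return "ssn"
    digits = re.sub(r"[ -]", "", v)
    if CARD_RE.match(v) and luhn_ok(digits):
        return "credit_card"
    if PHONE_RE.match(v):
        return "phone"
    return None


def build_inventory(sources):
    """Map each source to {(field, category): count} for fields holding
    personal data. An empty dict means nothing sensitive was found."""
    inventory = {}
    for source, records in sources.items():
        counts = defaultdict(int)
        for record in records:
            for field, value in record.items():
                category = classify_value(str(value))
                if category:
                    counts[(field, category)] += 1
        inventory[source] = dict(counts)
    return inventory


def sensitive_sources(inventory):
    """Sources that hold at least one personal-data field, sorted by name."""
    return sorted(src for src, counts in inventory.items() if counts)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SOURCES)
    for src in sensitive_sources(inv):
        print(src, {f"{field}:{cat}": n for (field, cat), n in inv[src].items()})
```

The inventory is the artefact the text calls for: it tells you which sources (and which fields in them) need access controls and monitoring, and the analytics source that holds no personal data drops out of scope. The Luhn check matters because a 16-digit string that fails it is not a card number, and the phone pattern is capped at 15 digits so such strings are not misclassified as phone numbers either.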


2: Not securing publicly accessible services. While the majority of data breaches begin in web applications, Imperva’s Research Labs report that 15% of them have their cause in “publicly accessible” services. This is not surprising: as more companies move their operations and workloads to the cloud, publicly open services become easy prey for malicious hackers. In most cases, this isn’t a failure of security practices but rather a total absence of security posture. The reasons include unknowingly leaving systems open to public access, misconfiguring cloud environments and leaving vendor defaults in place. Public cloud services have many moving parts, including short-lived cloud instances and containers, elastic data volumes and cluster-based assets (such as data warehouses). To protect these assets, organizations first need to make them visible. Businesses should make sure that the public cloud services they use receive regular updates and security patches, which is especially important if there are known vulnerabilities that have not been resolved. Never assume a service is configured correctly. Configurations change as applications and cloud resources are updated and as workflows or users change. Security teams should regularly review cloud configurations to be sure there have been no accidental changes and that any intended changes are safe.
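The review the paragraph recommends has two parts: find what is currently reachable from the internet, and find what changed since the last review. The block below is an added example, not code from Imperva or from any cloud provider. It uses a constructed, simplified inventory format (the `type` names and fields such as `public_read` and `source_cidr` are assumptions for this example, not a real provider's API schema) and a constructed "later snapshot" in which an export bucket was made public, a database port was opened to the world and a temporary SSH rule appeared. The set of ports expected to be public is also an assumption.

```python
import json

# Constructed, simplified snapshots of cloud resources, as a reviewer might
# export them from an inventory tool. The schema (resource "type" names and
# fields such as public_read / source_cidr) is an assumption made for this
# example, not any cloud provider's real API format.
BASELINE_JSON = """
{"resources": [
  {"id": "bucket-customer-exports", "type": "storage_bucket",
   "public_read": false, "encryption": true},
  {"id": "fw-db-tier", "type": "firewall_rule",
   "port": 5432, "source_cidr": "10.0.0.0/8"},
  {"id": "fw-web-tier", "type": "firewall_rule",
   "port": 443, "source_cidr": "0.0.0.0/0"},
  {"id": "dw-analytics", "type": "data_warehouse",
   "public_endpoint": false, "tls_required": true}
]}
"""

# A later snapshot of the same environment (also constructed): the export
# bucket was flipped to public read, the database port was opened to the
# internet and a temporary SSH rule appeared. None of these were reviewed.
CURRENT_JSON = """
{"resources": [
  {"id": "bucket-customer-exports", "type": "storage_bucket",
   "public_read": true, "encryption": true},
  {"id": "fw-db-tier", "type": "firewall_rule",
   "port": 5432, "source_cidr": "0.0.0.0/0"},
  {"id": "fw-web-tier", "type": "firewall_rule",
   "port": 443, "source_cidr": "0.0.0.0/0"},
  {"id": "dw-analytics", "type": "data_warehouse",
   "public_endpoint": false, "tls_required": true},
  {"id": "fw-tmp-ssh", "type": "firewall_rule",
   "port": 22, "source_cidr": "0.0.0.0/0"}
]}
"""

# Ports that are expected to be reachable from the internet (assumption:
# only the web tier is meant to be public).
EXPECTED_PUBLIC_PORTS = {80, 443}
ANYWHERE = "0.0.0.0/0"


def find_public_exposure(snapshot):
    """Return (resource id, reason) pairs for every resource reachable from
    the public internet in a way the policy above does not allow."""
    findings = []
    for r in snapshot["resources"]:
        kind = r.get("type")
        if kind == "storage_bucket" and r.get("public_read"):
            findings.append((r["id"], "bucket allows public read"))
        elif (kind == "firewall_rule" and r.get("source_cidr") == ANYWHERE
              and r.get("port") not in EXPECTED_PUBLIC_PORTS):
            findings.append((r["id"], f"port {r['port']} open to the internet"))
        elif kind == "data_warehouse" and r.get("public_endpoint"):
            findings.append((r["id"], "warehouse exposes a public endpoint"))
    return findings


def diff_against_baseline(baseline, current):
    """Return (resource id, field, old value, new value) tuples for every
    difference between the last reviewed snapshot and the current one.
    Added or removed resources are reported with field "added"/"removed"."""
    base = {r["id"]: r for r in baseline["resources"]}
    cur = {r["id"]: r for r in current["resources"]}
    drift = []
    for rid in sorted(set(base) | set(cur)):
        if rid not in cur:
            drift.append((rid, "removed", None, None))
        elif rid not in base:
            drift.append((rid, "added", None, None))
        else:
            for field in sorted(set(base[rid]) | set(cur[rid])):
                old, new = base[rid].get(field), cur[rid].get(field)
                if old != new:
                    drift.append((rid, field, old, new))
    return drift


def review(baseline_json=BASELINE_JSON, current_json=CURRENT_JSON):
    """Run both checks and return their findings together."""
    baseline, current = json.loads(baseline_json), json.loads(current_json)
    return {
        "exposure": find_public_exposure(current),
        "drift": diff_against_baseline(baseline, current),
    }


if __name__ == "__main__":
    result = review()
    for rid, reason in result["exposure"]:
        print(f"EXPOSED  {rid}: {reason}")
    for rid, field, old, new in result["drift"]:
        print(f"DRIFT    {rid}.{field}: {old!r} -> {new!r}")
```

Running the two checks separately is deliberate: the exposure check catches anything public regardless of history, while the drift check surfaces changes that are not themselves exposures (for example, encryption being switched off) and makes each change reviewable against the snapshot that was last signed off. On a schedule, the current snapshot becomes the next baseline only after the drift has been reviewed.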


3: Not knowing your attacker. Cyber attackers are commonly split into two groups: “inside threats” and “outside threats.”


The “insider” (or internal) threat generally materializes when employees leave data exposed, either maliciously or by mistake or oversight. For malicious inside attackers, the motive is usually money, often accompanied by a personal dislike for the organization. The malicious insider usually already has access to assets or credentials and attracts less suspicion than an outside threat. The best way to mitigate malicious insider risk is to make sure employees aren’t sharing passwords internally (or, worse, externally) and that they properly log out of environments that contain sensitive data when they’re done working. It’s also important for security teams to continuously monitor user permissions and privilege levels for sensitive data access. Security teams should have sufficient visibility into data sources to know what constitutes normal data use. For example, if an internal user who has never accessed a sensitive data source before suddenly starts downloading a lot of sensitive data, security teams should be alerted automatically.


“Outsiders” run two basic plays. One, quickly identify an opportunity – a vulnerability, a publicly open database or something else – grab what’s there and leave. These attackers won’t search for other databases, penetrate your network or try to execute exotic exploits. They just take what they can and sell it to the highest bidder.


Two, play the long game. These attackers “hang around” waiting for the right time to steal personal data they can correlate and turn into personally identifiable information (PII), which has more long-term value.


In either case, complete visibility into your organization’s data sources helps you quickly discover and remediate incidents of abnormal data exfiltration. It’s also important to have robust malware detection and prevention capabilities, which make it hard to install and spread malware on end-user machines. Businesses should be sure that privileged users change passwords frequently and should consider a zero-trust network to complement robust data security controls.
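Both the insider example earlier (a user who has never touched a sensitive source suddenly downloading a lot of it) and the point above about spotting abnormal exfiltration through visibility into data sources come down to the same detection job: know what normal access looks like per user and source, then alert on departures from it. The block below is an added example, not Imperva code; it runs over constructed access-log lines (made up for this post, including one malformed line the parser must skip), builds a per-user, per-source baseline from the history before a cutoff date and applies two rules to the events after it. The log format, the list of sensitive sources and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from statistics import mean

# Data sources that hold personal data. In practice this list comes from
# the classification step; here it is an assumption for the example.
SENSITIVE_SOURCES = {"crm_db.customers", "hr_share/onboarding.csv"}

# Constructed access-log lines (not from any real system): one line per
# data pull, with the number of rows returned.
LOG_LINES = """
2021-11-01T09:12:01Z user=alice source=crm_db.customers rows=120
2021-11-02T10:05:44Z user=alice source=crm_db.customers rows=95
2021-11-03T11:40:09Z user=alice source=crm_db.customers rows=130
2021-11-01T14:22:13Z user=dave source=analytics_db.pageviews rows=5000
2021-11-02T15:01:37Z user=dave source=analytics_db.pageviews rows=4800
garbage line that the parser must skip
2021-11-30T02:14:55Z user=dave source=crm_db.customers rows=25000
2021-11-30T09:00:12Z user=alice source=crm_db.customers rows=110
2021-11-30T09:30:00Z user=alice source=crm_db.customers rows=4000
2021-11-30T16:45:31Z user=erin source=hr_share/onboarding.csv rows=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) source=(?P<source>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text):
    """Parse log lines into events sorted by timestamp; malformed lines are
    skipped rather than allowed to crash the detection job."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "user": m["user"],
                           "source": m["source"], "rows": int(m["rows"])})
    return sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically


def build_baseline(events):
    """Mean rows per pull for every (user, source) pair seen in history."""
    rows = defaultdict(list)
    for e in events:
        rows[(e["user"], e["source"])].append(e["rows"])
    return {key: mean(vals) for key, vals in rows.items()}


def detect_anomalies(events, baseline, sensitive=SENSITIVE_SOURCES,
                     new_source_min_rows=1000, spike_multiplier=10):
    """Two rules: a user pulling bulk data from a sensitive source they have
    never touched before, and a user pulling far more than their own
    historical volume from a source they do use. Thresholds are assumptions
    to be tuned per environment."""
    alerts = []
    for e in events:
        key = (e["user"], e["source"])
        if key not in baseline:
            if e["source"] in sensitive and e["rows"] >= new_source_min_rows:
                alerts.append((e["user"], e["source"],
                               "first-time bulk access to sensitive source", e["rows"]))
        elif e["rows"] > spike_multiplier * baseline[key]:
            alerts.append((e["user"], e["source"],
                           "volume spike vs. own baseline", e["rows"]))
    return alerts


def run(log_text=LOG_LINES, cutoff="2021-11-30"):
    """Build the baseline from events before `cutoff` and evaluate the rest."""
    events = parse_log(log_text)
    history = [e for e in events if e["ts"] < cutoff]
    recent = [e for e in events if e["ts"] >= cutoff]
    return detect_anomalies(recent, build_baseline(history))


if __name__ == "__main__":
    for user, source, reason, rows in run():
        print(f"ALERT {user} on {source}: {reason} ({rows} rows)")
```

On the sample data, dave's first-ever pull from the customer table at 02:14 and alice's 4,000-row pull (against her usual 115) both raise alerts, while erin's three-row first look at an HR file does not: a first-time access on its own is routine, and it is the combination with volume that marks it as worth a human's attention. The baseline is frozen at the cutoff so that an attacker's own bulk pulls cannot quietly raise the bar for what counts as normal.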


No security posture can guarantee that your organization won’t experience a data breach or lose data to cybercriminals. However, you can use technology to cut off hackers’ paths to your data and, even when they do reach it, to reduce how often breaches occur and how much data is exposed.

Ron Bennatan
SVP & GM for Data Security | Imperva
Ron joined Imperva through the acquisition of jSonar, where he served as CTO and co-founder. He has been a “data security guy” for 25 years and has worked at companies such as J.P. Morgan, Merrill Lynch, Intel, IBM and AT&T Bell Labs. He was co-founder and CTO at Guardium, which was acquired by IBM, where he later served as a Distinguished Engineer and the CTO for Data Security and Governance. He has a Ph.D. in Computer Science and has authored 11 technical books.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit