Translated by
2019/02/19 16:07:28

Date leaks

With development of information systems of threat, proceeding from the staff of the organizations (insiders), became very serious long ago, and the damage from their actions is calculated by tens of billions of dollars. Constantly the flow of messages about the incidents connected with violation of the obligations and the rights by authorized users who intentionally sabotage the company grows and transfer information to competitors. At the same time also the business environment which relies upon outsourcing, the contract companies and third-party technology platforms more and more that leads to the fact that valuable business information becomes available to increasing number of people changes. In case of insider leaks access control and defense of perimeter will not help, the wrecker already is in perimeter.


Financial losses from leaks

Main article: Losses from date leaks

Financial losses from date leak cause an essential loss to business of the company, and can sometimes destroy it. If criminals cannot receive the redemption from the company, they offer data for sale. In more detail in article:

Leaks in Russia

Main article: Information leaks in Russia

Loud leaks

Below statistical data on information leaks are provided. Notorious incidents of information leaks are described in article:

Date leaks in a public sector

Main article: Date leaks in a public sector

Date leaks in medical institutions

Main article: Date leaks in medical institutions

The chronicle of incidents in the world

2019: Leakage of 30 billion records of personal data for the last 12 years

On January 28, 2019 the analytical center InfoWatch prepared the special digest devoted to the International day of personal data protection.

The event originates on April 26, 2006 when the Committee of ministers of the Council of Europe founded special date in honor of signing on January 28, 1981. Conventions "About Protection of Persons in connection with the Automated Data Processing".

The international day of personal data protection it is designed to draw the attention of society to such subjects as protection of personal information, personal privacy and also the principles of storage, processing and transfer of PDN.

In 12 years which passed from the first day of personal data protection, InfoWatch registered 14.3 thousand leaks of confidential information from business companies and the state organizations. More than 11 thousand leaks (78% from all base) are connected with cases of a compromise of personal data: Full name, addresses, e-mail, passport data, data on education, information on income, data on the state of health, political and religious views, national identity, biometric data.

Despite efforts which are made by the state regulators, business and public organizations it is not possible to stop an avalanche of leaks in the conditions of mass digitalization yet. In total since 2007 for January, 2019 more than 30 billion records of personal data, including more than 20 billion in the last two years flowed away.

Even small date leak can have a serious impact on the organization. The main negative effects – falling of share price, a crisis of confidence of investors and blow to reputation in the market. Besides, the company can face sanctions of regulators (large fines, passing of statutory audits, plans for upgrade of infrastructure of cybersecurity, etc.) and class actions from people whose data it did not manage to save from leak.

For subjects of personal data of an effect of leaks can be quite painful too. A lot of things depend on type of the compromised information and on its volume. For example, if someone merged to unfair advertisers the e-mail address of the person, then receiving spam will only become a negative effect for the user, most likely. In the same case if in hands of malefactors there is a big range of personal information on a separate subject, then the fraud risk is big. Criminals can make certain actions on behalf of the person of whose information they took control, forgery and credit fraud are also probable.


48% of the attacks were in the fourth quarter directed to data acquisition

In the IV quarter 2018 the number of notifications on personal data leakages continued to grow, the social engineering was used in every third attack, reported in Positive Technologies company on February 19, 2019. Besides, specialists of expert center of security Positive Technologies detected the hacker group aimed at the Russian banks.

According to the research, the number of notifications on personal data leakages continues to grow. Specialists explain it with enforcement of General Data Protection Regulation — the legal act setting rules of personal data protection of citizens of the EU. The companies which were held back incidents earlier after news of the first penalties and warnings will probably begin to notify more willingly clients on cyber attacks, analysts of Positive Technologies consider.

In the IV quarter of the last year 48% of the attacks were directed to data acquisition. It is interesting that during a half of them malefactors used the malware. First of all, (these are 28% of the attacks) criminals were interested in credentials (logins, passwords) for access to different services and systems, including to e-mail of staff of the companies.

The share of the purposeful attacks continued to grow: it made 62%. Experts note that malefactors even more often use "individual approach" for attacks to the organizations, and individuals suffer from large-scale infections with the malware. A third of the attacks on individuals was aimed at data acquisition. The greatest interest for malefactors provide credentials (in 60% of cases steal them), noted in Positive Technologies.

The share of the incidents which brought to criminals a sure pecuniary benefit grew by 6% in comparison with last quarter. In the IV quarter specialists of Expert center of security Positive Technologies noted activity of three groups attacking financial institutions — already familiar Silence and Cobalt and also the group aimed at the Russian banks. Malefactors sent harmful documents with macroes allegedly on behalf of FINTSERT and also through the compromised account of the employee of Alfa-Capital company. Despite similarity of both attacks with activity of the Treasure Hunters group, in a traffic analysis result experts drew conclusions on appearance of one more group of cybercriminals.

According to the experts Positive Technologies, social engineering in the IV quarter was used in every third attack.

The phishing to the staff of the company victim became already fulfilled scheme of malefactors within the purposeful attacks — the director of Expert center of security Positive Technologies Alexey Novikov noted. — So, in November our specialists detected a harmful investment in e-mails which allowed the malefactor to take the image from webcams, to write a sound, to do screen screenshots, to copy files from media devices. Criminals dexterously drew attention of addressees with a bright subject of the letter and the blurred image of the opening file on which looked through the coat of arms — so that the document had to cause trust and desire to get acquainted with it, having turned on a necessary script. While the victim saw the document stub on the screen, on the computer is imperceptible for the user the Higher Professional Education for remote control of Treasure Hunter which collected information on a system was established, sent it to a remote command server and accepted commands from it.

According to the head of the analytical department of cybersecurity of Positive Technologies Evgeny Gnedin, e-mails are often sent in the marketing purposes and contain buttons invitations for transition to the website.

We remind that before clicking such button in the letter it is necessary to pay attention addressed to the sender and also to the link where transition after clicking will be performed — Evgeny says.

Three quarters of leaks from the transport sphere have deliberate character

On February 11, 2019 the analytical center of InfoWatch company reported basic data on leaks from the enterprises of the sphere of transport: companies carriers, airports, stations, sea and river ports, carsharing companies.

The number of leaks in this industry segment in 2018 in comparison with 2017 was reduced by 6%, at the same time 75% more the compromised records of personal data are registered. From 55% the share of deliberate leaks grew to 76%. At the same time the share of deliberate leaks because of heads and employees was almost tripled: if in 2017 deliberate character only 18% of internal leaks, then in 2018 already had 50%. Significantly also the structure of the compromised data changed. Let's note that in 2018 the share of personal data grew from 71 to 79%, and a share of a know-how and commercial secrets from 3.5% to 14%.

The majority of leaks in the field of transport were the share of airlines and the airports. In 2018 the largest incident happened on the Asian continent. The Hong Kong airline Cathay Pacific (the 6th place in the world ranking of air carriers) reported that hackers managed to kidnap the given more than 9 million passengers: names, dates of birth, phone numbers, e-mail addresses, passport data. In particular, more than 860 thousand passport data are compromised.

The British Airways company notified the public that stolen there were payment and personal data of those clients who booked tickets on the official site and through the application during the period from August 21 to September 5, 2018. In the beginning the airline announced date leak of 380 thousand passengers, but found out later that an incident mentioned personal information of 185 thousand more human. The cyberpolice of Ukraine exposed the hacker on whose computer the complete database of one of the international transport companies is found. Affirms that the base contains personal data more than 120 thousand human. The Indian airline low-cost airline GoAir filed a lawsuit against the former managing director Wolfgang Prock-Schauer, having accused him of plunder of confidential information. Prock-Schauer in February, 2018 headed competitors of GoAir – the Indian airline IndiGo. Lawyers of GoAir submitted a number of documents in court, claiming that the former top manager stole the data representing a trade secret before passing to other work.

More than 5 thousand leaks because of actions of insiders are recorded

On December 28, 2018 the analytical center of InfoWatch company provided results of a global research of leakages of confidential data which happened because of actions of the internal violator in the organizations for the last five years. During this time in the world more than five thousand date leaks because of actions of insiders were recorded: staff of the organizations, top managers, contractors. Nearly two thirds of such "internal" leaks were accidental, as a result of more than 95% of all victims because of actions of employees of data writings were compromised by negligence, ignorance of rules of treatment of information or because of failure in data processing systems. From 2014 to 2018 for benefit of "internal" in comparison with "external" incidents of cybersecurity the ratio of power of leaks — the volume of the compromised data writings counting on one leak significantly changed.

The volume of the compromised data writings counting on one leak
Inadvertent leaks

Non-management employees throughout all studied period were the most "problem" link in an information security system of the organizations — about 80% of the total number of "internal" leaks on average fell to the share of the unprivileged user annually.

Distribution of "internal" leaks by responsible
Picture of modern 'internal' leaks approximately is as follows: it is a compromise of huge amounts of data because of errors of the legitimate user or failures of automated systems of processing. There are all bases to believe that the leaks made because of insiders are not less dangerous, than the hacker attacks. It is connected with increase in the amounts of data processed in the companies, growth of number of channels of communication and also increase in liquidity of data. Among the incidents of information security attracting a compromise of data, internal leaks remain the most difficult a link and require special attention from information security specialists. The hybrid model of protection when the attention of the security officer is concentrated both on data security, and on behavior of the user performing data processing becomes the most effective for the organizations. The last task can be solved, for example, using technologies of predictive analytics.
Sergey Hayruk, analyst of InfoWatch Group

In five years' distribution of "internal" leaks by types of the compromised data the most part of incidents are the share of personal data (PDN). At the same time, in dynamics for the last five years the share of PDN and financial data in the general selection decreases, at the same time the share of leaks of the most critical information — a state secret, a trade secret, know-how and a know-how significantly grows.

"Internal" leaks on types of the compromised data

In terms of intention for the studied period the share of the leakages of the most critical data types made intentionally — the state and trade secret and a know-how while leakages of the prevailing data type — PDN and payment information — even more often resulted from inadvertent actions of personnel also increased.

Distribution of leaks by intention and data type
Accidental leak is a direct financial threat to business as flows away as imparted, important personal information — personal and payment data. The companies process more and more data, human errors during the work with information are all more expensive, and not only figuratively — the compromise of noticeable amount of data without fail leads to large fines and payment of compensation by the victim. Deliberate information leaks happen much less often, but they can concern the most liquid data as internal malefactors have direct access to the most sensitive corporate information, know-how and know-how, and they have time and possibilities for preparation and a bypass of the systems of protection.
Sergey Hayruk, analyst of InfoWatch Group

As authors of a research note, the leaks made by negligence happen most often in the organizations of those industries where pay not enough attention to questions of digital literacy, and the direction of information security is improved more slowly. For the last few years the majority of accidental leakages of PDN happened in the field of medicine, education, the government and law enforcement agencies.

Distribution of accidental leakages of PDN by the industries

Accidental leaks, as a rule, happen through widespread channels of communication, such as Internet resources, including because of incorrect settings of cloud storages and shibok at the publication of data on the websites of the companies and departments, e-mail and paper documents.

Distribution of accidental leaks by channels of communication

Deliberate leaks most often happen in the organizations of those industries where data are most liquid - it is the organizations of the financial sector, industrial enterprises, the companies of the sphere of ICT and state structure. Malefactors who want to steal information from the employer, as a rule, avoid controlled communication channels — only 10% of the total number of "internal" leaks via the network channel had deliberate character. Most often internal violators take out documents, valuable to the organization, on removable mediums or announce loss or theft of the corporate equipment.

Distribution of accidental leakages of a trade secret and know-how by the industries

In 2017 on a share of privileged users — top management and system administrators, 8.5% of all deliberate 'internal' leaks were necessary. Bosses and other persons with unlimited access to data assets of the companies much more more often than non-management employees, allow deliberate leaks. In five years on average from 40% to 75% of the leaks provoked by privileged users had deliberate character.

Share of deliberate leaks depending on the user's type

Besides, among exclusive employees it is traditional above, than among ordinary personnel, a share of the "qualified" date leaks which are integrated to fraud and an illegal information access.

Share of the "qualified" leaks depending on the user's type

In the first half of the year 2018 1039 cases of date leak are recorded

On September 21, 2018 analytical center of InfoWatch company provided results of a global research of leaks of confidential information in the first half of the year 2018. In total for the studied period 1039 cases of leak of confidential information were registered that is 12% more, than the previous year. In particular, information volume, compromised because of hacker and other attacks under the influence of the external violator, decreased ten times, having been only about 0.5 billion records. At the same time as a result of violations in the organizations more than 1.5 billion data writings, including personal and payment suffered.

Total number of leaks for the first half of the year 2006-2018
The picture of leaks changes, to the forefront there are incidents with participation of insiders. Malefactors do not aim to take control of data just for the sake of data any more — in a non-aggregated type their cost is minimum. However knowledge which can be taken from these data with the help of modern technologies are of great value. The organizations generally operate with large volumes of structured data, aim to enlarge information warehouses. Results of our research show that the greatest risk of a compromise of information is connected with deliberate leaks, influence from within. Inadvertent leaks most often are automatically fixed by a system, but in a case with deliberate actions of the insider who locates a sufficient technology and temporary resource, it is more difficult to prevent date leak.
Sergey Hayruk, analyst of InfoWatch Group

Quantitatively two thirds of cases of information leak in the first half of 2018 — 651 incidents were the share of internal violators. Because of the external malefactor there were 358 leaks.

Share of deliberate leaks from the total number of leaks on the industries

In a number of the industries, such as banking sector and industry, 60% and more personal data leakages had deliberate character.

For the studied period 15 information leaks more than one million records, and 21 more mega-leak, more than 10 mlnzapisy are recorded. 2.3 billion records or 97% of total volume stolen in the world were the share of mega-leaks.

Channels of leaks

Still in the world the network channel of date leaks (70%) prevails. Through network difficult deliberate attacks which attract the greatest damage to the organizations, on a share of controlled channels of communication, such as mail services and paper carriers most often are implemented, the small percent of deliberate leaks — a little more than 10% is necessary. Accidental leaks for which commission special preparation is not necessary happen on different channels — along with network channels, the big share of leaks through paper carriers, e-mail is here too recorded and at loss or theft of the equipment.

Responsible for leaks

In distribution of categories by responsible for leaks non-management employees — 56% while on a share of privileged users — heads and system administrators, about 4% of incidents are necessary prevail. Even more than 3% of leaks were the share of contractors, 38% for malefactors, external in relation to the organization.

Distribution of leaks by information types

The most part of volume of leaks, as well as the previous year, the most sensitive information — personal and payment data — 90% of incidents makes.

Distribution of leaks by character

Still in distribution by character "unqualified" leaks which are not integrated to exceeding of access rights to information systems or use of data for the purpose of fraud prevail. The cumulative share of the "qualified" leaks in the first half of the year 2018 does not exceed 15%.

Distribution of leaks by the industries

The greatest number of leaks happened in the hi-tech companies (21.3%), medical institutions (19.5%) and state agencies (13%). On volume most of all records were compromised in spheres where the liquidity of data with which the personnel work is extremely high: in the sector of high technologies, including Internet services and large portals (25.6%), in state bodies (13%) and municipal authorities (20%).

InfoWatch: Every second case of theft of corporate data is connected with their transfer to the third parties

According to data of analytical center of InfoWatch company, in 2017 more than a half of incidents in the field of security of corporate information were connected with illegal copying of corporate information and transfer to her third parties — including to competitors of the company. Such data were obtained according to the results of a global research of the public incidents of security connected with destructive actions of the leaving or dismissed employee concerning the employer, reported on July 17, 2018 in InfoWatch.

The employee who made the decision on leaving the company often tries to exploit information of the company — the analyst of InfoWatch Group Sergey Hayruk noted. — It always has negative effects in the form of material damage and reputation losses. The direct loss to the companies employers as a result of destructive actions of the leaving or dismissed employees is recorded more than in 50% of the studied incidents.

According to authors of a research, the special danger by preparation for dismissal is constituted by actions of disloyal employees from among privileged users. Top managers, heads of departments and system administrators have access to a broad spectrum of corporate data to which the trade secret and production know-how belongs, for example, they well know business processes of the enterprise and can apply this knowledge, doing the maximum harm to the former employer.

In 2017 privileged users became the reason of 19% of the violations connected with a compromise of corporate data, more than 80% of cases occurred because of non-management employees. Most often at theft of corporate information by personnel the motive of personal benefit or work for competitors while heads in most cases go for violations out of revenge moves or are guided by other not mercenary motives.

More than a quarter of the violations which entailed damage to the employer were made by employees less than one week prior to dismissal — 28.6% of cases were the share of this time frame. About another 20% of violations happened several weeks prior to leaving. In most cases — 52.4% of incidents — destructive actions concerning the employer the employee made more than a month before the planned dismissal.

Approximately in every second case the departing employee took away with himself or browsed databases with personal information of colleagues, clients or partners. A third of the studied incidents was connected with theft from the company of commercial secrets and a know-how.

The greatest number of cases of destructive actions of personnel at dismissal is recorded in organizations of the medical sphere (27.8%) and the organizations of public sector (19.4%). Most less often departing employees abducted information of the enterprises of the sphere of trade (2.8%) and a transport complex (2.8%).

More than 60% of cases of unauthorized use of corporate information by preparation by the employee for dismissal were made in the companies with the number of staff from 100 to 500 people.

The behavior model of personnel when using corporate information resources does not give in to the analysis using the traditional systems of protection which do not consider subjective factors, cannot predict departure of the employee from the company and the risks connected with it — Sergey Hayruk added. — However means of predictive analytics which use the database of the company, including information flows develop, and thanks to artificial intelligence technologies and machine learning learned to process and analyze the Big Data which are saved up by the company. These tools are capable to foresee behavior of personnel with a fine precision, for example, beforehand to define employees who intend to leave the company and to prevent personnel and financial risks for the enterprises.



The volume of information compromised in Retail & HoReCa exceeded 100 million data writings

On November 29, 2018 InfoWatch provided results of a global research of leaks of confidential information in the companies of the sphere of retail, hotel business and public catering (Retail & HoReCa). Experts of Analytical center studied more than 300 cases of date leaks from the enterprises of the industry which happened in 2016-2017. Volume compromised in the industry of Retail & HoReCa of information for the studied period exceeded 100 million data writings, at the same time in 2017 there was a sharp growth of number of the incidents connected with leak of payment information — up to 60% against 40% the previous year. It is the highest rate of a share of leaks of financial data among all industries in world distribution.

Share of leaks of payment data
Share of leaks of payment data in a segment of key consumer services – retail, hotel business and public catering – even above, than in the organizations of the financial and credit sphere which traditionally was considered as the main target for thieves of sensitive information. Sharp growth of leaks of payment data in retail is connected with the fact that the industry is in an active phase of digital transformation when other payment methods and customer interactions, and information volumes which are processed in retail chain stores, hotels, restaurants and cafe are implemented, promptly increase. Integration of storages of such data increases interest in them from malefactors.
Sergey Hayruk, analyst of InfoWatch Group

55% of incidents in the studied industry in the world were integrated to the external attacks which in 70% of cases led to leak of payment data. Because of insiders there were 45% of the total number of incidents, from them about a half were connected with leakage of financial information. At the same time the most sensitive information — a trade secret and a know-how — flowed away because of actions of staff of the organizations of the sphere Retail & HoReCa five times more often than because of malefactors, external in relation to these organizations.

Leaks on information type

The considerable share of incidents in the field of Retail & HoReCa in 2017 fell on deliberate leaks — 65% of the cases recorded in the world.

Leaks on intention

At the same time based on a research, approximately every tenth date leak from the organizations of spheres of retail, hotel and restaurant business in the world is recognized "qualified", i.e. integrated to fraudulent activity on the basis of data or receiving an illegitimate information access for the purpose of obtaining personal benefit.

Types of incidents

Nearly three quarters of incidents in the world in the enterprises of the sphere Retail & HoReCa fell on the network canal, in such cases data were compromised via the browser or a cloud resource.

Channels of leaks
Attacks to the organizations of the industry of retail, hotel and restaurant business are made from external and internal malefactors practically with an identical frequency, and in both cases the most sensitive data generally suffer. External malefactors most often aim at the most liquid payment information which can be received by rather simple methods, for example, using phishing letters, a skimming or the websites counterfeits. Insiders have access to the most valuable internal information and, as a rule, have sufficient temporary and technical resources for preparation and a bypass of complex systems of data protection in the organizations. Therefore internal malefactors are dangerous to the most critical business information where in addition to financial and personal data, the trade secret and a know-how of the enterprise also enters.
Sergey Hayruk, analyst of InfoWatch Group

The share of Russia in universal selection of leaks of the organizations of spheres of retail, hotel and restaurant business made about 10%. All incidents in the studied industry which were recorded in our country took place because of internal violators. 42% of cases fell to the share of deliberate leaks. At the same time in Russia, in comparison with world selection, the share accidental and four times — the qualified leaks is twice higher. According to authors of a research, the big share of accidental leaks can be connected with rather low level of digital literacy and cyberhygiene of both users, and suppliers of goods and services in the field of HoReCa, at the same time the considerable share of the qualified leaks testifies to insufficiency of the current measures and level of protection. Besides, experts noted, process of digitalization of the Russian retail still is in a formation stage, so, in half of cases theft of corporate data was performed by means of paper carriers.

The global volume of information leaks increased four times

Volume compromised in the world as a result of leakages of data writings, including social security numbers, details of plastic cards and other crucial information, in 2017 grew in comparison with previous year more than four times - from 3.1 billion to 13.3 billion records. In total in a year in world media and other open sources 2131 cases of date leak from the organizations were recorded — it is 37% more, than in 2016, follows from data of the research InfoWatch.

About 13 billion records or nearly 99% of total volume of data stolen in the world, fell on 39 mega-leaks from 10 million records everyone. In comparison with 2016 the number of such leaks in the world was reduced by 12%, at the same time the volume of the compromised records counting on one mega-leak increased almost five times to 336 million records.

"Growth of volume of the compromised data writings and increase in "power" of leaks exceeded all most courageous forecasts that is in many respects connected with change of approach to storage and data processing. If earlier customer information, employees, citizens was stored and processed separately, in branches and divisions of the organizations, then with development of technologies of the state and company aim to provide the centralized collection of information that it is the most effective to use opportunities and computing powers for extraction of new knowledge from data bulks", - the analyst of InfoWatch Hayruk Sergey noted.

The share of mega-leaks which were caused by actions of internal violators increased up to 54% in 2017, the previous year this indicator was at the level of 13%. Internal violations became the reason about 60% of all cases of leaks. The most part from them had on non-management employees — about 53% of cases that is 10 items higher, than in 2016. Because of privileged users whom treat top management, heads of divisions and also system administrators there were about 3% of cases of leaks. External malefactors became the reason of 41.7% of leaks. At the same time on the nature of incidents about 83% of cases fell on unqualified leaks which were not integrated to exceeding of access rights or use of data for the purpose of fraud.

86% of leaks were connected with theft of personal data and financial information, however their share decreased by 7 items in comparison with 2016. At the same time the share of leaks of payment data in a year increased by 13.8 items, having exceeded 20% in the general distribution.

For the 1st half-year 7.78 billion records with personal and payment information are compromised

On October 10, 2017 it became known of the 8-fold growth of volume of leaks of confidential information in the world. And almost all data were compromised as a result of 20 large-scale incidents.

According to the InfoWatch company specializing in information security in the first half of 2017 there was a leakage of 7.78 billion records to personal and payment information on a global scale against 1.06 billion records according to the results of the same period of previous year. Besides, it is twice more than number of data which fell into hands of the third parties for all 2016 (3 billion records).

The volume of date leaks in the world increased by 8 times

98% of data were lost as a result of large incidents which InfoWatch calls "megaleaks" when more than 10 million records of confidential data were at disposal of the third parties. In total in the company recorded 20 such cases.

The universal trend on increase in number of leaks and volumes of the compromised data, according to us, is set not by(with) features of certain regions, but new opportunities which are connected with use of information in the digital world, such as transfer of services to an electronic form, e-commerce, electronic money, objects of the exclusive rights (intellectual property) in a digital form, said in the research InfoWatch.

For the first half of the year 2017 there were 925 leakages of confidential data that is 10% more, than for the same period of 2016. 384 such incidents occurred because of external intervention (in particular, because of hackers). Internal violations (for example, because of the staff of the companies) became the reason of 520 more leaks. The reason of 21 more leak did not manage to be set.

The Gemalto index for the 1st half-year: 918 leaks compromised 1.9 billion records

In the first half of 2017 of 918 leaks led to the fact that 1.9 billion records were compromised worldwide. In comparison with the second half of the year 2016 the number of the lost, stolen or compromised records increased by 164% − this number cannot but shock. The most part of data was stolen owing to the most large-scale leaks numbering 22 cases, each of which brought to more than to one million compromised data writings. From 918 leaks more than in 500 cases (59% of all precedents) the number of the compromised records remained to unknown or was not [1].

According to Breach Level Index, since 2013 was promulgated more than 9 billion data writings from the moment of the beginning of assessment of the published date leaks by means of the index. For the first half of the year 2017 more than ten million records daily, or hundred twenty two records every second, including medical data, financial data and/or data of credit cards and also identification personal data were compromised or subject to this risk. It especially guards as less than 1% stolen, lost or the compromised data used the protection using enciphering allowing to turn them into useless information, and this indicator decreased by 4% in comparison with the second half of the year 2016.

Main sources of date leaks

The most part of date leaks (74%) reflecting growth of cases by 23% happened owing to malicious actions. However this source recorded only 13% all stolen, lost or the compromised data writings. The internal attacks of malefactors make only 8% of all leaks, and the number of the compromised records from 500 thousand increased to 20 million that exceeds an indicator of last half-year more than for 4.114%.

The predominating types of date leaks

For the first half of the year 2017 identity theft which made 74% of all leaks that is 49% more, than last half-year was the main type of leaks. The number of the compromised data as a result of identity theft increased by 255%. The most significant changes occurred in category of annoying leaks which are 81% all lost, stolen or the compromised records. However the quantity of the recorded cases of such annoying attacks is only a little more than 1% of all leaks. The number of the compromised data as a result of attacks on access to accounts decreased by 46% that occurred after significant growth, according to the annual report of Breach Level Index for 2016.

The largest enterprises affected by date leaks

At most the enterprises traced by the Index of criticality of date leaks, the number of the compromised, stolen or lost data writings increased more than by 100%. In the field of education one of the greatest indicators of growth of leaks (103%) with increase in number of the compromised records more than for 4.000% was recorded. It is result of the internal attacks of malefactors which compromised millions of records in one of the largest private educational companies of China. In the field of health care rather similar indicator of date leaks in comparison with the second half of the year 2016 was observed, but the number of the stolen, compromised or lost records increased and was 423%. Among five objects, the most affected by large-scale date leaks for the first half of the year, there are National medical authorities of Great Britain where the number of the compromised records exceeds 26 million. In the financial sphere, the government sector and the sphere of entertainments significant increase in number of leakages of data writings was also observed. For the first half of the year 2017 in the field of entertainments 220% more cases of leakages of data writings were recorded.

Geographical distribution of date leaks

North America still remains the leader in a total quantity of date leaks and the compromised records, both these indicators exceed 86%. The number of date leaks in North America increased by 23%, and the number of the compromised records promptly grows, having increased by 201%. Traditionally in North America always fixed the greatest number of the published leaks and corresponding records, however this situation will change in 2018 when global regulatory legal acts about data protection, such as "General regulations on data protection in the EU" (European General Data Protection Regulation, GDPR) and amendments to the law on non-proliferation of confidential information of Australia come into force (Australia’s Privacy Amendment Act (the registered date leaks). At the moment in Europe only 49 date leaks (5% of a total quantity) were recorded that is 35% less in comparison with the same period of last half-year.


More than 2 billion records PDN flowed away from the hi-tech companies

The analytical center InfoWatch at the end of November, 2017 published results of a research of date leaks from the organizations of the sphere of high technologies. The number of such leaks in the world for 2016 increased approximately by a third, and the volume of the compromised information increased more than by eight times. Nearly three quarters of all data compromised in the world — about 2.3 billion records of which 87% made personal data (PDN) of citizens fell to the share of the hi-tech companies.

We observe growth of number of leaks and volume of the compromised data of the hi-tech companies for which information, including client is, as a rule, a key asset therefore any leak is very sensitive for business — the analyst of InfoWatch Group Sergey Hayruk noted. — In 2016 data of hundreds of millions of users of such popular resources as Facebook, Foursquare, GitHub, iCloud, LinkedIn, MySpace, Snapchat, Telegram, Tumblr and Twitter were stolen. Hackers with success attacked the largest mail services — Gmail, Hotmail, Yahoo,, abducted data of clients of telecommunication companies, including Deutsche Telekom, Three UK, Verizon and other operators.

Compromise more than 95% of data in the field of high technologies in 2016 31 "mega-leak" with damage caused more than 10 million records everyone. In structure of leaks the volume of affected PDN of citizens significantly increased, shares of payment information, a trade secret and a know-how were reduced.

Despite growth of number of leaks because of the external violator, cases of leaks in the companies of a hi-tech segment are also very dangerous. So, the number of leaks because of the external malefactor in the field of high technologies increased in a year almost by 15% while change in distribution of damage depending on a vector of influence is minimum.

In 2016 in the organizations of the sphere of high technologies the number of cases of deliberate information leaks and also a share of the qualified leaks which are connected with fraud or exceeding of access rights increased.

Aggregating large volumes of user data, players of IT market willingly use technologies of the analysis of the structured and unstructured information — Big Data and other means which technology level and functionality significantly grew — Sergey Hayruk explained. — But in process of increase in volumes of the generated, processed and stored information also risks of the external attacks on corporate resources increase. Along with it influence of internal violators grows, so, not only means of protecting from hackers, but also the modern multifunction DLP systems for information loss prevention are required for the IT companies. Due to growth of number of the qualified leaks it is necessary to think also of inclusion in an arsenal of protection of the UBA functions — behavioural user analysis.

A third of leaks in the Middle East is connected with commercial or state secret

The analytical center InfoWatch published on November 16, 2017 results of a research of leaks of confidential information from the organizations in the countries of the Middle East in nine months 2017. Messages about a compromise of data of commercial and non-profit organizations and also state bodies which were published in media and other open sources got to focus of a research.

In most cases leaks of confidential information in the countries of the Middle East happened owing to the external attacks. If in universal selection they became the reason of 40% of cases of a compromise of data, then in the explored region 80% of incidents fell to the share of the external attacks.

At the same time an internal violator often was the privileged user — the system administrator or other technical employee with expanded access rights to information. Nearly 12% of cases of leaks of confidential information fell to the share of such malefactor in the countries of the Middle East, in universal selection this digit made only 1%.

Distribution of leaks by types of the compromised data and the affected industries in the countries of the Middle East also differs from universal trends. Every fourth case of leak in the explored region concerned information connected with a trade secret (know-how) while in the world this indicator did not exceed 3%. 12.5% of cases fell to the share of leakages of the state secret, on universal selection the number of similar incidents did not reach also 4%.

A half of all date leaks in the Middle East fell on the organizations of the financial sector and industry. In the world this indicator did not exceed 16%.

As well as around the world, the web browser and cloud storages were the most popular channels of date leaks in the explored region — 82% of cases were the share of them. The second most popular channel of information leaks — removable mediums. Other incidents are connected with theft and loss of the equipment, paper documents or date leak via e-mail. In universal selection on leaks of confidential information via the browser and cloud storages 61% of incidents, via e-mail — 23% of cases, fell on theft of paper documents — 8% of leaks.

InfoWatch: For 2016 3 billion records PDN are compromised

According to analytical center InfoWatch, in 2016 93% of information leaks in the world were connected with a compromise of personal data (PDN) and payment information. In total for 2016 in the world more than 3 billion records PDN were compromised that exceeds a similar indicator three times for 2015.[2]


According to the international information security experts, users lost control over the data long ago. At the same time, extremely low level of civil culture of the address with personal information remains one of the main factors which causes a problem of leakages of PDN still.

The Gemalto index in a year: 1792 incidents compromised 1.4 billion records (+86%)

In 2016 in the world 1792 incidents which led 1.4 billion data writings to a compromise that is 86% higher in comparison with 2015 were recorded. Besides, it is noted that plunder of personal data became the most widespread type of leaks. In 2016 – 59% of all recorded incidents fell to the share of such attacks. Besides, in 52% of cases at the publication of information on leak in 2016 the companies did not announce quantity compromised [3][4][5] ].

As a result of an attack to base of credentials of users of AdultFriend Finder 400 million records were compromised, and an incident got the maximum point (10) in the Index of criticality of leaks. Among other large leaks recorded in 2016 – an attack to Fling (BLI: 9.8), leak in election commission on Philippines (COMELEC) (BLI: 9.8), 17 Media (BLI: 9.7) and Dailymotion (BLI: 9.6). Actually, more than a half of all compromised data writings fell to the share of 10 largest and large-scale leaks. In 2016 the Internet giant Altaba (before Yahoo) announced two large leaks as a result of which 1.5 billion accounts of users were compromised, but these leaks were not included into the BLI index for 2016 as incidents were dated 2013 and 2014.

In Russia among all date leaks, it is possible to select several most significant. The largest among them is an attack to base of the credentials (BLI: 9.0), during which more than 25 million records were compromised. Data included user names, the email addresses, the ciphered passwords and dates of birth, in certain cases malefactors also managed to learn the IP addresses of users and their phone numbers. Among other leaks recorded in 2016 in the territory of the Russian Federation – an attack on the multiportal (BLI: 8.1) and the company on Nival software development (BLI: 8.1). The share of kidnapped persons of data in both cases makes more than 1.5 million accounts.

Date leaks on type

In 2016 plunder of personal data became the most widespread type of incidents – 59% of all date leaks fell to the share of such attacks that is 5% higher, than in 2015. Leakages of accounts of users became the second in prevalence type of date leaks in 2016. Though the number of leaks of this kind was reduced by 3%, 54% of all compromised records fell to their share that is 336% higher in comparison with last year. It demonstrates to a new trend when malefactors are reoriented from the attacks for the purpose of receiving financial information on attacks on large databases with large volumes of identification and personal data. The category of the insignificant attacks (nuisance category), the number of incidents in which increased by 102%, became one more widespread type of incidents, but to the share of which 18% of all compromised data writings fall that is 1474% higher in comparison with 2015.

Date leaks on a source

The greatest number of leaks was organized by the malefactors acting from the outside of the organizations – 68% of all incidents fell to the share of such attacks that is 13% higher, than in 2015. The number of the compromised data writings as a result of actions of third-party malefactors increased by 286% in comparison with 2015. The number of the date leaks organized by hackers activists also increased in 2016 – by 31%, but only 3% of all incidents recorded last year fall to their share.

Date leaks on the industry

By the industries the largest growth of number of leaks in 2016 fell on the technology sector. The number of incidents grew by 55%, but nevertheless only 11% of all leaks for the last year fell to their share. Nearly 80% of all incidents in this sector are connected with plunder of accounts and personal data. Besides, 28% of all compromised data writings in 2016 fall to their share that is 278% higher, than in 2015.

28% of all date leaks were the share of the enterprises of the industry of health care that is 11% higher, than in 2015. However the number of the compromised data writings in this industry decreased by 75% in comparison with 2015. In the sector of education the number of date leaks in a year decreased by 5%, and the number of the compromised data writings dropped by 78%. 15% of all date leaks in 2016 fell to the share of public institutions. However the number of the compromised data writings grew by 27% in comparison with 2015. 12% of all date leaks fell to the share of the companies of the financial sector that is 23% lower in comparison with last year.

13% of all date leaks and 36% of the compromised data writings fell to the share of other industries. In this category the total quantity of date leaks decreased by 29%, however the number of the compromised records grew by the whole 300% in comparison with 2015. At the same time the majority of date leaks were the share of social networks and the websites of the companies from the industry of entertainments.

In 2016 the number of the incidents mentioning in whole or in part the ciphered data was 4.2% of the total number of incidents whereas in 2015 this digit made only 4%. Regarding these leaks ciphered was only the password, and other information was not ciphered. However from nearly 1.4 billion compromised, lost or the stolen data writings in 2016 only 6% in whole or in part were ciphered (in comparison with 2% in 2015).

InfoWatch registered 1556 cases of leaks in the world

Based on a global research of leaks of confidential information in 2016 by Analytical center InfoWatch it was recorded 1556 [6] of date leaks from the organizations — is 3.4% more, than in 2015. From the traditional three of the countries with the greatest number of leaks, the significant splash was observed only in Russia where 213 leaks of confidential information — 80% more were registered, than the previous year. On number of the leaks registered by analytical center InfoWatch, Russia is between the USA and Great Britain where the number of leaks remained approximately at the same level, as in 2015 — 838 and 67 leaks respectively.

In global structure of the compromised information data on users prevail: 93% of leaks were connected with theft of personal data (PDN) and payment information.

For the studied period in the world more than three billion records PDN — three times more, than in 2015 were compromised. Also more than three times, to two million, the median number of the records stolen as a result of one leak grew.

The most part of the stolen personal data, namely 94.6%, fell on 44 "mega-leaks", as a result of each of which not less than 10 million records PDN "flowed away". In 2016 the number of "mega-leaks" grew more than twice. 79 leaks more than one million records everyone are recorded.

In 2016 in the world the quantity of personal data leakages increased by 4 times in comparison with last year and was nearly 3.1 billion records.

In 2016 in the world experts recorded growth of cases of a personal data leakage by 300% in comparison with previous year. The number of the stolen records was 3.1 billion.

The number of leaks which we managed to collect grew slightly. But very much the number of the flowed-away records of personal data — considerably grew by 300% growth. 3.1 billion records were lost last year because of personal data leakages". So, in 2016 44 "megaleaks" as a result of which more than 10 million records were stolen were recorded, in 2015 such cases was twice less.

According to Natalya Kasperskaya, cybercriminals steal data arrays in order that it is profitable to sell them. Also she noted that recently the trend – increase in number of leaks as a result of external cyber attacks is observed.

The number of accidental date leaks increased

On December 13, 2016 the analytical center InfoWatch provided results of a comparative research of date leaks in the organizations. The research included leaks from 2013 to 2015, certain how actions of internal violators.

Analysts noted growth of a share of date leaks in the studied period on 34 percent points (items) - to 79.7%, as a result of accidental actions of employees. In 2013 the bulk of sensitive data which personal data (PDN) concern, payment information, the state and trade secret and also know-how, was compromised in the organizations as a result of commission of deliberate leaks. In 2014-2015 the most part of losses of information, critical for business, happened owing to inadvertent actions of employees.

Distribution of "internal" leaks by intention and data type, 2013 - 2015, (2016)
Distribution of "internal" leaks by intention and data type, 2013 - 2015, (2016)

In comparison with 2013, during the studied period in structure of internal leaks the share of payment information increased — more than by eight items, a trade secret — more than by five items, at the same time more than the share of leakages of PDN decreased by 10 items.

Distribution of "internal" leaks by data type, 2013 - 2015, (2016)
For last three years "internal" leaks did not become less dangerous, but their nature changed. It is connected with increase in the amounts of data processed in the companies, growth of number of channels and methods of transfer and also the increased liquidity of data. The most part of leaks happens because of human errors. Any data, including the most critical and sensitive can be as a result compromised, and the extent of the caused damage is limited only to the volume of the stored information. For risk minimization, connected with information security, it is necessary to provide blocking of accidental leaks, control of employees as in "a risk zone" where employees with special access rights, beginners or once "guilty", and out of it belong.

In 2015 the share of internal date leaks from the total number of the known cases of leaks of confidential information made 65% and 72.8% the previous year. Average amount of data, compromised as a result of each internal leak, reached 347 thousand and 340 thousand records in 2014 and 2015, respectively. Authors of a research noted decrease in a share of the information leaks which happened because of "exclusive" users including heads and system administrators of the organization more than on nine items. Their wrongful acts still lead to much more serious effects, than actions of non-management employees.

During the period from 2013 to 2015 the share of accidental date leaks via e-mail, paper and removable mediums decreased, and the share of leaks by means of network channels, the Internet increased. As a result of accidental leaks via the network channel in 2015 295 million records, categories PDN and financial information are compromised ~, the number of such records in 2013 and 2014 reached ~ 97.9 million and ~ 118.2 million respectively.

Global research of leaks of confidential information in the I half-year 2016

InfoWatch Group announced in September, 2016 that growth of number of leaks of confidential information for the first six months 2016 was 16% in relation to the corresponding period of last year. Such data are provided by analytical center InfoWatch in the report on results of "A global research of leaks of confidential information in the I half-year 2016". For the studied period more than 1 billion records of personal data (PDN) — more, than for all 2015 were compromised. Thus, the annual average value of number of the stolen records PDN exceeds a similar indicator of 2015[7] twice[8].

The greatest number of information leaks was recorded in the USA: 451 cases, or 54% of all happened leaks. Russia with 110 date leaks traditionally takes the second place, saving it more than three years. Further there is Great Britain where 39 leaks were revealed. In total for January-June, 2016 experts of analytical center InfoWatch register 840 cases of leaks of confidential information.

In two thirds of cases of date leak occurred because of internal violators. Only one third of all information leaks fell on the external attacks, but damages from them are still assessed above: on average about 2.4 million and 0.8 million compromised records PDN respectively were the share of each external and internal leak.

Besides, 23 "mega-leaks" of which 92% of all stolen records PDN were the share were recorded. The damage of each of them was more than 10 million PDN, 16 of 23 "mega-leaks" fell on the external attacks. Without "mega-leaks" the largest volume of records — more than 45 million PDN — was stolen from the companies of the hi-tech sector, including Internet services and web portals.

Experts of analytical center InfoWatch noted reduction of number of leaks using data transmission via the network channel though on this method, including sending via the browser and also cloud storages, still it is necessary to a half of all cases of date leak. The share of thefts of information on e-mail and on removable mediums increased. Shares of leaks as a result of theft/loss of the equipment and paper documents decreased. Least of all leaks happened to use of mobile devices.

In the first half of the year 2016 the organizations of the medical sphere where date leaks were fixed most often (23% of all leaks), the least vulnerable — municipal authorities (less than 3%) were the most vulnerable.

Most attractive to malefactors became the companies of the sphere of trade, the financial and banking sector. In them the share of deliberate leakages of PDN which demanded cracking of information security systems made 70% and more.

2010: InfoWatch: In the world for the 1st half-year there were 382 incidents

The InfoWatch company provided at the end of 2010 results of a research of leaks of confidential information for the first half of the year 2010 according to which for this period (181 days) 382 incidents were registered (2.1 leaks a day).

According to the report of 169 incidents from the total number of the registered incidents made deliberate leaks (44.2%), and 185 – accidental (48.4%). At the same time the number of deliberate leaks in comparison with the same period of last year was reduced by 11.7% that is connected with active implementation in the corporate sector of solutions for confidential information protection. Total number of the compromised records in the first half of 2010 was more than 539 million.

The number of accidental leaks in the first half of 2010 in comparison with the same period of 2009 increased by 9.4% (185 incidents against 161 leak in 2009). Analysts of InfoWatch connected this growth with the fact that still mobile information media (notebooks, a flash drives, mobile communicators, etc.) remain the most popular channel for accidental leaks as users of similar devices often neglect means of data encryption.

Paper carrier became other frequent reason of accidental leaks: it is more difficult to check it, than electronic. For example, after a release of the sheet from the printer it is possible to monitor it only "manually":

"Control of paper carriers is weaker than control of computer information. Many means of protecting from leaks (it is impossible to call them the full-fledged DLP systems) do not control information output channel on the printer – so confidential data easily go beyond the organization", – Fedotov Nikolay, the top analyst of InfoWatch company reported.

The multifunction DLP systems which block sending for printing of the unlawful information allowed to solve this problem and check compliance of the postal address and the addressee.

(73.8%) and state (16%) the organizations remained the main sources of leaks of confidential information in the first half of 2010 still commercial. About 8% of leaks come from educational institutions. The nature of the flowing-away confidential information – personal data (nearly 90% of all information leaks).

The USA and Great Britain (also the five of the countries on the greatest number of leaks included Canada, Russia and Germany with significantly lower indicators) were leaders in leaks in the world then that is connected with feature of the legislation of these countries ordering to announce all incidents of leakage of confidential data. Analysts of Infowatch predicted reduction of a share of accidental leaks and growth of a share of intentional next year.

Channels of potential date leak

Methods of work of malefactors

"Buying up" of data in regions

  • Interviewing of unfairly dismissed / offended
  • Financing of insiders
  • Digitization of paper carriers

Remote mobile access

  • Creation of the malware
  • Interception of useful traffic
  • Use of regular instruments of remote access

"Processing" of garbage

  • Data recovery

  • Collecting and resale of accidental, unformatted and/or irrelevant data

Unauthorized shooting

  • Recognition of pictures

  • Remote access to mobile devices
  • Cracking of social networks

Classical cracking

  • Search new and operation of the known vulnerabilities in software


As prevent leaks in Russia: research SearchInform

On February 1, 2017 the SearchInform company announced situation analysis results in the field of confidential information protection among the organizations of the Russian Federation in 2016.

Even more often data protection is charged to cybersecurity specialists – 42% of the Russian companies employ professionals for cybersecurity tasks. For comparison: in 2015 the indicator reached 22%. In other companies IT departments or heads are engaged in protection.

Most often cybersecurity departments are provided in the companies Orenburg (52%), [[Moscow|Moscow[[and Kazan (48%), Khabarovsk (47%).

Slightly more than a half (63%) of the staff of departments of information security have profile education. Most often professional staff employ the organizations: Irkutsk – 98%, Krasnodar – 95%, Orenburg – 86%, Omsk – 82% and Yekaterinburg – 71%. Most less often profile specialists can be met in the organizations of Ufa – 18%.

34% of the Russian companies do not protect the confidential data. The others are more vigilant and use different tools for protection against leaks:

Every day the number of channels via which there is information exchange grows. In 2016 the companies of Russia first of all protected e-mail, external carriers and documents sent to printing - this indicator grew by 3%. In other cases the attention to popular channels of communication decreased:

Part of the companies consider that the best method to avoid information leaks on certain channels – to prohibit them – so do 53% of the polled companies.

47% of the companies consider that prohibition of channels will not stop the insider, and leave all channels open, preferring control.

  • 46% of the companies do not notify employees on existence of control systems and protection.
  • 30% – report and suggest to sign the additional agreement.
  • 24% of the organizations inform workers, but do not sign any papers with them.

75% of the Russian companies instruct by rules of information security. Last year this indicator was 3% less.

86% of the Russian companies suggest the workers to sign the nondisclosure agreement of confidential data.

Data of InfoWatch

In 62% of cases internal violators in the organization became the reason of leak, at the same time it was precisely established that more than a third of cases of leaks occurred because of employees, privileged users, including heads, system administrators. The share of information leaks on the party of contract organizations made 6%.

Still date leaks via the network channel which share grew by 11.6 percent points (items) up to 69.5% prevail. Shares of leaks via removable mediums, mobile devices remained at the level of 2015. On seven percent points (items) up to 10.8% the share of information leaks on paper documents, was reduced to 4.8% twice — as a result of loss of the equipment and by 1.1 items up to 8.5% — by e-mail.

In 2016 distribution of leaks between averages (up to 500 PCs) and large (more than 500 PCs) the organizations turned out approximately equal both on number of leaks, and on the volume of the compromised data.

Most often date leaks came from the organizations of the medical sphere (25.8%), high technologies (14.9%), state agencies and security agencies (13.8%), and educational institutions (10.6%). Most rare — from municipal authorities (4.4%), the industry and transport (3.9%).

The largest volume of the compromised personal data fell on the organizations which systemically use personal information in the work: companies of the hi-tech sector (73.6%), trading companies, hotels and restaurants (11.9%). 9.9% of all stolen PDN were the share of state bodies and municipal authorities.

The most attractive to malefactors, as well as the previous year, were trading and transport companies to which in 2016 also financial institutions were added. In these industries more than a half of the leaks which were followed by theft of PDN had deliberate character.

Every fourth date leak in financial institutions happens because of the lost devices

The reason of every fourth date leak which happened in financial companies and banks of the USA for the last few years are the lost mobile devices, and only every fifth leak resulted from the hacker attack. 14% of incidents took place on randomness, and another 13% were caused by insiders. Loss of paper documents became the reason of a number of leaks also.

According to the The Register edition with reference to cybersecurity experts of Bitglass company, for the last decade over 60 organizations of the financial sector (including the largest banks) regularly became the victims of leaks. In 2015 financial companies faced 87 date leaks – 42 more, than in 2014. In the first half of 2016 already managed to announce 37 banks (5 of them enter the twenty of the largest banks of the USA) [9] leaks.

One of the largest financial institutions of the USA, JP Morgan Chase, since 2007 regularly faces information leaks. In 2014 the organization announced the most large-scale for all history of its existence to the attack which became the reason of date leak of 83 million clients of JP Morgan Chase.

The report of Bitglass is made on the basis of the data received since 2006 from open DB and government white papers.

Bank leaks: insiders, internal violators, paper

On June 8, 2016 analysts of InfoWatch announced growth of a share of bank leaks more than by 37 times, in the last two years: from 0.3% to 11.2%[10].

Office Lloyds Bank, (2014)

The most common cause of leak - action of the insider who initiates it. In Russia, at the same time, a situation with financial leaks one of the worst in the world: by their quantity the country takes the second place.

According to the conclusion of analysts of InfoWatch, about 45% of all leaks are the share of small banks - such share turns out if not to consider the largest leaks. Large banks received a big share in number of leaks, but small banks are not protected from problems.

In 2015 the largest players of financial market suffered from leaks: Bank of Scotland, Banque Cantonale de Geneve (BCGE), Citibank, Equifax, Federal Reserve Bank of New York, HSBC, JPMorgan Chase, Lloyds Bank, Morgan Stanley, PayPal, UniCredit, Wachovia Bank (Wells Fargo Bank) and some other.

At the end of 2015 Russia occupied the second the place on number of leaks in the financial sector, besides the share of bank leaks in the Russian Federation is more, than on average in the world: 16% against 8.6%.

In 73% of cases lost there were personal data of clients of the Russian banks. InfoWatch noted the probability of serious effects as a result of leaks of this kind: "only as a result of the incidents which became known for media over 22.5 million records of personal data flowed away".

In 70% of cases the so-called internal violator – one of the staff of banking organization became "enemy". It concerns, both the accidental, and thought-over thefts of personal data.

The most widespread way of leaks – sending data retrieveds through network services. Account numbers, data of balance, details of payment cards, personal data of clients and so on are so transferred payment information. 35.7% of all leaks were the share of this canal

"Network" leaks are characterized by the high level of criticality of data and huge volumes of the compromised information, analysts of the company researcher noted.

The second most popular channel of leaks – traditional paper. In 13.2% of cases the malefactor it is banal printed the stolen data and carried away them. Other 51.1% of leaks fell on less popular canals: theft or loss of the equipment, copying of data on removable mediums, etc.

In the banking sector growth not only leaks, but also incidents of information security in general is noted. In spite of the fact that the financial sector – one of the most regulated in terms of data protection, a situation remains difficult: abduct both money, and personal data, and payment information from banks. Now it is very important to banks to undertake the real measures directed to reduction of risk of information security: implement means of protecting, build the accompanying protective processes, provide timely control and response to the allowed incidents. And all these measures should be applied in a complex.

Maria Voronova, the leading expert on information security of InfoWatch company

According to Zecurion Analytics, on the third place among the industries, the most subject to leaks, banking sector. 12.9% of all leaks fall to the share of banks at the end of 2015. First place is won by state structures (17.9%), and the second – retailers (13.1%). At the same time among the compromised information types the share of financial data of natural persons almost twice grew: credit card numbers, money deposits, account transactions. The share of such data reached 19.1% of all incidents for last year. Other personal data, including the e-mail addresses and passport data, are still in the lead among information types which share of 58.2%.


Encoded mail, social networks and USB carriers

The most relevant channels of potential date leak became:

  • the encoded e-mail (including personal, on free services),
  • social networks and
  • USB carriers (USB sticks, external hard drives, etc.) (these researches of MFI Soft company, April, 2013).

Slightly less cybersecurity specialists worry for printers and Internet messengers (excepting Skype).

Image:каналы потенциальной утечки данных.jpg

When choosing the DLP systems (protection against information leaks) the most part of respondents pays special attention on the speed of receipt of notifications on violations of information security policy – according to specialists, a system should notify the operator in real time. Also note importance of simplicity of integration with other elements of information security (means of data encryption, firewall, etc.). The smallest priority cybersecurity specialists give possibilities of blocking of actions of the user, explaining it with concerns for reduction of speed and qualities of work and, as a result, to paralyzing of a system of protection.

When employees consider crows, or protection against carelessness

According to the statistics analysis department of Falcongaze company which is a system developer of information security of SecureTower for 2013, about 57% of all leakages of a confidential information from the companies happened because of employees. How many there was and how many still will be cases when the accountant, having been distracted by a conversation with the colleague, sends confidential financial documentation not to that interlocutor to Skype or when the employee of sales department by e-mail sends the customer base of data to the colleague – and is mistaken when entering the address? What occurs further, it is easy to provide: the employees who made an oversight, as a rule, do not hurry to announce an incident to the management while any delay in such situations can become pernicious for the company.

If in the organization a system for data protection is used, then in similar cases responsibles receive instant notifications on incidents and have an opportunity to timely take the necessary measures. Such tools in hands of specialists in information security give today the chance to control different communication channels in the company: e-mail, Skype, ICQ, social networks, chats and many others. They also allow to perform monitoring of the documents written by the staff of the company on USB sticks, external hard drives and printed on corporate printers.

Except carelessness, leaks of corporate information happen also because of malicious actions of employees. Today nobody is surprised by news of cases when former employees, leaving, carry away with themselves customer bases of data, the latest projects and developments of the company, personal data of colleagues and other confidential information. According to different data, it occurs on average in 34% of cases of the dismissals connected with leaks of corporate information.

Though it is practically not possible to define losses from date leak in a cash equivalent, the companies competing with each other strike the friend to the friend the blows which are reflected in a financial position and putting a goodwill of rivals serious trials. In such conditions of the program for data protection come in handy, helping to identify the disloyal workers ready to cooperate with the "enemy" organizations. It is performed by means of different technical means: for example, in a system for SecureTower data protection it can be done, having configured the corresponding rules of information security or having examined all contacts of employees which are visually provided in one of program modules.

It is much simpler provide full protection of corporate data and observance of information security policy if in the organization business processes are built and adjusted. Yes, however, also is to all much easier when job responsibilities are accurately distributed, all know well who what should be responsible for and, as a result, all tasks are carried out quicker and more qualitatively.

By means of modern information security systems it is possible to analyze efficiency of both individual employees, and the whole departments, to perform monitoring of how corporate resources are spent, to reveal the incidents connected with nonprofessional or incorrect actions of personnel of the company and also to make activities reports of workers for any period. All this helps heads to resolve quickly organizational issues, to make necessary corrections, constantly optimizing workflows in the company, – and as a result allows to reach clockwork clearness.

Threads are tied, everything is classified, data streams under reliable protection – everything in the company works as the debugged clockwork. As in that fantastic kingdom: the picture can seem utopian. Therefore to fall into the absolute fairy tale and information security systems you should not forget about reality nevertheless. Are effective, but only in that measure as far as the heartless program can be effective. This same tool for information security specialists and heads, as, say, program 1C for modern accountants. It is necessary to use programs for data protection together with other measures and taking into account all parts connected with specifics of each separate organization. Only applying complex approach to data protection in the organization, it is possible to achieve notable result. Therefore, first of all, it is necessary to remember: the devil is in parts and it is better to meet possible threats fully equipped.

2012: Date leaks via mobile devices

It is easy to replace the lost smartphone with new, it is more difficult to recover information, and to prevent to it unauthorized access, sometimes, at all hardly possibly. Draw the attention of ordinary and corporate users to this ordinary truth the research conducted within the project with the unusual name Smartphone Honey Stick pursues the aim. The Symantec company acted as his initiator, the direct contractor – Scott Wright, the trainer, the consultant, the researcher and the founder of Security Perspectives.

Organizers intentionally during several days "lost/forgot" in the neighborhood of five large cities of the USA and Canada (Washington, Los Angeles, New York, Ottawa, San Francisco) of 50 smartphones with information of personal and corporate character which is in advance written on them. Devices left in public places with big accumulation of the people – elevators, shopping centers, public catering institutions, at stops of public transport. Special software allowed to monitor movements of devices (all of them supported GPS) and to write the made actions with applications and data.

The "forgotten" smartphone

Source: Symantec, 2012

Results were quite predictable:

  • 96% of smartphones got into strange hands;
  • information and applications of personal character attracted interest in 89% of cases;
  • information and applications of corporate character – in 83% of cases;
  • information and applications of personal and corporate character – in 70% of cases;
  • every second smartphone suggested to return it to the legal owner.

The way done by one of the smartphones participating in an experiment

Source: Symantec, 2012

Considering that, how strongly recently smartphones were integrated into our everyday life and as quickly they become an integral part of the increasing number of business processes of the companies, to think, really, is over what. The list of the recommendations offered by specialists of Symantec occupies not one page of the final report with results of a research. The most important and obvious: corporate users should take seriously drawing up policies of usage of mobile devices by employees, ordinary users should not neglect function of blocking of the screen and reliable passwords.

DLP: Systems of protection against date leaks

Recommendations about prevention of leaks

6 methods of reduction of risk

Considering the effects caused by violations of databases there is obvious the highest priority of strategy of audit and protection of the most valuable data in the database of the enterprise. Nobody will file a lawsuit against the company if the malefactor gets in perimeter of network and several personal computers will turn into spam zombie. But it is possible to be sure of inevitability of legal procedure if the company loses hundreds of thousands of records of clients, especially if at the same time there is an identity theft.

In the report the edition recommends several security technologies concerning which it is necessary to consider the possibility of investments, for decrease in probability of thefts of databases. In brief:

1. Monitoring of activity of the database. Instruments of the automated audit of access to databases, use and accomplishment of requests. They are especially effective at detection of internal threats of access to confidential data.

2. Technologies of prevention of date leak. The DLP device used as the last line of defense, well configured is capable to prevent some cases able to lead to violations of data. When using in the demilitarized zone of the DLP solution can stop leakage of specific information types.

3. Management of identification of privileges. PIM products automate control over powerful administrative accounts, resolve such problems as the general administrative accounting records and passwords, excessive administrative privileges, separation of duties and change of passwords. They also provide individual statements and audit, as proof of application the politician and managements of protection.

4. Audit of the Active Directory. It is important to use more evident reporting concerning the user accounts, than it provides Windows Server. The operating powers in hands even of the hacker beginner can be destructive. In the presence of the correct audit and convenient reporting system, there will be an opportunity to recognize chaotic authentication and use of the account as soon as it happens.

5. Protective gateways. Intermediate means (and services) protection of Internet access are well used for protection of users of internal network against malware and viruses. But these technologies can be also used as the return proxy servers for check of the contents sent to the Web server available from the outside. Together with growth of the attacks of XSS and SQL Injection, these devices is the urgent need for quality of the tool for reflection of threats from external sources.

6. Multifactor authentication. It is intended first of all for prevention of access for malefactors. Two-factor authentication will not save the database from requests, will not prevent the malefactor who already has an access. However, if the database of accounts is under the threat as it was in a case with Gawker, obligatory use of two-factor authentication at the level of web access can prevent fraudulent use of credentials even if the user ID and the password became known. Many banks already began to apply on-line two-factor authentication, especially when carrying out important transactions.

5 steps on the way of creation of a system of protection against insiders

There are five steps which need to be undertaken for counteraction to similar threats[11]: #Разработать detailed process of closing of access to network to the employee. It seems a simple and obvious question, but a set of the organizations have "holes" in this process that prevents to close certain accounts or detect and "chop off" active connection when the employee leaves the organization. #Создать a system of "controls and counterbalances" for system and network administrators. Administrative access to all systems and devices should be provided more, than to one person, but it is necessary to exclude sharing of the same logins and passwords as it is difficult to control and cancel the shared account. #Работать together with heads for identification of dissatisfied employees. IT monitoring and detection of violations should be considered as "air support" for management efforts "on the earth" on identification of people who are dissatisfied with something or are already engaged in fraud. Misuse of computer resources can be very often connected with other "strange" behavior at work. #Обратить attention to audit of access to systems and network activity before dismissal of the employee. The most part of activity of insiders occurs when the employee is already on a dismissal threshold, and this activity often is defined by verification of information of logs, including traditional Syslog and also NetFlow and other similar technologies. #IT should not solve problems of insider threats alone. It is a mezhdepartamentny problem which requires interaction between IT, HR, lawyers and management of the company. Only this way it is possible to identify "potentially dangerous" employees, without violating at the same time the rights of people to privacy.

In terms of technologies the only way of prevention of such attacks, it to have an opportunity "see" what insiders do in network, i.e. to control non-standard network behavior. Such as unusually large volume of data transmission or access attempt in zones of limited access.

Councils for data protection

Many companies do not know that at them the most important information, databases and intellectual property sneaks. But even when they realize it, often there pass weeks and months between the first attack and detection. Such conclusions are drawn in a research of Verizon company - Data Breach Investigation Report, in 2010. Moreover, the companies, as a rule, learn about these violations from the third parties, but not own employees and technologies.

In the database of an online service keeping statistics and the chronicle of date leaks of all types there are more than 11 million records about thefts of data. Though the last several years many companies save on IT budgets, expenses on security in general remain invariable, and according to forecasts of many analysts considerably will increase in the next years. It does not say that professionals in the field of security have not enough resources necessary for data protection, it is rather that they are not rather concentrated on protection of databases.

The InformationWeek edition in own annual research claims that effects of such attitude towards safety of use of data can be very deplorable. The incident in Epsilon company which took place in April, 2011 is given as one of examples in the report: millions of records about clients containing a broad spectrum of personal data were lost. A massive attack to the company of e-marketing Epsilon Interactive led to plunder of the user e-mail addresses, at least, 50 clients, among them JPMorgan Chase, Capital One, Marriott Rewards, US Bank, Citi, Ritz-Carlton Rewards, Walgreens, College Board and Home Shopping Network companies.

It was the second serious case of violation of data. In December, 2010 several firms, including devianART, Honda, McDonald's and Walgreens announced similar attacks as a result of which the e-mail addresses were stolen. For example, McDonald 's informing the public, said that leak "was limited to the e-mail addresses, it is possible a name, the postal address, the home or mobile phone, date of birth, a floor and information on advertizing preferences or interest in web information". These data are enough for opening of the account of the credit card and the beginning of address phishing attacks.

The detailed technical information about that, Epsilon and Silverpop were how exactly attacked it is unavailable. But the edition gives several important advice on protection of databases on the basis of what is known to analysts:

1. Check politicians of observance and implementation of security systems by suppliers of services. The company cannot transmit responsibility to clients to outsourcing, and will answer to them in security issues of information processing of the clients by third-party providers. It is necessary to find out whether the service provider performs periodic audit of SAS70 and/or PCI. Questioning by means of the questionnaire of Alliance of Security of the Cloud Initiative (Cloud Security Alliance Consensus Assessments Initiative Questionnaire) is one more method of verification of programs of compliance at the supplier of services.

2. The third-party company, with reputation, rendering services of data processing, can be better prepared in security issues. Nevertheless, it can become more attractive purpose for attack as has a large number of records of clients. Before making the decision on outsourcing, it is necessary to estimate carefully costs/benefits/risks of management of data sources by own efforts.

3. It is necessary to require from suppliers of services of proofs and demonstration of control of the used procedures and technologies for security of data sources.


  1. zafiksirovanobreach Level Index - it is the global database which traces cases of date leaks and determines the level of their criticality on the basis of different factors, including the number of the compromised records, their type, a leak source, further use of data and also existence of their enciphering. Proceeding from assessment of the weight appropriated to each leak, the Index provides the comparative list of leaks, carrying out differences between noncritical leaks and those which caused serious damage
  2. InfoWatch: triple growth of number of information leaks is recorded
  3. zapiseyindeks criticalities of date leaks represents global base of leaks and provides assessment of level of this or that date leak by different parameters, including on data type and the number of the stolen records, a leak source, the nature of use of kidnapped persons of data and also on whether there were stolen data are ciphered. Each leak gets a certain point, thus, the index of criticality of date leaks represents the comparative table of leaks allowing to distinguish small and insignificant incidents from really large and significant leaks (the point of leak varies from 1 to 10). According to the Index of criticality of date leaks, from the beginning of drawing up the index of publicly recorded leaks in 2013, the number of the compromised data writings exceeded 7 billion. Thus, on average in the world more than 3 million data writings, or, roughly speaking, 44 records every second
  4. [ the Index of criticality of date leaks for 2016
  5. are daily compromised
  6. the sluchayevbaza of data of analytical center InfoWatch includes the public messages about information leaks from the organizations published by official departments, media, authors of entries in blogs, Internet forums and other open sources in the Russian, English and German languages
  7. [ of InfoWatch recorded the double growth of number of the stolen records of personal data
  8. in 2016]
  9. On the materials SecurityLab
  10. Bank leaks: growth by 37 times
  11. of Club.CNews