SecurityBrief Asia

22 billion records exposed from breaches in 2020 — report

15 Jan 2021

22 billion records were exposed across 730 publicly disclosed events between January and October 2020, according to new research from Tenable.

The figures are part of Tenable’s latest Threat Landscape Retrospective report released recently. The research also found that 35% of the breaches recorded by Tenable were caused by ransomware attacks, while 14% of breaches stemmed from email compromises.

As expected, the research at times focused on the consequences of COVID-19 for the cybersecurity industry. Researchers cautioned against rushing headlong into new and untested remote working solutions, as several issues were discovered that can only be addressed through diligent patching and implementing the correct security measures.

The company also found that unpatched vulnerabilities in VPNs are ‘still gold for cyber-attackers’. Pre-existing vulnerabilities in VPN solutions continue to be a favourite target for cybercriminals and nation-state groups, Tenable says.

Meanwhile, 18,358 new common vulnerabilities and exposures (CVEs) were reported in 2020, representing a 6% increase from 2019 and a 183% increase from 2015. From 2015 to 2020, the number of reported CVEs increased at an annual percentage growth rate of 36.6%.

Over 35% of all zero-day flaws exploited were browser vulnerabilities in Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge.

“Every day, cybersecurity professionals in Australia and the rest of the world are faced with new challenges and vulnerabilities that can put their organisations at risk,” says Tenable staff research engineer Satnam Narang. 

“The 18,358 vulnerabilities disclosed in 2020 alone reflects a new normal and a clear sign that the job of a cyber defender is only getting more difficult as they navigate the ever-expanding attack surface.

“A complex threat landscape, highly motivated threat actors and readily available exploit code translate into serious cyber attacks as reflected in this report. 

“Many of the tactics used by bad actors are not sophisticated or didn’t require flexing too many mental muscles - making it more important than ever to patch vulnerabilities in a timely manner.”

Narang says last year's events and the effect they had on the cybersecurity industry called for a more in-depth retrospective analysis than ever before.

“To adapt in a digital and distributed world, every industry sector and business model is reliant on technology. Hence, pausing for a retrospective provides cybersecurity professionals with an important opportunity to identify gaps and refine strategies to make their organisations more secure,” says Narang. 

“In 2021, it’s essential that we have the tools, awareness and intelligence to effectively reduce risk and eliminate blind spots. It’s only through looking at where we’ve come from that we can effectively plan for what lies ahead.”