ENISA’s Threat Landscape Report 2022 – Part 6 – Threats Against Data
The importance of data as the driving force behind a data-driven economy has made it a primary target for cybercriminals. These criminals employ a range of threats aimed at data sources, including unauthorized access, disclosure, and manipulation. Such threats are the basis of many existing attacks, including ransomware, RDoS, and DDoS, which are designed to deny access to data and extract payment in exchange for restoring access. Disinformation and misinformation are also fuelled by data manipulation, while phishing attacks, including those based on deepfakes, rely heavily on the manipulation of data.
According to the GDPR, a data breach occurs when there is a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that is transmitted, stored, or otherwise processed. From a technical standpoint, threats against data can be classified into two main categories: data breach and data leak. While these terms are often used interchangeably, they represent fundamentally different concepts that primarily differ in how they occur.
Data breaches typically result from a cyberattack, while data leaks involve the unintentional loss or exposure of data. Data breaches have historically posed the most persistent threat to data security. However, with the rapid growth of interconnected systems and digital transformation, data leaks have become increasingly relevant due to the expanding attack surface and the greater involvement of users in the functioning of software systems.
According to Statista, the entire world produced and consumed a total of 79 zettabytes of data, and this is predicted to grow to over 180 zettabytes by 2025.
Another report by Verizon states that roughly 80% of all data compromises originate from external sources, with the remaining 20% coming from within the targeted organization. Financial gain is the primary motivation for data breaches, accounting for approximately 90% of all breaches, followed by espionage, which accounts for less than 10%. Data breaches are often executed through web applications, email, and carelessness, such as errors and misconfigurations, and are frequently facilitated by the use of stolen credentials, ransomware, and phishing attacks. The report underscores the critical role of human involvement in data breaches, with 82% of breaches involving a human element. This is due to social engineering tactics and miscellaneous errors, such as misdelivery and misconfiguration, which are among the main attack patterns, ranking third and fourth, respectively. These patterns are surpassed only by system intrusion, which also involves social attacks, and basic web application attacks. The Identity Theft Resource Center (ITRC) also identifies email and weak cloud configurations as significant human errors.
The primary causes of data breaches are hacking (approximately 50%), malware (about 40%), social engineering (around 20%), and human error (13%). When it comes to assets targeted during attacks, servers are the primary targets (almost 90%), followed by individuals (less than 30%) and user devices (less than 20%). In terms of servers, web applications and mail servers are the top two targets, while database servers come in fifth. User devices, such as desktops or laptops, are the third most important asset, and finance comes in sixth for individuals. The most sought-after types of data for attackers are credentials and personal data, with credentials critical for covering up their activities and personal data useful for financial fraud and resale.
Attack vectors, assets and motivations
Throughout the reporting period, there were no significant changes in trends related to attack vectors, assets, and motivations compared to 2021.
In terms of attack vectors, stolen credentials, ransomware, and phishing continue to be among the top five methods used to carry out data breaches. However, compared to 2021, stolen credentials have become the most popular method (making up approximately 40% of attacks), while ransomware has seen a significant increase (up 13% to a total of 25%), and phishing has decreased by around 20%. These trends were also observed in the USA, where ransomware and phishing remain significant threats.
As in previous years, the primary motivation for cyberattacks remains financial gain. Such attacks, driven by financial motives, now make up almost 90% of all cyberattacks. They take various forms, including stealing money from financial accounts, obtaining credit card information or other monetizable data, and demanding ransoms. Espionage, on the other hand, accounts for approximately 10% of cyberattacks.
Identity theft and synthetic identity
The proliferation of data breaches has made personal and sensitive information readily accessible to malicious actors through online forums and the dark web. This, in turn, has led to a rise in incidents of identity theft. The US Federal Trade Commission (FTC) received 1.4 million reports of identity theft in 2021, with individuals between the ages of 30 and 39 being the most targeted victims. According to McAfee, credit card fraud is the most prevalent type of identity theft. The incidents reported in 2021 may have involved synthetic identities, as per ETL 2021. Synthetic identity theft is a fraudulent scheme in which criminals combine genuine and fabricated information to create a new identity. The Federal Reserve suggests that synthetic identity theft incidents tend to be more common in the United States due to the use of static personally identifiable information for identity verification. Despite this, synthetic identity fraud still increased in 2021, and according to FiVerity, losses resulting from it have grown to $20 billion.
Data poisoning and manipulation
Data poisoning is considered a significant threat in the data domain, as identified by the EU H2020 project CONCORDIA. Reliable data is crucial to the implementation of safe autonomic and adaptive systems based on data. The central role of collected data and corresponding inferences on the behavior of modern systems elevates the risk associated with data poisoning and manipulation, which then become fundamental threats to data-driven systems. In such systems, protecting and ensuring not only data integrity but also data provenance, non-repudiation, and accountability is essential. Ransomware attacks and deepfakes are examples of threats that target the integrity and availability of data, posing significant risks to decisions based entirely on unverified data. For instance, a deepfake voice call resulted in a fraudulent bank transfer of nearly $35 million.
Data extraction from ML models
Modern distributed systems rely heavily on Machine Learning (ML) models, which are increasingly targeted by attacks. Data poisoning and manipulation lead to a reduction in the accuracy of ML models. According to the EU H2020 project CONCORDIA, machine learning models can be attacked by poisoning the data used for model training, leading to the model learning a behavior different from the actual behavior of the target system, causing incorrect decisions. Adversarial attacks, on the other hand, aim to confuse ML models with malicious data points crafted at inference time, posing a significant threat to the domains of ML and AI. Additionally, attackers can attempt to steal or extract data from a black-box model, which is known as model stealing or extraction. In this context, membership inference attacks aim to recover the training set from a deployed ML model.