The Year Of The Mega Breach

Executive Overview

With Internet-shattering distributed-denial-of-service (DDoS) attacks, troves of records leaked through data breaches, and a renewed focus by organized cyber-crime on business targets, 2016 was a defining year for security. Indeed, in 2016 more than 4 billion records were leaked, more than the combined total from the two previous years, redefining the meaning of the term “mega breach.” In one case, a single source leaked more than 1.5 billion records.  

SecThrtRprt IBM Call (224) 303-4312

In our monitored client environments, IBM® X-Force® saw that the average client organization experienced more than 54 million security events in 2016—only three percent more events than 2015. At the same time, client organizations monitored by X-Force experienced an average 12 percent decrease in attacks in 2016 compared to 2015 (1,019 attacks in 2016 compared to 1,157 attacks in 2015). Most notably, the average monitored client was found to have experienced 93 security incidents in 2016, down 48 percent from the 178 discovered in 2015. Does this reduction in attacks and incidents reflect a safer security environment in 2016? Perhaps. That would be wonderful news to report. However, the reduction in attacks could mean attackers are relying more and more on proven attacks, thus requiring fewer attempts. Additionally, the combination of massive record leaks and a record year of vulnerability disclosures also paints a different picture. Regardless of the total number of attempted attacks or incidents, it takes only one successful compromise for an organization to end up as front page news and facing millions of dollars in data breach costs.


To better understand the security threat landscape, X-Force uses both data from monitored security clients and data derived from non-customer assets such as spam sensors and honeynets. X-Force runs spam traps around the world and monitors more than eight million spam and phishing attacks daily. It has analyzed more than 37 billion web pages and images.

IBM Security Services monitors billions of events per year from more than 8,000 client devices in more than 100 countries. This report includes data IBM collected between 1 January 2016 and 31 December 2016. In this year’s report, IBM X-Force Threat Research adopted the MITRE Corporation’s Common Attack Pattern Enumeration and Classification (CAPEC) standard for attack categorization.

The top five attacked industries were determined based on data from a representative set of sensors from each industry. The sensors chosen for the index had to have event data collected throughout the entire year of 2016.

The insider/outsider identification utilized in this report includes all source and destination IP addresses identified in the attacks and security incidents targeting the representative set of sensors. A single attack may involve one or many attackers.

The Shifting World of Breaches


The year 2016 was notable for the way in which cyber attacks had a discernible impact on real-world events and infrastructure. Beginning in December 2015, for example, reports appeared of a malware-caused power outage in Ukraine,3 leaving hundreds of thousands of people without electricity for several hours in the middle of winter. Nearly a year later, a smaller but similar Ukrainian power outage surfaced, also attributed to a cyber attack.4 These two events bookended the year and served as heralds of the widespread impact of security incidents on the physical world, even to those who don’t regularly monitor the security landscape.

World-changing leaks

This impact was most prominently registered through a number of high-profile data leaks that had a direct influence on global politics. In April 2016, 11.5 million leaked documents from the Panamanian law firm Mossack Fonseca5 exposed offshore accounting of thousands of prominent people from around the world. The “Panama Papers,” as they were dubbed, showed insider financials of several current and former heads of state, their friends and family, as well as businesspeople and celebrities. While offshore accounts are not illegal per se, they often raise suspicion because they can be used for tax evasion and money laundering.
In addition to criminal investigations in


Phishing: The act of tricking a user into providing personal or financial information by falsely claiming to be a legitimate entity.

79 countries, the disclosure led to anti-government protests in several countries including Pakistan and the UK.8 In April 2016, the Prime Minister of Iceland stepped down in the aftermath of the leak.

In the US, data leaks were a central topic of the presidential election. Several leaks from the Democratic National Committee (DNC) provided an inside look into private email conversations and strategies, and could have potentially swayed the opinion of some voters for one candidate over another. In both the Panama Papers and DNC leaks, it is reported that attackers used simple techniques such as SQL injection (SQLi) and phishing to exploit these influential targets. The fact that vulnerability to fundamental security flaws could have such far-reaching impact is notable.

In past years, data breaches were often in the form of a fixed set of structured information such as credit card data, passwords, national ID numbers, personal health information (PHI) data or key documents. In recent years, X-Force has observed the release of much larger caches of unstructured data, such as the contents of emails, as well. In 2016, there were many notable examples of leaks involving hundreds of gigabytes of email archives, documents, intellectual property and source code, exposing companies’ complete digital footprints to the public.

Glbl Lks unstrctrdDta Call (224) 303-4312

A history of incidents

X-Force has been tracking and reporting on publicly disclosed security incidents and data breaches since 2011. Figure 3 (next page) illustrates a sampling of security incidents and attack techniques during 2014, 2015 and 2016. In 2016, X-Force observed several record-breaking metrics such as the number of previously leaked records that surfaced during the year and an increase in the size and scope of DDoS attacks.

While the number of leaked records is not the only indicator of the impact of a breach, it is still a useful metric to track year to year. In 2015, X-Force tracked just over 600 million leaked records, down from more than one billion leaked in 2014. At over 4 billion, the number of records leaked in 2016 was more than double that of both previous years combined.

The year 2016 was unusual, however, as several “historical hacks” from breaches occurring in earlier years surfaced publicly, with revelations that billions of previously unreleased records were being sold on the Dark Web. These leaked records are associated with the year in which the organization disclosed the breach and not the year the breach occurred.



In some cases, it’s not known or disclosed when the actual breach occurred. In one significant example of a historical hack, Yahoo alerted customers in December 2016 that the company had discovered two breaches resulting in leaks of 500 million records in 2014, and one billion records in 2013. And Yahoo’s disclosure was not the only one of its kind. Reports of significant, older breaches occurred throughout 2016, with data from a number of historical hacks posted for sale on the Dark Web, most often by the same seller.


Incdnts by attcktype sample Call (224) 303-4312

Several of these breaches, such as those occurring at LinkedIn, Dropbox, and Last.fm, were already disclosed in prior years, though the impact was under-reported at the time. For example, in 2012, LinkedIn disclosed a breach impacting 6.5 million users, but in 2016, after a verifiable dump was posted for sale on the Dark Web, it was revealed that 117 million emails and passwords were actually stolen in that breach.

One of the dangers of these older leaks is that passwords often were stored less securely than they are today, or in some cases, millions of passwords were not encrypted at all. Many Internet giants previously used easy-to-crack hashing algorithms such as MD5. The result is that there are billions of email and plain text password combinations available for those interested in purchasing them—and many of these parties have successfully used these credentials to hijack accounts on other sites and services.

High-volume hijacks

During 2016, there were several high-profile account takeover campaigns in which the targeted service was not breached, but rather a large number of the targeted service’s customers lost control of their accounts because they had reused the same email and password from another Internet account. For example, attackers captured more than 20 million accounts at the Chinese auction site Taobao in a brute force attack that leveraged more than 100 million combinations of harvested credentials from other breaches. They used these hacked accounts primarily for sending spam, as well as bolstering the reputation of select accounts, and manipulating supply and demand of auction items.

Companies allowing virtual assets to be converted to currency, including frequent buyer programs, loyalty cards and travel points programs, were also targeted by account takeover.

Another novel use of comprised credentials was a campaign to log in to Internet-facing PCs running remote administration software. In June 2016, remote access service TeamViewer reported an uptick in compromised accounts that was believed to be linked to a flood of leaked credentials. People who reused their LinkedIn password for their TeamViewer PC login, for example, would be susceptible to this type of account takeover.

One positive development during 2016 is that many companies now are using more secure hashing functions such as bycrypt to store passwords. The result is that even after a breach, such as the theft of 43 million Weebly accounts and 87 million Daily Motion accounts in October, it may be more difficult to crack the passwords, devaluing the data and the scope of the attack. Still, given the frequently reported top 10 password lists that have been circulating for several years, it might be useful for web services to reject some of the most common passwords and require users to set something more secure.

Brute force attack: Use of trial and error to obtain a user name and password for a valid account on a web application to access sensitive data such as credit card numbers.

When things go rogue

Whether motivated by political protest, crippling a competitor or just for laughs, large-scale DDoS attacks have been a mainstay for many years. Not long ago, 100Gbps attacks were unprecedented—but by 2016, they were more of the norm. An attack on a French-based hosting provider, for example, reportedly topped a gargantuan 1 Tbps. Tools for DDoS attacks have become more accessible as well. In October, the opensource Mirai botnet was used to cause a large Internet-wide disruption of major sites such as Etsy and Twitter by targeting their DNS provider, Dyn.

Mirai is the latest evolution of DDoS attack malware, weaponizing home routers and other connected devices, including Internet-accessible camera systems and digital video recording devices. Large botnets of Internet “things” can be amassed due to the sheer number of these systems and their ease of exploitation, due to basic security holes.

Another Internet of Things (IoT) DDoS botnet, dubbed Leet by security firm Incapsula, launched a 650Gbps attack in December. One interesting feature of this attack was that it used two different SYN payloads for maximum impact. Sending a high packet rate of regular sized SYN packets (40 to 60 bytes) and interspersing very large packets (799 to 936 bytes) makes the attack difficult to mitigate because it ties up end systems handling the requests with high volume number of packets and floods switches with demands for huge bandwidth.


Distributing malware through spam

Spam email remains a primary tool in the attacker’s toolkit, reinforcing the pervasiveness of malware and the potential or inadvertent insider attacks. Figure 4 shows the overall spam volume observed by X-Force in its network of sensors in 2015 and 2016. The average monthly spam volume of the first quarter of 2015 is shown as 100 percent, and the red in the bars indicates the amount of spam with malicious attachments.

By the end of 2016, in fact, X-Force had noted a fourfold increase in the volume of spam over the previous year, as well as a marked increase in malicious attachments to that spam. 

SpamVolRprt Call (224) 303-4312


Among malicious attachments to spam, ransomware accounted for the vast majority—85 percent. Ransomware continues to be
one of the most profitable forms of malware in terms of effort versus earnings. While these attacks were already established and profitable, the February 2016 case of a California hospital that paid a ransom of 40 Bitcoins (approximately USD17,000 at the time) to unlock encrypted files foreshadowed a renewed campaign of similar attacks against the healthcare industry in several countries. Given that disruptions of hospital operations can be both financially damaging and literally matters of life and death—exacerbated by outdated security processes and infrastructure—the healthcare sector became a lucrative worldwide target throughout the year. 

To learn more about how to prepare for and respond to ransomware, read the IBM Security Ransomware Client Engagement Guide.

Scroll Up