Equifax is the only data breach people ever cared about... and other infosec insights from Google Trends

Don't let it bring you down, it's only castles burning.

As security consultants, it is sometimes challenging not to get disheartened when we are once again confronted with evidence suggesting a staggering lack of security awareness in organizations or among individuals. Such evidence can present itself to us in many forms, such as a news article on a data beach that could have easily been prevented; the depressing findings of a security research report; the latest version of a list of most common passwords (which looks suspiciously similar to last year’s edition, except that entries like ‘Summer2018’ and ‘Winter2018’ have been updated to reflect the current year); our own unsettling findings during a penetration test or a security audit; or even the look of growing confusion on the face of someone we’re meeting for the first time as we struggle to explain to them – and increasingly to ourselves as well – what it is we do for a living, and why we believe it is so important. Instead of letting incidents like this bring us down, or worse, leave us apathetic, we can actually benefit from them if we take them as an opportunity to step out of our infosec bubble and get some perspective. I recently had an experience like this that both baffled and dispirited me at first. However, with a little help from Google Trends and John Stuart Mill I not only managed to avert a minor professional identity crisis, but I actually gained some interesting insights. Let me explain.

What are you doing in terms of security?

Nothing. At a family gathering I recently struck up a conversation with a distant relative who happens to be the co-founder and CEO of a moderately-sized manufacturing firm with fewer than 250 employees. After we had talked a bit about his business, he asked me about my line of work. When I mentioned infosec, he seemed genuinely intrigued and asked a few more questions, which made me curious about what his company was doing in terms of IT security. Nothing, he said, shrugging his shoulders as if it was perfectly normal – self-explanatory almost. As far as he knew, they didn’t really have a cybersecurity strategy. My jaw dropped. I had so many questions, I hardly knew where to begin, but before I had a chance to fire away, we were interrupted and we didn’t manage to pick up our conversation again afterward.

While I have trouble believing that when my relative said ‘nothing’ he really meant absolutely nothing, – I mean, at the very least someone in their IT department must be doing something to protect their data and systems, right? Right?? – I have since discovered that their website still doesn’t use HTTPS and they don’t have anyone on the payroll with an infosec-related title. So it really does look pretty bad.

Do people even care?

I wish that my relative’s company was an outlier, an exception to the rule. But that’s the worst part, because it isn’t. Industry research shows that it isn’t all that uncommon for small firms to lack a proper cybersecurity strategy. For example, a 2018 report by Hiscox[pdf] found that this is true for almost half (48%) of small companies. To be fair, this doesn’t necessarily mean that those companies are doing nothing in terms of security, but there is no comprehensive, formalized effort to keep the bad guys out.

In any case, this incident got me wondering what people really know, and to what extend they actually care about cyberattacks and data breaches? If CEO’s don’t always know, nor care much about such incidents, how bad is it out there? Pretty bad, I knew form experience, but that answer didn’t satisfy me, so I got ready to do some digging on Google. It was then that I realized the significance of my decision to go to Google for my information. While I may have plenty of peculiar habits, my Google addiction is pretty normal. When I want to know more about a certain topic because I am curious or concerned, I Google it. And as far as I know, the same goes for the vast majority of people nowadays. So if you want to get a basic impression of people’s interest in topics like data breaches and cyberattacks, it would be interesting to check the Google search interest trends for those topics. Fortunately, Google has a nifty free tool that does just that. It’s called Google Trends and as it turns out, data from this tool is quite insightful regarding some of my topics interest, even if it is by no means scientifically valid.

Google Trends

Using Google Trends is incredibly easy. You simply enter a search term or a topic and it will display a graph of the relative search interest for a given geographical area within a given time frame from 2004 onward. The peak value is always 100 and the other values are relative to that. You can also compare up to five search terms/topics in a single graph.

For my experiment I chose to focus on the United States only using data from 2011 and beyond, because Google Trends improved the geographical assignment for search interest after 2010. As mentioned above, Google Trends makes a distinction between search terms and topics. While topics can provide a more complete picture of a certain phenomenon than search terms, they aren’t always available. Because terms and topics are measured in a different way, comparing the two is problematic. So I used topics whenever possible, but only if they were available for all phenomena that I wanted to compare. These are the insights I gained from my little investigation:

Insight 1: Equifax may be the only data breach most people ever cared about.

That’s right, based on the numbers, it seems the “entirely preventable” 2017 Equifax data breach that exposed the names, social security numbers and other sensitive information of over 148 million people (the initial estimate was 143 million), was by far the most interesting event of its kind. When it was announced, Google searches for ‘data breach’ surged like never before, or after for that matter.

Figure 1: US Google searches for the topic ‘data breach’ relative to the highest point on the chart, with the peak at September 2017, when Equifax happened.

The December 2013 Target breach is a distant second, followed by the 2014 Home Depot breach and the 2015 Anthem breach. The 2018 Facebook-Cambridge Analytica scandal also coincides with a small uptick, as does the 2011 Playstation hack. It is interesting that the impact of other prominent breaches including the October 2018 Facebook breach and especially the massive Marriott/Starwood breach of the same year seems negligible.

Insight 2: Equifax spurred interest in identity fraud, but not as much as a 2013 movie.

The search data for ‘identity theft’ shows a slight uptick that coincides with the Equifax breach, so it seems that this massive breach got at least some people curious or worried about identity theft.

Figure 2: US Google searches for the topics ‘data breach’ and ‘identity theft,’ relative to the highest point on the chart.

It is interesting to note that search interest for identity theft actually peaked in February of 2013. Why then? Well, the comedy film Identity Thief starring Jason Bateman and Melissa McCarthy was released that month. Initially I thought this meant that Google Trends counted searches for ‘identity thief’ as part of the data for ‘identity theft’ as a topic. However, the trend remained the same when I used search terms instead of topics for ‘data breach’ and ‘identity theft.’ So it really seems that the movie got a few people interested in identity theft, although some perhaps misremembered the title.

Insight 3: Equifax was about as interesting to people as the Harvey Weinstein scandal.

So far the graphs only show the relative impact of data breaches compared to each other. In order to get an idea of how data breaches compare to other phenomena, the below graph compares search interest in Equifax, the breach of breaches, to Google Trends data for other major incidents that took place at around the same time.

Figure 3: US Google searches for the indicated phenomena as topics, relative to the highest point on the chart.

The data implies that the impact of Equifax was similar to that of the massive sexual harassment scandal surrounding movie producer Harvey Weinstein, which broke in October of 2017. While people cared less about Equifax than they did about the violent far-right demonstrations in Charlottesville, Va. and about US President Donald Trump’s controversial decision to end the Deferred Action For Childhood Arrivals (DACA) ‘dreamers’ program, it spurred more search interest than the 2017 US Open tennis tournament, which is one of the four most important tennis tournaments.

Insight 4: The two cyberattacks that people cared about most are WannaCry and Dyn.

So what about cyberattacks? Well, based on the search interest, the 2017 global WannaCry ransomware attack wins the title of most interesting cyberattack, although it was a close race with the 2016 distributed denial-of-service (DDoS) attack on domain name system (DNS) firm Dyn, which caused major Internet disruptions across the US and Europe.

Figure 4: US Google searches for the topic ‘cyberattack’ relative to the highest point on the chart.

A third significant surge in ‘cyberattack’ search interest at the end of 2014 coincides with two separate attacks, namely the Sony Pictures hack and the DDoS attack on the PlayStation Network (PSN) and Xbox Live that “ruined Christmas for millions of gamers” according to The Guardian.

Insight 5: People care more about data breaches than about cyberattacks.

The following graph compares relative interest in data breaches and in cyberattacks. It includes data for DDoS and ransomware attacks because the two most noticeable cyberattacks were a DDoS attack and a ransomware outbreak.

Figure 5: US Google searches for the indicated topics relative to the highest point on the chart. Since ‘ransomware attack’ and ‘ransomware infection’ are not available as a topics, I simply opted for ‘ransomware.’ This choice does not seem to have significantly influenced the results, since WannaCry compares to Dyn and the other DDoS attacks just like before.

The data suggests that people cared far more about Equifax than they did about Dyn and WannaCry. The Target breach also ranks higher than any cyberattack. In addition to the incidents mentioned before, the DDoS results expose a few smaller attacks including another PSN/Xbox Live attack that occurred in August 2014 and the 2013 Spamhaus attack that broke the record of biggest DDoS attack ever, with the flood of traffic reaching 300 Gbps at its peak. For the record, this is almost 6 times smaller than the current record from March 2018, which stands at 1.7 Tbps. The fact that the biggest DDoS attack to date does not show up on the graph probably has to do with the fact that it did not cause a significant outage and didn’t receive much attention from mainstream media outlets.

Insight 6: Equifax was significant enough to be visible among top 2017 searches, WannaCry virtually flatlines.

The final graph shows how Equifax and WannaCry, respectively the biggest data breach and cyberattack according to Google Trends, compare to some of the most popular Google search terms like ‘Facebook’ and ‘Google’. Because both WannaCry and Equifax occurred in 2017, I decided to look at that year only. The data also includes ‘Hurricane Irma,’ the top trending search for 2017 according to the Google Trends Year in Search 2017 report.

Figure 6: US Google searches for the indicated search terms relative to the highest point on the chart. Search terms were chosen because Hurricane Irma is not available as a topic.

It is not difficult to identify the Equifax breach among the top search terms, which is an indication of the significance of this breach. There is even a minuscule bump for WannaCry, although this would be easy to overlook.

Final thoughts: breach fatigue and John Stuart Mill
It should be noted that due to the many potential issues with Google Trends Data, it is not possible to draw any firm conclusions from this little study, which was also never the intention. However, it may be useful to know that Google Trends data suggests that:

  • Equifax was the most significant data breach by far.
  • The most significant cyberattacks were WannaCry and Dyn, which therefore also represent the biggest ransomware and DDoS attacks, respectively.
  • People cared more about the most significant data breaches than about the biggest cyber attacks.
  • The impact of Equifax is comparable to that of various other highly publicized events.
  • Even when compared to top search terms, the impact of Equifax is clearly visible.

In addition, the relative lack of search interest in major breaches that were announced after Equifax, such as the Facebook-Cambridge Analytica scandal, the 2018 Facebook data breach and the Marriott/Starwood breach, seems to be compatible with reports of ‘breach fatigue,’ i.e. the idea that data breaches have become so common that people can no longer be bothered to get upset about companies mishandling and exposing their personal information. In other words, traditional ignorance among people about infosec topics has been infused with apathy and this makes for a toxic, security-undermining cocktail. Consequently, security pros are fighting an uphill battle now more than ever. However, this doesn’t mean the war is already lost.

If you are a cybersecurity professional, or simply someone trying to get your organization to better protect its systems as well as people’s data, remember that you’re fighting the good fight, which is important even if, or rather, especially if it seems like you’re on the side that’s losing. So the next time you get dismayed about the state of cybersecurity, or about people’s utter lack of infosec awareness or interest, you may be able to find strength in the words of John Stuart Mill:

“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”

Just replace “bad men” with “threat actors” and “good men” with “security enthusiasts,” and you should be all set. Have a nice day!