CISOs often focus on protecting structured data such as credit cards, passwords and personal health information. But a new report from IBM reminds infosec pros that unstructured data, including the contents of email, source code and intellectual property, is just as high on the target list of attackers.

In fact, the report notes, the 5GB of data stolen from an Ontario casino ranks among the top global leaks of unstructured data last year. The breach at Casino Rama Resort allegedly included the facility’s IT information, financial reports regarding the hotel and casino, security incident reports, patron credit inquiries, collection and debt information and more.

That observation and others come from IBM’s 2017 Threat Intelligence Index (registration required), which looks back at 2016 and draws some interesting conclusions.

Most readers, of course, will remember the hack of email from the U.S. Democratic Party as a prime example of a theft of unstructured data, an incident that is still in the headlines south of the border.

But the report also notes the April 2016 leak of 11.5 million documents from a Panamanian law firm, which exposed the offshore accounting of thousands of prominent people from around the world. Reporters from around the world have dipped into the “Panama Papers,” as they were dubbed, which showed insider financials of several current and former heads of state, their friends and family, as well as businesspeople and celebrities.

To no one’s surprise, 2016 was another record year for breaches, with over 4 billion records gone out the door. That’s more than double the number of the two previous years combined, says IBM. However, it includes 1.5 billion records from breaches at Yahoo that took place in previous years but were only divulged in 2016. Four men, including one with dual Canadian citizenship, were charged earlier this month with one of those attacks.

Last year saw another dubious record: the highest number of publicly disclosed software vulnerabilities (10,197), which doesn’t speak well for the industry’s skill at secure development — and those were only the publicly disclosed ones. Web application vulnerability disclosures made up 22 per cent of the total, a large majority of which were cross-site scripting and SQLi vulnerabilities.

“One positive development during 2016 is that many companies now are using more secure hashing functions such as bcrypt to store passwords,” the report says. “The result is that even after a breach, such as the theft of 43 million Weebly accounts and 87 million Daily Motion accounts in October, it may be more difficult to crack the passwords, devaluing the data and the scope of the attack.

“Still, given the frequently reported top 10 password lists that have been circulating for several years, it might be useful for web services to reject some of the most common passwords and require users to set something more secure.”

Spam has always been a pain for infosec pros, but in the last years the amount of it with malicious payloads has significantly increased, the report notes — and 85 per cent of it was ransomware. On the other hand, the report notes that some criminals, including those behind the Dridex banking Trojan, are using less spam and more spear phishing to trap victims. A number of cyber gangs are increasingly targeting businesses rather than consumers, the report says.

Finally, the report makes — another — plea to organizations to practice security fundamentals. “To complement a solid information security foundation,” it adds, “organizations can continue to engage in collaboration to learn best practices and share findings and insights with colleagues. The faster they react to cybercrime findings and share their experiences across the security community, the less time each malware variant can live and or see successful fraud attacks.”

The report uses both anonymized data from IBM-monitored security clients and data derived from non-customer assets such as spam sensors and honeynets.