How often do websites (and their databases) get hacked? Hacked as in user accounts stolen, tables flushed, and all in all, damage done to the database.
I'm talking about e-commerce websites, and moreover, anything besides major financial institutions because I always hear about those hacks on the news.
Even if such a statistic existed, it would be meaningless because these attacks don't occur as a result of random chance.
Your chances of being "hacked" rise dramatically if:
You don't secure the application properly (SQL Injection being the most obvious, and sadly still commonplace vulnerability; others include plain-text passwords, XSS/XSRF, and not validating form/query string inputs);
You don't secure the site properly (e.g. you allow directory listings, allow anonymous FTP access, don't chroot the FTP, etc.)
You don't secure the network properly (e.g. you run services under privileged accounts, don't set up proper ACLs or firewall rules, etc.), which would make it far easier for an attacker to scan for vulnerabilities and find some means of privilege elevation.
You have a large and/or poorly-trained staff working on the system, increasing the odds of a random social engineering attack being successful.
Your site is high-traffic, high-revenue, high-sensitivity, or otherwise represents a high value to attackers, which implies a greater likelihood of a targeted social engineering or similar attack (i.e. espionage).
If you secure your environment and your applications properly, you have very little to worry about as long as you don't paint a big target sign on your back. Once you get to that size, you should be hiring a full-time IT security consultant who will ensure that the odds of you being "hacked" are very close to zero, and/or that the actual business implications of such an occurrence would be minimal.
How often do websites (and their databases) get hacked?
It is generally unknown, and potentially unknowable.
Many countries do not have computer crime laws[1]. In the United States the laws vary from state to state. 48 states have passed computer crime legislation.[2] Even in locations that have computer crime law, the victims don't often report it.
I recently asked about Resources for data on security incidents to do some research on the subject. Some database contributers submit their data on condition of anonymity.
It may be possible to find statistics on certain classes of website who are legally required to report exposure of personal information. However even among those who are legally obligated to report, some may be unaware of the law and some may choose not to report anyway.
anything besides major financial institutions because I always hear about those hacks on the news.
Well, you hear about the sensational ones anyway. I'm sure there are plenty of incidents at major financial institutions that do not receive significant media coverage. Aparently Belgium, France, and Netherlands have no legal reporting requirements. [3] So, theoritically a major breach could have happened to a major financial institution in those countries and we might never hear of it.
[1]Fundamentals of network security, Eric Maiwald
This question warrants more attention than what it has been given. The OP, perhaps unknowingly so, have identified the Achilles heel of information security, namely accurately determining the probability of a threat being realized.
Granted it would impossible to answer the question without first qualifying the party asking but this question underlies, or at least should underlie, every single security decision made. The answer to this question shouldn't be squirming and awkward silence. We should be able to answer these types questions without hesitation.
Collectively, as an "industry", we've failed miserably at providing our clients with this vital data. Worse still - we've allowed it's importance to be dwarfed by fear, uncertainty, doubt and clever marketing ploys.
Like any other mature industry we should be supported by data that has been analyzed, interpreted, refined, modeled and systematized. Luckily there are a few initiatives that attempt to collect data, but collecting is only part of the solution. The real problem lies within interpreting the data and understanding relationships between sets of data.
Unless we choose to acknowledge that this is a problem there is little hope for the security "industry" to ever reach adulthood and instead we'll be stuck in this pubertal wasteland of lies and deceit.
TLDR; Unfortunately we cannot provide you with an accurate answer due to lack of supporting data. What we can do however is wave our hand in an undefined direction suggesting that an attack is likely to occur where there is low-hanging fruit. There are many types of attackers with various motivations, capabilities and resources.
If you're the victim of a targeted attack you're unlikely to have sufficient protection, just deal with it. If however your attacker is of a more "opportunistic" type and you've failed to cut your low hanging fruit, it is ... probable that he'll find you, and successfully do whatever it is that he decides to do.
In order to get a feel on this sort of thing, you might want to subscribe to the RISKS digest, which discusses ... interesting security incidents. You'll notice, however, that the general thread among them is that they vary wildly, which leads to meaningful statistics being very hard to separate from noise. Furthermore, many people who discover security incidents opt to not disclose it, and in some jurisdictions, it may even be illegal to disclose some kinds of security incidents.
The chances are high enough to actively diminish the possibility of a security breach.
If it can happen, you need to plan for it as if it will happen. That way when it does, nobody will be staring at you wondering why you didn't defend against it.
