More electronic records were breached in 2008 than in the previous four years combined, and most of those breaches were initiated by external sources and took place in the financial industry, according to the 2009 Verizon Business Data Breach Investigations Report (pdf).
This second annual study revealed that corporations fell victim to some of the largest cybercrimes ever during 2008. The financial sector accounted for 93% of all such records compromised last year, and 90% of these records involved groups identified by law enforcement as engaged in organized crime.
Verizon Business investigators found – as they did in the company’s first report covering 230 million compromised records from 2004 to 2007 – that nearly nine out of 10 breaches were considered avoidable if security basics had been followed. The report found that most of the breaches investigated did not require difficult or expensive preventive controls and that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.
Similar to the first study’s findings, the latest study found that highly sophisticated attacks account for only 17% of breaches. However, these relatively few cases accounted for 95% of the total records breached – proving that motivated hackers know where and what to target, Verizon said.
Additional findings from Verizon’s report:
- Most data breaches investigated were caused by external sources. Nearly three-fourths (74%) of data breaches came from outside an organization, while 20% were initiated internally and 32% came from partner organizations (the categories overlap because a single breach can involve more than one source).
- The largest share of external data breaches originated from sources in Eastern Europe, East Asia and North America; these regions combined accounted for 82% of all external attacks.
- Most breaches (64%) resulted from a combination of events rather than a single action. For example, an attacker might exploit a mistake committed by the victim, hack into the network, and then install malware on a system to collect data.
- In 69% of cases, the breach was discovered by third parties – most organizations do not discover their own breaches.
- Nearly all records compromised in 2008 came from online assets rather than from records stored on desktops, mobile devices, portable media and the like: 99% of all breached records were taken from servers and applications.
- Roughly 20% of 2008 cases involved more than one breach.
- Being Payment Card Industry (PCI)-compliant is critically important: 81% of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.
The report also found that data breaches investigated in 2008 affected a wide array of organizations:
- The retail industry accounts for nearly a third of all cases.
- Food and beverage establishments, the second most frequently hit industry in the first report, dropped to 14% in 2008, down from 20%.
Verizon emphasized that cybercrime continues to evolve and that new methods, such as memory-scraping malware, are being used to steal the personal identification numbers (PINs) associated with credit and debit accounts in order to withdraw cash directly from consumers’ accounts.
“The compromise of sensitive information increased dramatically in 2008, and it’s past time to be vigilant about enterprise security,” said Peter Tippett, VP of research and intelligence for Verizon Business Security Solutions. “This report should serve as another wake-up call that good security and a proactive approach are paramount to running a business in this day and age – particularly since the economic crisis is likely to trigger a further increase in criminal activity.”