BASKING RIDGE, N.J. (4/16/09)--Financial institutions and other corporations fell victim during 2008 to some of the largest cybercrimes ever, with 285 million compromised records stemming from 90 confirmed data breaches, according to a new study released Wednesday by Verizon Business. More electronic records were breached in 2008 than in the previous four years combined.

The financial services sector accounted for 93% of all compromised records and 30% of the breaches analyzed, said the "2009 Verizon Business Data Breach Investigations Report." Organized crime was strongly involved in more than 90% of the compromised records.

Most (74%) data breaches were caused by external sources, while 32% were linked to business partners, the study said. Contrary to the widely held belief that most fraud comes from inside, the study found that only 20% of last year's breaches were attributed to insiders.

Most breaches resulted from a combination of events rather than a single action, said the study's executive summary. Of the breaches, 64% were by hackers who used a combination of methods. In most successful breaches, the attacker exploited a mistake committed by the victim, hacked into the network and installed malware to collect data from the victim's systems.

In 68% of the cases, the breach was discovered by third parties. During the past five years, few victims discovered their own breaches, said Verizon.

Nearly all records compromised in 2008 were from online assets. Despite concern about desktops, mobile devices and portable media, 99% of all breached records were attributed to compromised servers and applications.

About 20% of last year's cases involved more than one breach, with multiple distinct entities or locations individually compromised as the result of a single case. Half of those consisted of interrelated incidents, often caused by the same individuals.
A staggering 81% of the victims were not compliant with the Payment Card Industry Data Security Standard (PCI-DSS), the study found. What's more, 83% of the attacks were not highly difficult, and 87% were considered avoidable through simple or intermediate controls. In 2008, Verizon said attacks targeting personal identification numbers (PINs) exploded. The big money for cybercriminals is in stealing PIN information with associated credit and debit card accounts. "This report should serve as another wake-up call that good security and a proactive approach are paramount to running a business in this day and age--particularly since the economic crisis is likely to trigger a further increase in criminal activity," said Dr. Peter Tippett, vice president of research and intelligence at Verizon Business Security Solutions. "The financial services firms were singled out and fell victim to some very determined, very sophisticated and, unfortunately, very successful attacks in 2008," he noted. "This report shows it's not about clever or complex security protection measures. It really boils down to ensuring the basics are met from planning to implementation to monitoring the data," Tippett added. Verizon offered several recommendations for businesses:
* Change default credentials often;
* Avoid shared credentials;
* Review user accounts;
* Employ application testing and code review;
* Patch comprehensively;
* Assure human resources uses effective termination procedures;
* Enable application logs and monitor them;
* Define what's "suspicious" and "anomalous."