NEW YORK (3/27/12)--Despite warnings that cybercriminals are using more sophisticated methods to hack data from financial institutions and other companies, 97% of the cyberattacks that occurred in 2011 used relatively simple methods to commit their data breaches, according to a study released Thursday by Verizon.
Of the 855 data breaches compromising 174 million records during 2011, more than 79% were attacks of opportunity. "Target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack," said Verizon's 2012 Data Breach Investigations Report.
2011 experienced the second-highest data loss since Verizon began keeping track in 2004. The annual report was compiled with help from law enforcement agencies in five countries--including the U.S. Secret Service.
Outsiders still dominated the data breaches, with 98% of breaches stemming from external agents such as organized criminal groups bent on making money. But the single most important change was the rise of "hacktivism" against larger organizations worldwide, said the report. 2011 was a year of activism on many fronts, including data breaches.
"Activist groups created their fair share of misery and mayhem last year as well--and they stole more data than any other group," said the report's executive summary. Fifty-eight percent of all data theft was tied to activist groups.
Only 4% of breaches were tied to internal employees.
How did the breaches occur? Roughly 81% used some form of basic hacking; 69% incorporated malicious software or malware; 10% involved physical attacks; 7% employed social tactics; and 5% resulted from privilege misuse.
The report noted that it was fairly easy to hack into most victims' programs; the sophisticated element of the hacks came later in the actual theft of the data, once the hackers were in. Then they often installed malware to acquire privileges, set up backdoors, enable remote control and seek sensitive data, while staying hidden on the network and covering their tracks.
Other commonalities that were found to exist:
- 94% of all data compromised involved servers;
- 85% of breaches took weeks or more to discover;
- 92% of the incidents were discovered by a third party;
- 97% of breaches were avoidable with simple or intermediate controls; and
- 96% of victims subject to Payment Card Industry Data Security Standards had not achieved compliance with the standards.
More than half the data breaches hacked the accommodations or food services industry, followed by 20% in retail trade. Finance and insurance accounted for 10% of the attacks, a significant decrease from the 22% that industry recorded in 2010.
However, when looking at the groups represented by the percent of breaches for larger organizations with 1,000 or more employees, the report gave a different picture--one of interest to credit unions. Finance and insurance account for the most records breached--28%--at larger institutions. The study also noted that large organizations have different data breach experiences than smaller ones, with more complex issues.
An analysis of the types of data stolen indicated that payment card numbers/data and authentication credentials such as user names and passwords, account for the highest percentages stolen, 48% and 42%, respectively for all organizations, and 33% and 35% for larger organizations.
All other types of data are less than 4% each, including bank account numbers/data at 2% for all organizations and 10% for large organizations.
The report emphasized taking care of shoring up the basic security measures to prevent hackers from access in the first place. If they can't get in, they can't do the damage, the report indicated.