Data Breaches Make 2008 a "Chaotic Period" for Businesses, Says Report

By Matthew Harwood

As business firms and consumers braved a "tumultuous year" of market plunges and business failures, a team of forensic data security researchers identified another threat to economic harmony: large data breaches.

In just 90 confirmed data breaches in its caseload last year, 285 million records were compromised, reports Verizon Business RISK Team in its 2009 Data Breach Investigations Report.

"These events served as a reminder that, in addition to our markets, the safety and security of our information could not be assured either," the report said.

The total number of records compromised in 2008 exceeds the total number between 2004-2007, which were analyzed in last year's report.

"In the most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data," according to the report. "98 percent of all records breached included at least one of these attributes."

Similar to last year's report, 74 percent of the confirmed breaches originated from external sources, up 1 percent. Organized criminal groups were responsible for 91 percent of all records compromised.

Insiders, like end-users and IT administrators, were responsible for one in five breaches. Several breaches were conducted by recently fired employees, which according to the report "obviously speaks to the need for termination plans that are timely and encompass all areas of access." These actions include decommissioning accounts, disabling privileges, and escorting fired employees off premises.

There was, however, some slightly good news: business partners in 2008 were less implicated in such breaches than previously.  Last year's analysis reported that  39 percent of the breaches implicated a business partner. It fell seven points in 2008 to 32 percent.

The most successful breaches were also much more sophisticated, the report notes, as data thieves try to increase profit margins hurt by a swollen market for payment card information.

Stolen credit card data used to command between $10 and $16 per record during mid-2007. It's virtually worthless now, selling at $0.50 per record.

The big money maker for cybercriminals now is stealing both the payment card data and the personal identification number. This makes stealing easier on criminals and harder for consumers to challenge their card activity.

"PIN fraud typically leads to cash being withdrawn directly from the consumer's account—whether it be a checking, savings, or brokerage account," the report notes. "Furthermore, PIN fraud typically places a larger share of the burden upon the consumer to prove that transactions are fraudulent."

Sophisticated attacks, while only accounting for 17 percent of the total, compromised 95 percent of records analyzed.

Four out of five businesses breached that were subject to the Payment Card Industry Data Security Standard were not compliant.

The industries most likely to be breached were the retail and financial services, although the damage in the financial sector was most severe. Of the 285 million records compromised in Verizon's caseload last year, 93 percent were in the financial services industry.

Admitting that it's difficult to determine the source of an attack, the Verizon Business RISK Team says locations in East Europe, East Asia, and North America were most responsible for attacks in 2008, much like last year.

So what should businesses do to protect their data?

The report recommends five basic mitigation efforts: ensure essential controls are met; find, track, and assess data; collect and monitor event logs; audit user accounts and credentials; and test and review web applications.

In a perfect world, businesses wouldn't have to store any information and there wouldn't be any risk. But that's not realistic, the report admits.

"The next best thing is to retain only what is required for business or legal reasons, to know where it lives and flows, and to protect it diligently."


View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.