Breachers Down but Not Out
Breaches could still be avoided, report notes.
The good news is that the number of data breaches is declining. The bad news is that most data breaches could still be avoided.
Those are just two conclusions from the 2010 Verizon Data Breach Investigations Report that the telco giant says it produced with help from a prominent partner -- the United States Secret Service. (The Secret Service is tasked with investigating financial crimes.)
"The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime," said Peter Tippett, vice president of technology and enterprise innovation with Verizon. He spins his company’s collaboration with the Secret Service as a harbinger of what’s to come.
"As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools, and services that will continue to make a difference," Tippett said.
Although the number of data breaches in absolute terms was down, the Verizon report found that crackers are making greater use of both insider access and social engineering. The report also identified the ongoing “strong” involvement of organized crime, which Verizon says is responsible for the overwhelming majority (as much as 85 percent) of all data breach exploits.
Almost seven in ten data breaches were attributed to external sources; just 11 percent were caused by business partners. On the other hand, external crackers are increasingly likely to make use of internal help: almost half (49 percent) of data breaches were actually facilitated by insider access, according to the report. That’s a marked increase from previous studies.
Nearly half (48 percent) of breaches likewise involved privilege misuse, chiefly on the part of rogue insiders. Additionally, four in ten breaches made use of hacking efforts (either by themselves or in combination with other tactics), while more than a quarter (28 percent) involved the use of social tactics. Just one in seven (14 percent) were achieved by physical attacks.
Most data breaches could have been avoided, according to Verizon. Researchers estimate that just 15 percent of data breaches involved “highly difficult” exploits; what’s more, the overwhelming majority (87 percent) of victims failed to detect evidence of breaches in their log files.
The biggest targets, now as ever, are financial services, hospitality, and retail (what Verizon calls the “Big Three”). These sectors accounted for 71 percent of data breaches. Financial services, in particular, is becoming a magnet for cracking activity: according to Verizon, an “astounding 94 percent of all compromised records in 2009 were attributable to financial services.”
There’s an obvious reason for this, according to the report. "Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size," researchers observed.