Financially motivated cybercrime accounted for 75% of data breaches in 2012, with state-affiliated espionage campaigns aimed at stealing intellectual property ranking second at 20%, according to the Verizon 2013 Data Breach Investigations Report released on Tuesday.
In 2012, breaches affecting financial organizations accounted for 37% of the total, followed by retailers and restaurants (24%); manufacturing, transportation and utilities (20%), and information and professional services firms (20%). Of all cyberattacks, 38% impacted larger organizations and represented 27 countries, according to the report issued by Verizon Enterprise Solutions, a unit of New York City-based phone company Verizon Communications Inc. that provides data-security services. Verizon began issuing annual data-breach reports in 2008.
Financial information, including payment card data, “continues to be a sizeable target” for organized crime groups, says Chris Novak, senior analyst with Verizon’s RISK team. “Every now and then, you still have your individual actors but a lot of it is organized crime, and a lot of that tends to be sourced out of Eastern Bloc countries that we’ve seen historically involved in this kind of activity.”
The report covers 621 confirmed data breaches, more than 47,000 reported security incidents and at least 44 million compromised records occurring in 2012. Verizon and 18 organizations worldwide contributed data and analysis to the report.
As in previous years, external attacks remained largely responsible for data breaches in 2012, with 92% attributable to outsiders such as organized crime, activist groups, and former employees. Breaches can have more than one type of perpetrator Some 14% of breaches were committed by insiders, while business partners were responsible for about 1%, and 7% of breaches involved multiple partners. The report attributes 19% of breaches to state-affiliated actors.
Hacking remains the top attack method, accounting for 52% of data breaches. Seventy-six percent of network intrusions exploited weak or stolen credentials (user names and passwords); 40% incorporated malware; 35% involved physical attacks such as ATM skimming; and 29% used social tactics, such as phishing in which the sender tries to lure someone into opening a legitimate-appearing e-mail that could plant malware or otherwise compromise a computer. The proportion of breaches incorporating social tactics was four times higher in 2012, due in large part to use of the tactic in targeted espionage campaigns, according to the report.
Social tactics such as spear-phishing can be a “targeted, pin-hole into an organization through a weakness in their security,” giving the fraudster access to data throughout the organization, Novak says. For example, rather than mass-mailing phishing messages to all employees in an organization, criminals are gathering information on key employees off the Web and sending targeted messages designed to get the recipients to answer the e-mail, Novak says.
“Many of the organizations try to solve the security problem through technology alone,” he says. “But at the end of the day, the human factor is a very large factor in the equation.”
The time gap between the actual data compromise and discovery by the targeted institutions continued to be measured in months and years rather than hours and days. In 2012, 62% of breaches went undiscovered for months or more, compared to 55% in 2011 and 67% in 2008.
“Organizations generally have so much data, they can’t reasonably look at it,” Novak says. “It gets offloaded somewhere—put on a server, put in a box, sent to a storage facility—but it just doesn’t get looked at or an organization doesn’t have a strategy to correlate it.”
That means organizations often don’t know where to look or what to look for to scan for data breaches, Novak says. “The only way they’re noticing is the situation has to bubble up to a point where it’s almost obvious or a third party comes to them.”
Third parties continue to detect the majority of breaches (69%), indicating a lack of internal detection capability, according to the report. That compares to a high of 92% in 2011 and 75% in 2008.