BASKING RIDGE, N.J. – More electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, according to the 2009 Verizon Business Data Breach Investigations Report released Wednesday.
This second annual study – based on data analyzed from Verizon Business’ actual caseload comprising 285 million compromised records from 90 confirmed breaches – revealed that corporations fell victim to some of the largest cybercrimes ever during 2008. The financial sector accounted for 93 percent of all such records compromised last year, and a staggering 90 percent of these records involved groups identified by law enforcement as engaged in organized crime.
“Cybercrime is a business,” said Wade Baker, Research and Intelligence Principal at Verizon Business. “These crimes are financially motivated. All of this stolen information goes into the criminal black market, which has become very mature. Just like any market, it obeys the laws of supply and demand. The price for stolen data has fallen. Stolen credit card numbers used to cost $13 to $15. That dropped this year to less than 50 cents a piece.
“So cyber criminals have had to find a new job,” Baker said. “Or you can innovate your methods and figure out how to be more efficient or go for new types of information that holds a higher value, or larger quantities of it. If you think about our caseload, majority of them still criminals looking for low hanging fruit. But now there is a growing percentage of highly targeted attacks aimed at stores of large volumes of sensitive data. These targeted attacks doubled in 2008. Not ony are they going after your credit card numbers, they’re also going after your security pin (personal identification numbers.”
Verizon Business investigative experts found, as they did in the company’s first report covering 230 million compromised records from 2004 to 2007, that nearly nine out of 10 breaches were considered avoidable if security basics had been followed. Most of the breaches investigated did not require difficult or expensive preventive controls. The 2009 report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.
Similar to the first study’s findings, the latest study found that highly sophisticated attacks account for only 17 percent of breaches. However, these relatively few cases accounted for 95 percent of the total records breached – proving that motivated hackers know where and what to target.
This year’s key findings both support last year’s conclusions and provide new insights. These include:
Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.
Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.
In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.
Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.
Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.
Being PCI-compliant is critically important. A staggering 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.
The State of Cybercrime: 2009
As the cybercrime market continues to evolve, so do the targets, techniques and types of attackers. The big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts. In 2008, Verizon Business witnessed an explosion of attacks targeting PIN data.
These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer’s credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer’s account – whether it is a checking, savings or brokerage account — placing a greater burden on the consumer to prove that transactions are fraudulent.
The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware, to steal this valuable commodity.
The geographic distribution of external data breach sources continue to show high activity in Eastern Europe (22 percent), East Asia (18 percent) and North America (15 percent). In fact, the 2009 report shows that these regions accounted for 82 percent of all external attacks.
Among investigators, Baker said: Eastern Europe is known as a notorious haven for organized cybercrime outfits which played a major role in breaches throughout 2008.
The report shows that malicious activity from Eastern Europe is the work of organized crime. he said. On the bright sight, efforts with law enforcement led to arrests in at least 15 cases (and counting) in 2008.
Financial Services Sees Biggest Increase of Any Industry
As was the case from 2004 to 2007, data breaches investigated in 2008 affected a wide array of organizations. While the retail industry continues to be the most frequently targeted, accounting for a third of all cases, the biggest rise was in financial services, which more than doubled its share to 30 percent. But more importantly, the financial sector accounted for more than nine out of 10 of the more than 285 million records compromised.
The increase in data breaches in the financial sector reflects the recent trends in cybercriminal activity, especially the focus on acquiring PINs to sell them on the black market. Said Tippett, “The financial services firms were singled out and fell victim to some very determined, very sophisticated and, unfortunately, very successful attacks in 2008.”
Food and beverage establishments, the second most frequently hit industry in the first report, dropped to third place in 2008 with its share falling from 20 percent to 14 percent.
The number of investigations handled by the Verizon Business investigative response team outside the United States rose to more than one-third of its caseload in 2008. In addition to breaches requiring extensive investigations across the United States, many breaches hit organizations in Canada and Europe while casework continued to increase in Brazil, Indonesia, the Philippines, Japan and Australia. Assuming attackers continue to pursue soft targets internationally, concern in emerging economies can be expected to rise as well, especially with respect to consumer data.
Recommendations for Enterprises
The 2009 study again shows that simple actions, when done diligently an




