
174 million records compromised in 855 data breach incidents last year, says report

Out-Law News | 24 Oct 2012 | 3:49 pm | 3 min. read

Almost every small business that was victim to a data security breach last year that was required to comply with payment card processing standards failed to do so, according to a new report by a US telecoms firm.

Verizon's Data Breach Investigations Report (92-page / 3.47MB PDF) (DBIR) covering the year 2011 found that 174 million records were compromised in a total of 855 data breaches in what it called "an all time low" for protection against data breaches.

The report outlined that 96% of firms that were required to comply with the Payment Card Industry Data Security Standard (PCI DSS) and that fell victim to data breaches recorded in Verizon's own "caseload" from last year were not compliant with the standard.

"We are seeing a continuing trend whereby more of the organisations that fall in the 96% tend to be on the small side," Verizon said in the report. "In many cases these organisations have either failed to perform their (self) assessments or failed to meet one or more of the requirements. The most notable distinction here is that of the merchant failing to perform its assessment or achieving compliance versus a failure of the PCI DSS itself."

"Because these are confirmed data breach victims, obvious questions arise with respect to the compliance status of these organisations," it said.

PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions. The standard was established by the PCI Security Standard Council which comprises major payment card brands including American Express, Visa and MasterCard.

In August last year the UK's data protection watchdog, the Information Commissioner's Office (ICO), warned UK businesses that they risk being fined for a serious breach of the Data Protection Act if they fall short of PCI DSS requirements.

Verizon's DBIR 2012 outlined that, in 2011, more than 174 million individual records of information were "compromised" as a result of data breaches.

Including data provided to the company by a number of law enforcement bodies based around the world, including the US Secret Service, the UK's Metropolitan Police and other bodies from Ireland, the Netherlands and Australia, there were 855 separate data breaches recorded last year.

Verizon said that since publishing its DBIR in 2004, there have been "well over 2000 breaches, and greater than one billion compromised records."

The report said that "external agents" were responsible for 98% of data breach incidents. These agents consisted of a mixture of "organised criminals" and "activists", whilst the "theft of corporate and personal information" was a "core tactic" of those responsible, it said. In 4% of cases, internal employees were "implicated" in the breaches.

The behaviour of those responsible for breaches was unpredictable as they did not always target organisations with the most money or valuable information, Verizon added in its report.

"Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets," the report said. "Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property."

In 81% of cases those responsible for breaches "utilised some form of hacking". This represented an increase from 2010 where 50% of cases involved hacking. Verizon's report also detailed a rise in the use of malicious software to help hackers expose data.

"Incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records," the report said. "This makes sense, as these threat actions remain the favoured tools of external agents, who ... were behind most breaches. Many attacks continue to thwart or circumvent authentication by combining stolen or guessed credentials (to gain access) with backdoors (to retain access)."

The report also detailed a fall in the proportion of "physical attacks", at ATMs for example, whilst 5% of data breaches occurred as a result of individuals misusing privileges.

Verizon said that 79% of data breach victims were the "targets of opportunity".

"Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack," the report said. "Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult."

"Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained. Given this, it’s not surprising that most breaches were avoidable (at least in hindsight) without difficult or expensive countermeasures," it said.