Fewer than one third of businesses identify data breaches themselves, say Trustwave

Out-Law News | 21 May 2014 | 1:59 pm | 2 min. read

Most businesses rely on others to make them aware that they have fallen victim to a data breach, according to a new study.

Information security provider Trustwave conducted investigations into 691 data breach incidents that occurred during 2013 and found that in 71% of cases the businesses affected "did not detect breaches themselves".

"To outsiders it may seem odd that organisations do not immediately know that they have suffered a breach," John Yeo, director of Trustwave, told Out-Law.com. "However, of the breaches we investigated in only 29% of cases were businesses able to figure out a data breach themselves."

Yeo said that in the remainder of cases businesses were reliant on third parties such as regulators, business partners or customers notifying them of a breach. He said that organisations that do not identify data breaches themselves take longer, on average, to contain such breaches and that this often has a knock-on effect on the costs businesses incur as a result of those breaches.

According to Trustwave's global security report for 2014, 49% of the data breach cases it investigated last year took at least three months to contain after the initial point of intrusion. The median time it took businesses to detect a breach themselves following intrusion was 31.5 days, compared to 108 days in cases of third party notifications of a breach.

"Breaches that were self identified led to shorter durations, which cut down on the time an attacker could siphon data from compromised systems and helped limit the repercussions," the report said.

Cyber criminals are primarily focused on stealing data from e-commerce websites, the report also highlighted, with 54% of Trustwave's investigations concerning data stolen from such sites.

Yeo said that hackers were generally targeting weaknesses in the security of e-commerce sites instead of 'point of sale' terminals following a tightening of security around 'chip and pin' data storage and processing. In many countries such as the UK, he said, it has become harder for criminals to steal payment card holders' account number, expiry date and security code details from point of sale transactions and that this has therefore driven the criminals to look into weaknesses in e-commerce site security instead.

By being able to potentially steal all that payment card data at once, the criminals are able to perpetuate fraud against other retailers in other "card not present" attacks, Yeo said.

Although payment card data remains the most targeted set of data by criminals, the Trustwave report highlighted an increase in the theft of other types of data too in the data breaches it investigated.

"Not surprisingly, payment card data still tops the list when it comes to data theft," the report said. "However, in 2013, we saw another noteworthy trend playing out in parallel. Our investigations showed an increase of 33% of cases involving the theft of non-payment card data, including sensitive and confidential information, such as financial credentials, internal communications, merchant ID numbers, and other personally identifiable information (PII)."

"If this data set speaks to broader trends, it appears that attackers are more aggressively setting their sights on other types of confidential data, and businesses that don’t process payment cards should prepare to take action. Particularly notable in our analysis of data theft in 2013 is a 22% increase in the theft of financial account credentials," it said.