Information-services provider Verizon Business released its annual data breach report on Wednesday, documenting at least 90 confirmed data breaches compromising 285 million records.
The total number of records compromised for the year exceeded the total of the past four years combined, the company said in the report (pdf). Retail and financial firms accounted for more than two-thirds of the breaches, and eight out of every ten victims were not compliant with the Payment Card Industry (PCI) Data Security Standard, the report found. A vast majority of those incidents — 87 percent — could have been avoided with simple or intermediate-complexity security measures, Verizon Business stated.
"The compromise of sensitive information increased dramatically in 2008, and it's past time to be vigilant about enterprise security," Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, said in a statement announcing the report. "This report should serve as another wake-up call that good security and a proactive approach are paramount to running a business in this day and age -- particularly since the economic crisis is likely to trigger a further increase in criminal activity."
Massive compromises of credit- and debit-card data continued in 2009, with reports that Heartland Payment Systems had allowed millions of credit-card accounts to be stolen by data thieves armed with malicious code. In November 2008, low-level thieves — known as "cashers" — descended on more than 130 ATMs in Atlanta, Chicago, New York, Montreal, Moscow, Hong Kong and 43 other cities and depleted 100 accounts of about $9 million using account data stolen from another payment processor, RBS Worldpay.
Cybercriminals have shifted their focus to data beyond credit-card numbers, cardholder names and expiration dates, because voluminous "dumps" of such data have driven the price per record from $10 to $16 in 2007 down to less than $0.50 today, the Verizon Business report stated. Instead, data thieves are looking for bigger scores: stealing the personal identification number (PIN) that is used to prevent unauthorized access to account holders' bank accounts.
"These PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks," the report stated. "This is because PIN fraud typically leads to cash being withdrawn directly from the consumer's account, whether it be a checking, savings, or brokerage account."
Moreover, cybercriminals are using more sophisticated malware that, rather than relying on data stored on a system's hard drive, steals it directly from memory, where it is frequently left unencrypted, the report stated.
"This has led to the successful execution of complex attack strategies previously thought to be only theoretically possible," the report's authors said. "As a result, our 2008 caseload is reflective of these trends and includes more targeted, cutting edge, complex, and clever cybercrime attacks than seen in previous years."
While three-quarters of the cases had an external attacker involved, internal attacks caused much more damage, the report found.
Another report released in February found that, while the number of data breaches has risen, the cost of responding to breaches has fallen as companies gain more experience in dealing with security incidents.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos