One of the annual studies I most anticipate has just come out, and its findings are both informative and frightening.
The 2013 Data Breach Investigations Report (DBIR) was compiled by the Verizon RISK team with cooperation from 19 other organizations including Homeland Security and the Secret Service in the U.S., and Europol on the other side of the Atlantic.
In 2012, according to the study, there were more than 47,000 reported security incidents and 621 confirmed data breaches with at least 44 million compromised records. Over the entire nine-year range of this study, that tally now exceeds 2,500 confirmed data breaches and 1.1 billion compromised records.
According to the report, in 2012, 52 percent of breaches were via hacking, some 40 percent from malware, 76 percent of network intrusions exploited weak or stolen credentials, and 35 percent involved physical attacks. Some 29 percent leveraged social tactics, and 13 percent arose from privilege misuse and abuse.
Victims in this report span restaurants, retailers, media companies, banks, utilities, engineering firms, multi-national corporations, security providers, defense contractors, government agencies, and more across the globe. A definite relationship exists between the type of company being breached and the motive for the attack. Customer records were the target in hacks of retailers, while intellectual property was the target of most corporate hack attacks.
- 37% of breaches affected financial organizations
- 24% of breaches occurred in retail environments and restaurants
- 20% of network intrusions involved manufacturing, transportation, and utilities
- 20% of network intrusions hit information and professional services firms
- 38% of breaches impacted larger organizations
- 27 different countries are represented
Concerning financial institutions, Verizon says this large percentage of breaches was mainly due to ATM skimming incidents. Once skimming incidents are excluded, the financial sector drops well down the list of targets.
The report noted that "more than half of all external breaches can be traced to organized criminal groups, reflecting the high prevalence of illicit activities associated with threat actors of this ilk, such as spamming, scamming, payment fraud, account takeovers and identity theft."
"Hacking was the no. 1 way breaches occurred — factoring in 52 percent of data breaches; while 76 percent of network intrusions exploited weak or stolen credentials such as usernames and passwords. 40 percent incorporated malware tactics and 35 percent involved physical attacks, such as ATM skimming. Additionally, phishing factored in 20 percent of cases in the report."
Perhaps most troubling was the finding that "Breaches continue to go undiscovered for months, or even years. And in 69 percent of cases, third parties are the ones who detect a data breach."
Many times, by the time a data breach is finally reported to the people whose personal information was compromised, months have passed since it occurred, and by the time they learn they might be in danger, the damage may already have been done.
Sometimes months pass before a hacking victim admits to the breach and notifies those who might be affected. This lack of timely reporting by agencies and companies is due to embarrassment, as well as the fear that they may be held liable. The delay in notification has long worried consumer advocates, but companies have fought any requirement that would oblige them to report data loss promptly.
In Europe, the European Commission is considering a plan to require companies that store data on the Internet — such as Microsoft, Apple, Google and retailers — to report the loss or theft of personal information or risk sanctions and fines. The plan faces stiff opposition.
In the United States, Web businesses are not required to give notification of data breaches, and the rules that do exist are set by state law. As in Europe, attempts to create a national breach reporting mandate have been defeated in the face of business opposition.
Twice now Sen. Dianne Feinstein (D-CA) has introduced legislation — the Data Breach Notification Act — "to require Federal agencies, and companies and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information." Her bill has never gotten out of committee.
So what's the bottom line for you, the consumer? Understand that there are threats out there. Be careful and cautious with your information and take breach notices seriously.