Hackers With Conscience
Verizon data-breach study shows "hacktivism" on rise
Published in CSP Daily News
NEW YORK -- Maybe it's not about the money after all. An increasing number of data breaches are coming from individuals who are motivated not by money, but by making political and social statements, according to a study out today.
The "Verizon 2012 Data Breach Investigations Report" revealed a dramatic rise of "hacktivism," accounting for 58% of data stolen in 2011. According to the annual report released today from Verizon, the new trend contrasts sharply with the data-breach patterns of past several years, during which the majority of attacks were carried out by cyber-criminals, whose primary motivation was financial gain.
"With the participation of our law enforcement partners around the globe, the '2012 Data Breach Investigations Report' offers what we believe is the most comprehensive look ever into the state of cyber-security," said Wade Baker, Verizon's director of risk intelligence. "Our goal is to increase the awareness of global cybercrime in an effort to improve the security industry's ability to fight it while helping government agencies and private sector organizations develop their own tailored security plans."
The oil industry may need to take heed of this trend, according to Chris Novak, managing principle of investigative response for Verizon. He told CSP Daily News that activists focus on environmental issues and issues that attract the public's attention. "When you hear from the media that gas prices may hit $5 … the more you're going to see [breaches]," Novak said. "Hactivists will look for anything that grabs [public] interest."
A total of 79% of attacks represented in the report were "opportunistic," the report said. Of all attacks, 96% were "not highly difficult." Additionally, 97% were avoidable or without the need for organizations to resort to difficult or expensive countermeasures.
External attacks remain largely responsible for data breaches, with 98% of them attributable to outsiders. This group includes organized crime, activist groups, former employees, lone hackers and even organizations sponsored by foreign governments. With a rise in external attacks, the proportion of insider incidents declined again this year to 4%. Business partners were responsible for less than 1% of data breaches.
In terms of attack methods, hacking and malware have continued to increase. In fact, hacking was a factor in 81% of data breaches and in 99% of data lost. "Malware," or malicious software made specifically to disrupt computers, also played a large part in data breaches. It appeared in 69% of breaches and 95% of compromised records. Hacking and malware are favored by external attackers, as these methods allow them to attack multiple victims at the same time from remote locations. Many hacking and malware tools are designed to be easy and simple for criminals to use.
Additionally, the compromise-to-discovery timeline continues to be measured in months and even years, as opposed to hours and days. Finally, third parties continue to detect the majority of breaches (92%).
Verizon officials summarized the report's key findings:
- Industrial espionage revealed criminal interest in stealing trade secrets and gaining access to intellectual property. This trend, while less frequent, has serious implications for the security of corporate data, especially if it accelerates.
- External attacks increased. Since hacktivism is a factor in more than half of the breaches, attacks are predominantly led by outsiders. Only 4% of attacks implicate internal employees.
- Hacking and malware dominate. The use of hacking and malware increased in conjunction with the rise in external attacks in 2011. Hacking appeared in 81% of breaches (compared with 50% in 2010), and malware appeared in 69% (compared with 49% in 2010). Hacking and malware offer outsiders an easy way to exploit security flaws and gain access to confidential data.
- Personally identifiable information (PII) has become a jackpot for criminals. PII, which can include a person's name, contact information and social security number, is increasingly becoming a choice target. In 2011, 95% of records loss included personal information, compared with only 1% in 2010.
- *Compliance does not equal security. While compliance programs, such as the Payment Card Industry (PCI) Data Security Standard, provide sound steps to increasing security, but being PCI compliant does not make an organization immune from attacks.
Now in its fifth year of publication, the report spans 855 data breaches across 174 million stolen records--the second-highest data loss that the Verizon RISK team has seen since it began collecting data in 2004. Verizon was joined by five partners that contributed data to this year's report: the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police.
[Editor's Note: The report also made recommendations on how large and small companies can avoid becoming victims of cyber-hacking. Look for those tips in tomorrow's CSP Daily News.]