Report: Most data breaches tied to organized crime

Verizon's annual data breach report combines data from the U.S. Secret Service and covers more than 143 million compromised records.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
Misuse of access privileges, hacking, and malware were the most commonly used methods for stealing data, the report found.
Misuse of access privileges, hacking, and malware were the most commonly used methods for stealing data, the report found. Verizon

Organized criminals were responsible for 85 percent of all stolen data last year and of the unauthorized access incidents, 38 percent of the data breaches took advantage of stolen login credentials, according to the 2010 Verizon Data Breach Investigations report to be released on Wednesday.

While external agents were behind 70 percent of the breaches, nearly 50 percent were caused by insiders and only 11 percent were attributed to business partners, concluded the report, which focused on data breaches that took place in 2009.

The study combined data from investigations and statistics worldwide compiled by Verizon and the U.S. Secret Service in which 141 cases were analyzed involving more than 143 million compromised data records, compared with the more than 360 million records compromised in 2008.

Most of the externally originated breaches came from Eastern Europe, North America, and East Asia, the data shows.

Nearly 50 percent of breaches involved misuse of user privileges, while 40 percent resulted from hacking, 38 percent used malware, 28 percent used social engineering tactics, and about 15 percent were physical attacks.

There was not one single confirmed intrusion that exploited a patchable vulnerability, reflecting that fact that many of the most common hacking methods--SQL injection, stolen credentials, and backdoors--exploit problems that can't be readily patched.

"Attackers really do seem to be not so much concerned with finding software vulnerabilities as much as finding types of misconfigurations that let them in the door," Wade Baker, director of risk intelligence for Verizon Business, told CNET on Tuesday.

Ninety-six percent of the breaches in the study were avoidable through simple or intermediate controls and nearly 80 percent of the victims who are subject to PCI DSS (Payment Card Industry Data Security Standard) guidelines had not achieved compliance.

Factoring in the Secret Service data, Verizon's data breach investigations span six years, more than 900 breaches and more than 900 million compromised records.

Meanwhile, a Ponemon Institute report released earlier this week found that the median annualized cost of cybercrime for 45 organizations that participated in the study was $3.8 million per year and data theft accounts for the greatest amount of total external costs.