Want CNET to notify you of price drops and the latest stories?

Verizon: More breaches but less data lost. Huh?!

Hacking, malware, and physical attacks such as ATM and gas pump skimming are the most popular methods for stealing data, report says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
4 min read
Verizon's report found that hacking, malware, and physical attacks were the most common in data breaches.
Verizon's report found that hacking, malware, and physical attacks were the most common in data breaches. Verizon

Verizon's Data Breach Investigations Report for last year is a bit of a head scratcher. It shows that while the number of data breaches from cyber attacks rose, the amount of compromised records lost has fallen.

While there were 760 data breaches recorded by Verizon and the U.S. Secret Service in 2010 (up from about 140 in 2009), there were only 4 million compromised records involved (way down from 144 million in 2009), according to the Verizon 2011 Data Breach Investigations Report scheduled to be released on Tuesday. The figures represent both a record high number of incidents and a record low records lost amount for any of the seven years Verizon has been keeping track.

The seeming contradiction between the low number of records lost and the high number of breaches could relate to the fact that there were fewer massive data breaches as there have been in the past as criminals focus on opportunistic attacks on smaller companies (with 11 to 100 employees) that may not have the best security measures in place, Alex Hutton, principal for research and intelligence at Verizon, told CNET in an interview.

The increase in those types of smaller, highly-automated external attacks could explain why outsiders were responsible for most of the breaches (92 percent), up 22 percent from the previous year.

"There has been a shift in the threat landscape, and organized crime is targeting medium to small-sized businesses in the U.S.," Hutton said. "What we're seeing is the bad guys exploiting people who haven't taken basic security considerations into account in their small business. An attacker is running an automated attack, basically looking for people who have let their guards down. They are introducing malware into the environment, and if it's credit cards they are after they'll just scoop up a handful at a time."

But why just a handful?

"A couple of reasons," he said. "First, they probably want to evade detection. Stealing lots of credit cards attracts unwanted attention. Also the resale value of credit cards is low on the black market, so criminals could just be trying to make a quick buck before the data becomes worthless."

Next year's report will likely get a hit from the recent data breach at e-mail marketing services firm Epsilon that prompted several dozen companies, including Citibank, Chase, Capital One, Walgreens, Target, Best Buy and even Verizon, to notify customers that their names and e-mail addresses were exposed. Epsilon has not explained how the breach happened.

Hutton said he could not comment on a particular case, but said that incidents are included in the report for the year in which they are concluded, regardless of when they began.

The most common types of attacks were hacking (50 percent) and malware (49 percent), and many of those involved use of weak or stolen credentials and passwords. Malware was responsible for nearly 80 percent of the lost data, with attackers using malicious software to send data to outside servers, open up back doors on compromised computers, and install keyloggers.

Most of the breaches could have been avoided with basic, affordable security measures, the report said. Nearly two-thirds of the malware investigated in the Verizon caseload, not including the statistics from the U.S. Secret Service, was customized.

Tampering with ATMs, gas terminals
For the first time ever, physical attacks--such as compromising ATMs and gas pump payment terminals--appeared as one of the three most popular data theft methods, representing nearly 30 percent of all cases investigated and typically conducted by organized crime. ATM skimmers are getting more sophisticated, with some including Bluetooth technology and allowing criminals to retrieve the stolen data wirelessly, without having to go back to the machine and risk getting caught, according to the report.

"The latest evolution in data retrieval is the use of technology, again embedded in the skimmer, that utilizes GSM (Global System for Mobile Communications) standards and will text captured data in real-time to the criminal's cell phone," the report said.

Less common because they are harder to accomplish are device tampering of point-of-sale terminals at checkout counters inside stores. Criminals are replacing the terminals with devices of their own that capture and store payment card data as it is passed from the swipe reader to the terminal. To get the devices in the stores, criminals are dressing in uniforms and pretending to be technicians doing scheduled maintenance, according to the report.

The report did not go into detail about what type of data was compromised. A report from The Identity Theft Resource Center (ITRC) in January listed 662 breaches last year with 62 percent exposing Social Security numbers and 26 percent representing credit or debit card numbers. "The nation needs a centralized, publicly available, data breach reporting site," the ITRC said. "It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened."

The data used in the Verizon report, which is believed to be the most comprehensive breach database, comes from investigations and reports around the world. This is the first year the report includes statistics from a non-U.S. source, Verizon said. Information from the National High Tech Crimes Unit of the Netherlands Policy Agency added insight into the analysis of cases from Europe. However, the Dutch figures were not mixed in with the incident and records loss figures compiled by Verizon and the U.S. Secret Service but separated out as an appendix.