Verizon gets industry-specific in breach report

Risks factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, according to a report released Thursday by Verizon Communications.

The new report (PDF) builds on data released in June. The initial report spanned four years and included more than 500 forensic investigations involving 230 million compromised records.

In the initial report, Verizon found that 73 percent of the data breaches were the result of outside sources, with only 18 percent from insider threats. Of the outside sources, 39 percent were attributed to business partners. But that's an average.

The new report drills down within four key industries: financial services, tech, retail, and food and beverage. The four constitute 82 percent of all the attacks in the original Verizon report.

"The nature of the threat being faced by each of these industries is somewhat unique," said Bryan Sartin, co-author of the report and director of investigative response for Verizon Business security solutions. Verizon Business is the company's unit dedicated to enterprise and government customers.

The other 18 percent of attacks noted in the June data target manufacturing, hospitality, government, entertainment, education, and "other."

The attacks on the financial industry tend to be sophisticated, Sartin said. A majority come from outside hackers, although a healthy amount could also be attributed to insiders who have been granted access to the data.

"If it's someone using or abusing a legitimate level of access granted to them for the purposes of a security breach, they don't need fancy hacking tools to get access to these systems. They just need anti-forensics tools to cover their tracks on the way out," he said.

Tech industry attacks are similar to those seen in financial services.

Sartin suggests that retail and food and beverage, which includes restaurants and grocery stores, are the polar opposite. In both retail and food, less sophisticated attacks are used and are often the result of a compromised third-party vendor.

In retail and food, the establishment may own the user name and password to the computer system, but someone else actually provides the point of sale (POS) service for them. In environments that rely upon external support, Sartin said, "we also see more and more where these third parties are specifically misusing that level of access granted to them."

Verizon Business investigators will often see a dozen restaurant chains citing the same problem and the same complaints from their customers, Sartin said. "You'll see that they have the same fraud patterns and the same fraud spend (illegitimate purchases), all within the same time frame. So it's compelling circumstantial evidence that it's the same perpetrator doing the same things we've seen elsewhere. And we can get good insight into how they did it. It always suggests that it was a vendor."

Sartin also outlined a scenario in which organized crime members go to "individuals inside the call centers and support centers and say, 'Hey, if you need money' or 'If you hate your job, we're your solution. Just give us access to the data. Better yet, just give us the data. Give us the keys to your customers, and we'll make it worth your while.'"

The goal of the two reports, Sartin said, is to give detailed insight into how data breaches occur, so that companies can address the problems within their specific industry.