Data loss through cyber-attacks decreased markedly in 2010, but the
total number of breaches was higher than ever, according to Verizon’s
“2011 Data Breach Investigations Report.” The number of compromised
records involved in data breaches investigated by Verizon and the U.S.
Secret Service dropped from 144 million in 2009 to only 4 million in
2010, representing the lowest volume of data loss since the report’s
launch in 2008. However, this year’s report covers approximately 760
data breaches, the largest caseload to date.
According to the report, the seeming contradiction between the low data
loss and the high number of breaches likely stems from a significant
decline in large-scale breaches, caused by a change in tactics by
cyber-criminals. The report found they are now engaging in small,
opportunistic attacks rather than large-scale, difficult attacks and
are using relatively unsophisticated methods to successfully penetrate
organizations. For example, only three percent of breaches were
considered unavoidable without extremely difficult or expensive
corrective action.
The report also found that outsiders are responsible for 92 percent of
breaches, a significant increase from the 2010 findings. Although the
percentage of insider attacks decreased significantly over the previous
year (16 percent versus 49 percent), this is largely due to the large
increase in smaller external attacks. “As a result, the total number of
insider attacks actually remained relatively constant,” the report
noted.
Hacking (50 percent) and malware (49 percent) were the most prominent
types of attack, with many of those attacks involving weak or stolen
credentials and passwords. For the first time, physical attacks, such
as compromising ATMs, appeared as one of the three most common ways to
steal information, and constituted 29 percent of all cases investigated.
“Through our Data Breach Investigations Report series, Verizon
continues to provide the industry with a first-hand look at cyber-crime
around the globe,” said Peter Tippett, Verizon’s vice president of
security and industry solutions. “This year, we witnessed highly
automated and prolific external attacks, low and slow attacks,
intricate internal fraud rings, countrywide device-tampering schemes,
cunning social engineering plots and more. And yet, at the end of the day,
we found once again that the vast majority of breaches can be avoided
without extremely difficult, expensive security measures.”
The Data Breach Investigations Report (DBIR) series now spans seven
years and more than 1,700 breaches involving more than 900 million
compromised records. For the second year in a row, the U.S. Secret
Service collaborated with Verizon in preparing the report. In addition,
the National High Tech Crime Unit of the Netherlands Police Agency
(KLPD) joined the team this year; approximately one-third of Verizon’s
cases originated in either Europe or the Asia-Pacific region.
“Americans over the past several years have seen the significant
impacts data breaches are having on our nation’s financial
infrastructure,” said U.S. Secret Service assistant director A.T.
Smith. “Today cyber criminals are operating in nearly every civilized
nation in the world, exposing Americans’ personal information, either
stored or transmitted, to substantial risk.”