Data Breaches Continue to Soar

Employing sophisticated tools such as memory-scraping malware and unique packet sniffers, organized crime led a record assault on databases in 2008, resulting in more electronic records being compromised last year than the previous four years combined.

Organized crime successfully cranked up its data breaching efforts in 2008, and it paid off: More electronic records were breached last year than the previous four years combined, according to a new report from Verizon Business Security. The primary target of the thieves was the financial services industry, accounting for 93 percent of all such records compromised last year.
The second annual report from Verizon Business was based on data analyzed from the company's investigative response team, which found 285 million compromised records from 90 confirmed breaches. More than 90 percent of the thefts involved groups identified by law enforcement as engaged in organized crime.
Even more troubling was Verizon Business' finding that almost nine out of 10 breaches were avoidable if security basics had been followed. The report concluded that the attacks could have been stopped without expensive or difficult preventative controls.
"The compromise of sensitive information increased dramatically in 2008, and it's past time to be vigilant about enterprise security," Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, said in a statement. "This report should serve as another wakeup call that good security and a proactive approach are paramount to running a business in this day and age-particularly since the economic crisis is likely to trigger a further increase in criminal activity."
Bryan Sartin, director of investigative response for Verizon Business Security, told eWEEK that after the black market rate for stolen bits of personally identifiable information fell from approximately $14 to $15 a record to 15 to 20 cents a record, data thieves in 2008 turned their efforts to stealing PIN information associated with debit and credit cards. PIN fraud usually leads directly to cash being withdrawn from a person's account.
The higher value PIN information has prompted thieves to re-engineer their processes and develop new tools such as memory-scraping malware and unique packet sniffers. Thieves are approaching PIN snatching in two ways: installing malware to decrypt the PIN when consumers type the information into ATMs or software that deceives the bank's security systems into providing the PIN decryption key.
"Just seven or eight months ago, these were thought to be an academic exercise: the ability to steal small bits of data while temporarily in memory," Sartin said. "It takes less than a tenth of a second."
Despite the sharp rise in attacks in financial services, retail establishments remain the most frequent target of data breaches. Food and beverage businesses, second on the attack list in 2007, fell to third in 2008.
"Our task is not getting any easier; the sum total of information in the world grows continually and permeates everything we do and everywhere we go," Tippett said. "While the majority of the attacks remain rather mundane, the criminals are adapting to our current protection strategies and inventing news ways to attain the data they value."