Study: 91% of Data Breaches are Organized Crime

Dennis Faas's picture

According to a recent study, there were more electronic records being exposed in 2008 than in the previous four years combined.

The study suggests that most breaches could have been avoided had the proper precautions been put in place. An astounding 99% of breaches were done through servers and applications, rather than desktop computers, notebooks, mobile phones or portable media combined.

Verizon Business Data Breach Investigations

A 2009 Verizon Business Data Breach Investigations Report (PDF) analyzed 90 confirmed breaches from 2008 that affected 285 million records. A previous report from Verizon covering 2004 through 2007 saw 230 million records compromised.

Only about a third of the breaches investigated by Verizon have been publicly disclosed, and additional disclosures are expected by the end of this year. However, many of the breaches will be undisclosed due to the absence of any applicable disclosure requirement laws. It's not known whether or not the massive 2008 Heartland Data Systems breach is included in the breaches Verizon investigated.  (Source:

91% of Breaches Linked to Organized Crime

Verizon's report found that 91% of all the compromised records were linked to organized crime. Default credentials and SQL injection attacks were among the most common and customized malware attacks that doubled.

Peter Tippett, VP of research and intelligence for Verizon Business Security Solutions, referred to the report as a "wake-up call," saying businesses need strong security and a proactive approach, particularly because the economic crisis may lead to even greater criminal activity.

Because the black market has been flooded with 'dumps' (credit card magnetic stripe sequences sufficient for counterfeiting), the value associated with selling stolen credit card data has dropped from between $10 and $16 per record in mid-2007 to less than $0.50 per record today.

93% of Breaches From Financial Institutions

Cyber-criminals are now focusing on stealing PINs (personal identification numbers) associated with bank accounts, allowing cash to be stolen from its victims' bank accounts, which perhaps explains why 93% of the 285 million compromised records in 2008 came from financial institutions.

69% of breaches investigated by Verizon were discovered by third parties, suggesting that organizations being breached need better control of the data they're responsible for overseeing.

81% of organizations affected by the breaches had been identified as noncompliant by the Payment Card Industry Data Security Standard (PCI DSS) they were subject to. However, the other 19% that were compliant were also breached.

More Money Spent Cleaning Up Breaches

Verizon recommends avoiding shared credentials, changing default credentials, reviewing user accounts, testing applications and reviewing code, smarter patch management strategies, employee termination procedures, application logging and monitoring, and finding agreement on what represents suspicious or anomalous network behavior. The report (PDF) is available from Verizon. (Source:

Eastern Europe, East Asia and North America account for 82% of these breaches. As noted by the Tech Herald, the companies responsible for protecting the breached data spent more money cleaning up the breaches than they would have to prevent the breaches in the first place.

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet