Verizon released its annual Data Breach Investigation Report for 2011, in which it finds that so-called “hacktivists” stole some 58 percent of all data records stolen in 2011. This potentially marks a major shift in the data security landscape. Where companies and organizations have traditionally tried to fight off digital attacks by criminals and syndicates looking for information that can lead to cold hard cash, the goal of hacktivist organizations is to get at information for social or political purposes. And they seem to have had a good deal of success. While traditional cybercriminals certainly haven’t gone away, the amount of information they’re grabbing is starting to pale in comparison to that garnered by groups like AntiSec, LulzSec, and Anonymous.
What’s changed in the threat landscape? And what could those changes mean for everyday technology users — especially as they trust more and more of their data to big companies and cloud-based services?
Communications giant Verizon might seem like an odd source for detailed reporting on data breaches and cybersecurity, but the company has been at it for a while. Its RISK team has been issuing these annual reports since 2004, and has taken a surprisingly rigorous and detailed approach to analyzing security breaches and quantifying the data. The reports got started because — being a mammoth communications, networking, and services provider — Verizon participates in a large number of paid external forensic investigations of data breaches and other types of cyberattacks. To help analyze data it was collecting, Verizon developed its VERIS (Verizon Enterprise Risk and Incident Sharing) classification system, which attempts to quantify the who, what, which, and how of attacks. VERIS grids out to 315 types of high-level threats, ranging from hacking attacks on servers to attacks that rely on social engineering and an organization’s employees. There are some invalid cases in those 315 types — malware doesn’t affect people, so far — but the breakdowns do provide useful categorization of breaches. The data is anonymized to protect the identities of the companies or individuals involved, and — particularly this year — Verizon has worked to separate out the different ways large and small organizations are affected by data breaches and attacks.
This year Verizon also has considerable data from outside sources. For the last few years, the United States Secret Service has been using a VERIS-based system to record details of cases it has pursued, and the Dutch National High Tech Crime Unit has also been on board. This year, Verizon has added data from the Australian Federal Police, the Irish Reporting & Information Security Service, and the London Metropolitan Police’s e-Crime Unit. Although the data cannot be considered representative of all data breaches worldwide — and Verizon itself is very clear about that — 2011 represents the first year Verizon’s own in-house data is utterly dwarfed by what it gets from other agencies. Of the 855 breaches spanning 174 million records that were analyzed for the report, data from 765 breaches came from sources other than Verizon.
For a button-down Fortune 500 company, Verizon’s report is surprisingly flippant. Although the data is carefully presented and explained, the report also sports tongue-in-cheek humor, snarky asides, and even a Chuck Testa roll. Verizon clearly isn’t aiming this information just at suits: it wants to appeal to people in the digital trenches actually responsible for data security. Heck, Anonymous hacktivists might get a grin or two reading through it.
Overall, Verizon found that 98 percent of all data breaches in 2011 were attributable to “external agents” — in other words, employees and business partners were generally not involved. That’s the highest proportion since Verizon began collecting data in 2004, and may be due to all the new external data Verizon now incorporates. (Verizon saw a similar bump in 2009 when it first incorporated Secret Service data.) Furthermore, some 81 percent of breaches involved some sort of hacking and 69 percent incorporated malware, often meaning spyware or keyloggers used to obtain passwords or circumvent security measures. Both these percentages are consistent with an increase in the number of external attackers. Nonetheless, Verizon estimates 79 percent of all breach victims were targets of opportunity: Attackers noticed a vulnerability and moved to exploit it, rather than specifically choosing to target a particular organization.
Perhaps most telling, Verizon reports that 96 percent of all data breaches were “not highly difficult” — meaning that hindsight reveals the breaches could have been avoided without deploying complicated or expensive countermeasures. Moreover, victims don’t usually notice the breaches themselves: 92 percent were only uncovered after a third party brought a problem to an organization’s attention. As a result, many breaches (like, 85 percent) go unnoticed for weeks or even months.
Overall, Verizon found that some 64 percent of attacks targeted organizations’ servers — and in breaches involving large organizations (with 1,000 or more employees) that number increases to 68 percent. The second most-common compromise was in “user devices” — which means desktop computers as well as things like point-of-sale terminals (which accounted for 35 percent of breaches alone) and ATMs (which accounted for 8 percent). Although desktop computers were used in 18 percent of breaches, notebooks accounted for just 1 percent, and — surprisingly — breaches involving things like smartphones and tablets didn’t even register in Verizon’s analysis.
Of the 174 million records Verizon reports to have been compromised in 2011, some 100 million — or just under 58 percent — were stolen by “hacktivist” actions by groups like LulzSec, AntiSec, and Anonymous. Nonetheless, Verizon found that just 3 percent of all external attacks could be attributed to hacktivist groups like Anonymous and its cohorts. In other words, hacktivists didn’t seem to be responsible for a huge number of attacks, but they were very effective in terms of the sheer amount of data they collected.
It’s important to note what constitutes a “record” here: It could be a single file, email address, password, or card number. However, a “record” could also be the complete source code tree for a company’s top product, a trade secret, system information, or a dossier on an individual or organization. Not all records are created equal.
According to Verizon, the vast majority (95 percent) of records compromised in 2011 constituted personal data: names, addresses, social security numbers, email addresses, and the like. Roughly 3 percent of compromised records were payment card data, and roughly 1 percent of compromised records were bank account data. These proportions actually shift a bit when considering breaches at large organizations. There, 98 percent of compromised records were personal data, and just 1 percent (or less) were payment card or banking information.
Breaches involving personal data accounted for roughly 4 percent of the breaches Verizon tracked for 2011. In other words, there weren’t very many of these breaches, but they nabbed a very large number of records. Nearly all data stolen by hacktivist groups was stolen from large organizations, and roughly a quarter of all breaches against large organizations can be attributed to hacktivist motives. In other words, hacktivists picked big targets — because those get the most attention — and stole as much data as they could, but most of that data was not credit card or banking information.
The hacktivist pattern is almost the opposite of that employed by traditional cybercriminals: rather than going after big fish, they tend to rely on opportunistic attacks against smaller, lower-risk targets. As a result, they pilfer smaller amounts of data, but that data tends to be focused much more strongly on making money. They repeat these small, opportunistic attacks on a broad scale: Traditional cybercriminals have “industrialized” their approach to data breaches.
However, law enforcement seems to have had some success combatting “physical” breaches, including fake point-of-sale terminals, and card skimmers at ATMs and gas pumps. (As Verizon puts it, authorities are getting better at flipping the “freedom bit” on those criminals.) Nonetheless, some 35 percent of data stolen from large companies was taken by organized criminal groups with the goal of using it to commit another crime, or to sell upstream to other criminals.
Despite the growing scope of Verizon’s data set, there are likely large numbers of potential data breaches Verizon never hears about. Verizon itself acknowledges the issue, particularly in regard to internal compromise, where an employee or partner participates in a data breach. Many of those incidents may simply never be discovered or, if they are, get buried for publicity and political reasons.
What does this mean for you and me?
For everyday technology users, the takeaway of Verizon’s 2011 data breach report is fairly simple: hacktivist groups stole an astonishing amount of data in 2011, but data breaches involving bank accounts and credit card details were more likely to be conducted by low-profile traditional cybercriminals. Be more worried about malware and handing your credit card to waitstaff than about Anonymous.
Looking a bit into the future, however, the success of hacktivist data breaches could be cause for concern. As consumers rely more and more on online and cloud-based services, those services maintain an increasing number of records about our everyday lives, including things like passwords, account information, addresses, photos, medical information, and the nature of relationships with friends, family, colleagues, and coworkers.
As the technology industry continues to consolidate, many of these records will be held and serviced by a shrinking number of very large organizations. These large organizations may not be the preferred target of cybercriminals who stay in the shadows, but they seem to be the first-choice targets of hacktivists. What might happen if hacktivist groups successfully set their sights on corporations like Apple, Google, Microsoft, or Amazon — each of which is awash in payment information and copious amounts of information about many of its users? Anonymous has already targeted the likes of Sony — although they denied responsibility for last year’s massive PlayStation Network breach.