Data Breaches Spike in 2013 with Growing Cornucopia of Targets

Payment card data is still the top plum in growing cornucopia of targets

Even though point-of-sale hacks like the one at Target have many consumers on alert, it turns out that a full 45% of data thefts in 2013 involved non-payment card data, according to Trustwave’s Global Security Report. Non-payment card data includes financial credentials, internal communications, personally identifiable information and various types of customer records.

Attackers are also busier: the volume of data-breach investigations Trustwave conducted rose 54% in 2013 compared with 2012.

Payment card data continues to top the list of what’s most often compromised at 55%, with e-commerce making up 54% of assets targeted and PoS breaches accounting for 33%. As a result, retail once again was the top industry compromised, making up 35% of the attacks that Trustwave investigated in 2013. Food and beverage ranked second at 18%, and hospitality ranked third at 11%.

However, the data revealed some shifts in the landscape, such as a 33% increase in the theft of sensitive and confidential information in 2013, and data centers making up 10% of assets targeted. Both of these suggest an uptick in cyber-espionage activity. There was also a 22% increase in the theft of financial account credentials, a wake-up call for online banking services.

Motivations fall into four distinct camps: Money, espionage, hacktivism and sheer narcissism. “Of all motivations for cybercrime, financial gain is still the most common incentive,” Trustwave said in the report. “Criminals use numerous methods to monetize attacks. Sometimes, it is as simple as forcing a bank wire transfer or stealing credit card information, and in other cases, non-payment-related data has value. For instance, email credentials have a specific value and are frequently bought and sold in underground markets.”

As far as attack techniques go, poor password hygiene continues to be a big problem. Weak passwords opened the door for the initial intrusion in 31% of compromises Trustwave investigated in 2013.

Password is Password 

In December 2013, security researchers at Trustwave discovered a Pony botnet instance that had compromised about two million accounts for popular websites. Password analysis of the recovered credentials revealed that the perennial favorite "123456" topped the list of the most commonly used passwords, followed by the variations "123456789" and "1234", and then simply "password". Unsurprisingly, "123456" was also the most compromised password in most of the world, except in the UK, where "password" came first, and in Germany, where "qwer1234" was the most compromised. Nearly 25% of the usernames studied had passwords stored for multiple sites.
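The analysis described above (most common passwords overall and per region, plus how many users have credentials on more than one site) is easy to reproduce on any credential dump. The following is an added example, not code from the article or from Trustwave; it runs on a small constructed sample in an assumed `site,username,password` format and uses the site's top-level domain as a crude stand-in for country. The resulting frequency set also doubles as a starting blocklist for a sign-up or password-change check.

```python
"""Credential-dump analysis: top passwords, top password per TLD,
users present on multiple sites, and cross-site password reuse.
Added example with constructed data; not the Pony dump."""
from collections import Counter, defaultdict

# Constructed sample dump (not real credentials). Assumed format:
# one 'site,username,password' record per line.
SAMPLE_DUMP = """\
example.com,alice,123456
example.com,bob,password
example.com,carol,123456789
example.com,dave,123456
example.com,ivan,letmein
example.co.uk,alice,123456
example.co.uk,erin,password
example.co.uk,frank,password
example.de,grace,qwer1234
example.de,alice,123456
example.de,heidi,qwer1234
example.de,judy,1234
"""


def parse_dump(text):
    """Parse 'site,username,password' lines; skip blank or malformed lines.
    The password field may itself contain commas (split at most twice)."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3 or not all(parts):
            continue
        records.append(tuple(parts))
    return records


def top_passwords(records, n=3):
    """Most common passwords across the whole dump, as (password, count)."""
    return Counter(pw for _, _, pw in records).most_common(n)


def top_password_by_tld(records):
    """Most common password per site TLD (crude proxy for country)."""
    by_tld = defaultdict(Counter)
    for site, _, pw in records:
        tld = site.rsplit(".", 1)[-1]  # 'example.co.uk' -> 'uk'
        by_tld[tld][pw] += 1
    return {tld: counts.most_common(1)[0][0] for tld, counts in by_tld.items()}


def multi_site_users(records):
    """Usernames that appear on more than one site, and their share of all users."""
    sites = defaultdict(set)
    for site, user, _ in records:
        sites[user].add(site)
    multi = sorted(u for u, s in sites.items() if len(s) > 1)
    return multi, len(multi) / len(sites)


def reused_password_users(records):
    """Usernames that use the same password on more than one site
    (the credential-stuffing risk behind the 25% figure)."""
    pw_sites = defaultdict(lambda: defaultdict(set))
    for site, user, pw in records:
        pw_sites[user][pw].add(site)
    return sorted(u for u, pws in pw_sites.items()
                  if any(len(s) > 1 for s in pws.values()))


def build_blocklist(records, min_count=2):
    """Passwords seen at least min_count times: a seed for a password
    blocklist check at sign-up or password change."""
    counts = Counter(pw for _, _, pw in records)
    return {pw for pw, c in counts.items() if c >= min_count}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("top passwords:", top_passwords(recs))
    print("top by TLD:", top_password_by_tld(recs))
    print("multi-site users:", multi_site_users(recs))
    print("cross-site reuse:", reused_password_users(recs))
    print("blocklist:", sorted(build_blocklist(recs)))
```

On real dumps the TLD heuristic misattributes global sites, and usernames should be normalized (case, e-mail aliases) before the reuse check, otherwise the reuse share is undercounted.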

Vulnerabilities persist as a prime vector too: a staggering 96% of applications scanned by Trustwave in 2013 harbored one or more serious security vulnerabilities. Criminals relied most on Java applets as a malware delivery method; 78% of exploits detected took advantage of Java vulnerabilities. In all, 85% of the exploits detected in 2013 targeted third-party plug-ins, including Java, Adobe Flash and Acrobat Reader.

Meanwhile, the Blackhole exploit kit kept its first-place ranking with 49% prevalence in 2013. That is down from 60% in 2012, however: the October arrest of its creator, nicknamed Paunch, cut off updates, and detection rates rose as a result.

“We suspect that without anyone taking ownership of the kit, it will eventually disappear,” Trustwave said.

Spam made up 70% of inbound mail (down five percentage points from the previous year), but the classic combination of social engineering, spam and malicious payloads continues to get results.

Silver Lining 

So what’s the good news? Encouragingly, from 2012 to 2013, there was a decrease in the amount of time an organization took to contain a breach. In half of the compromises investigated by Trustwave, the victim contained the breach within four months of the initial intrusion.

The median number of days from initial intrusion to detection was 87 days, and the median number of days from detection to containment was seven days. Upon discovery of a breach, 67% of victims were able to contain it within 10 days, a relatively encouraging statistic.

Self-detection proves critical in shortening the timeline to containment. The report found that the median number of days it took organizations that self-detected a breach to contain it was one day, whereas it took organizations 14 days to contain a breach detected by a third party. However, 71% of compromise victims do not detect breaches themselves.
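The metrics quoted in the last three paragraphs (median intrusion-to-detection, median detection-to-containment, the split by who detected the breach, and the share contained within a given window) are worth computing from your own incident register. The following is an added example, not Trustwave's data or code; it runs on a constructed register of seven incidents with an assumed `(intrusion, detection, containment, detected_by)` record shape, and treats "four months" as an assumed 120-day window.

```python
"""Breach-timeline metrics from an incident register: dwell time,
time to contain, and the self- vs third-party detection split.
Added example on constructed data; not Trustwave's figures."""
from datetime import date
from statistics import median

# Constructed incident register (not real cases). Record shape, assumed:
# (initial intrusion, detection, containment, detected_by).
INCIDENTS = [
    (date(2013, 1, 5),  date(2013, 3, 1),   date(2013, 3, 2),   "self"),
    (date(2013, 2, 10), date(2013, 6, 1),   date(2013, 6, 15),  "third_party"),
    (date(2013, 3, 1),  date(2013, 5, 20),  date(2013, 5, 21),  "self"),
    (date(2013, 4, 1),  date(2013, 6, 27),  date(2013, 7, 20),  "third_party"),
    (date(2013, 5, 15), date(2013, 9, 10),  date(2013, 9, 17),  "third_party"),
    (date(2013, 6, 1),  date(2013, 6, 20),  date(2013, 6, 22),  "self"),
    (date(2013, 7, 4),  date(2013, 10, 29), date(2013, 11, 12), "third_party"),
]


def days(start, end):
    """Whole days between two dates."""
    return (end - start).days


def dwell_times(incidents):
    """Days from initial intrusion to detection, one value per incident."""
    return [days(intr, det) for intr, det, _, _ in incidents]


def containment_times(incidents):
    """Days from detection to containment, one value per incident."""
    return [days(det, cont) for _, det, cont, _ in incidents]


def median_contain_by_detector(incidents):
    """Median detection-to-containment time, split by who found the breach."""
    detectors = sorted({who for *_, who in incidents})
    return {who: median(containment_times([i for i in incidents if i[3] == who]))
            for who in detectors}


def share_contained_within(incidents, max_days, since="detection"):
    """Fraction of incidents contained within max_days of detection
    (default) or of the initial intrusion (since='intrusion')."""
    start_idx = 0 if since == "intrusion" else 1
    hits = sum(1 for inc in incidents if days(inc[start_idx], inc[2]) <= max_days)
    return hits / len(incidents)


def third_party_share(incidents):
    """Fraction of incidents not detected by the victim itself."""
    return sum(1 for *_, who in incidents if who != "self") / len(incidents)


def summary(incidents):
    """All of the above in one dict, in the order the article reports them."""
    return {
        "median_dwell_days": median(dwell_times(incidents)),
        "median_detect_to_contain_days": median(containment_times(incidents)),
        "median_contain_by_detector": median_contain_by_detector(incidents),
        "contained_within_10d_of_detection": share_contained_within(incidents, 10),
        "contained_within_120d_of_intrusion": share_contained_within(incidents, 120, since="intrusion"),
        "third_party_detected_share": third_party_share(incidents),
    }


if __name__ == "__main__":
    for key, value in summary(INCIDENTS).items():
        print(f"{key}: {value}")
```

Medians rather than means are the right choice here: a single year-long dwell time would drag a mean far from what most incidents look like. Keep the intrusion date as the earliest evidence found in forensics, not the date the case was opened, or dwell time will be systematically undercounted.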

“Breach activity does not transpire in a vacuum,” Trustwave said. “Interaction with the compromised system must take place, and this process frequently leaves behind footprints of the activity occurring. These clues are commonly referred to as indicators of compromise (IOCs). Monitoring systems for indicators of compromise and responding appropriately is critical to reducing the timeframe and potential impact of a breach. In cases of self-detection, an organization can take action much sooner.”

Among the top 10 victim locations, the United States overwhelmingly houses the most victims at 59%, more than four times as many as the next closest location, the United Kingdom, at 14%. Australia ranks third at 11%. Canada ranks sixth at 1%, tied with New Zealand, Ireland, Belgium and Mauritius.
