Turns out the minority of attackers last year -- namely Anonymous -- wreaked the most damage when it came to data breaches worldwide, accounting for more than half of all compromised records, according to the newly published 2012 Verizon Data Breach Intelligence Report (DBIR).
It's no surprise that hacktivism played a major role in this year's report: The Anonymous hacking collective last year targeted multiple high-profile targets, including Sony, Fox, PBS, HBGary Federal, and multiple law enforcement agencies. But the Verizon report for the first time quantifies the data exposure as a result of the hacktivist-driven attacks. This year's report encompasses 855 data breaches and 174 million stolen data records, including breach data from Verizon, the U.S. Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police.
Hacktivists represented only 2 to 3 percent of the attackers in the breaches covered in the study, but they were still responsible for the breach of 58 percent of the data records, says Chris Porter, a principal with the Verizon RISK team. Overall, more than 100 million records were stolen by hacktivists, according to the report, but organized crime was the most prolific attacker, accounting for 83 percent of the breaches while stealing 35 percent of the data records overall in the study.
Perhaps most telling is how this new data illustrates the shift in hacktivism over the past year from website defacements and pure distributed denial-of-service (DDoS) attacks for making a statement or disrupting websites, to inflicting damage and embarrassment on the organization and its members and affiliates by "doxing" their emails, passwords, or other sensitive information. "This was a new trend last year in hacktivism. We've had these attacks all the time, but they typically don't steal data," Porter says. "This is the new trend of [hacktivists] breaking into an organization and stealing data and trying to embarrass them. Then others can use this for fraud."
In cases where Anonymous ran rainbow tables against password files and posted them on Pastebin or shared them among others online, that left these credentials vulnerable to organized crime groups to use for their own nefarious purposes, Porter says.
"Hacktivists were low in frequency compared with other data breaches we see ... especially organized crime," Porter says. "Organized crime was a much higher frequency [of attacker], but we found it fascinating that hacktivists stole more data than organized crime."
And that was a major shift from previous Verizon DBIR reports, which concluded that cybercriminals looking for financial gain were the main players in breaches.
"A very few were taking a lot -- that disproportion" was interesting, says Amy DeCarlo, a principal analyst with Current Analysis. "Certainly, with what's been happening geopolitically, it's not all that surprising. But it is surprising when you think about how significant that change has been in just a year."
Just how the high-profile arrests last summer and then over the past few weeks of alleged key members of the LulzSec splinter group of Anonymous that led much of the data breaching activity from the hacktivist group last year will shape this year's data breach data is unclear. "I think most of the hacktivist cases we saw or our partners saw were at the beginning of the year through the summer," Verizon's Porter says. "There were fewer later in the year, so we may see a downward trend [in the next report]. We'll have to see."
Breaches included in the report came from 36 different countries, with 70 percent originating from Eastern Europe, and less than 25 percent coming out of North America.
Nearly all (98 percent) of all attacks came from outsiders, which include organized crime, activist groups, former employees, solo hackers, and foreign government-sponsored hackers. Insider-borne attacks dropped to 4 percent last year, and business partners accounted for less than 1 percent of breaches.
Despite the data damage invoked by Anonymous and other hacktivists, organized crime groups are still king when it comes to breaches. The report found that organized crime groups have automated their attack processes and tend to target smaller organizations. "They are searching the Net and looking for remote services ... this entire process has been automated end to end almost," Verizon's Porter says. "They find remote services and try passwords. They [go after] known, guessable credentials, and if they are successful, they log in and use an automated installation of malware like a keylogger to collect information and automatically send it outside to the organization, or email, or website or FTP it to a drop server somewhere."
Next Page: What About Cyberspies?
Sadly, 96 percent of all of the attacks were simple and didn't require advanced skills or heavy resources to pull off: Seventy-nine percent of attacks were "opportunistic," according to Verizon, and 97 percent were preventable. "If you take a look at the recommendations section, we pulled out a special cutout for small businesses, and their problems are fairly simple to fix," Porter says. These tips include checking administrative passwords on all point-of-sale systems and eliminating weak passwords.
[ Verizon's annual breach investigations reports have consistently shown that fewer attacks exploit vulnerabilities that could have been patched. See The Curious Case Of Unpatchable Vulnerabilities. ]
Cyberespionage-driven targeted attacks represented only a sliver of the cases in the Verizon DBIR, although it was at its highest in the history of the DBIR, according to Verizon's Porter. Only around 4 percent of breaches included theft of intellectual property. "It's hard to know if intellectual property has been stolen. Our numbers are probably on the low end," he says. "And it's probably happening a lot more often, but organizations don't know about it ... [But] I still think organized crime by far is the highest. It's so simple and easy to do these days."
Richard Bejtlich, CSO at Mandiant, says the low percentage of targeted attacks in the DBIR is likely because the bulk of the cases came from the Secret Service and other law enforcement agencies around the world, who don't typically investigate targeted cases, but more so financially motivated attacks. "At least in our country, [the police] are not working the advanced targeted cases. Those are worked by the FBI," Bejtlich says.
He points to the majority of the victim organizations in the report, which are hospitality and retail comanies, which account for 74 percent of the breaches, he estimates. And 72 percent of the victim organizations have 100 or fewer employees, he says. "These are essentially small companies in hospitality and retail that are helpless," Bejtlich says. "This is a nice complement to our M Trends Report [on advanced targeted attacks] -- we don't work any of [these cases]," he says.
The Verizon report also found that 95 percent of stolen data records included personally identifiable information, such as name, contact information, and Social Security number, compared with only 1 percent of the breaches in 2010. That's another indication of just how lucrative that information has become, according to Verizon.
In terms of methods of breach, hacking was No. 1, as the factor in 81 percent of data breaches, versus 50 percent in 2010, and in 99 percent of the data exposed. Malware was used in 69 percent of breaches, compared with 49 percent in 2010, and was employed the exposure of 95 percent of the data records.
Breach discovery is still a major problem, and likely a factor in the amount of damage. More than 90 percent of the time, victim organizations learned from third parties -- mainly law enforcement -- that they had suffered a breach, and breaches are often ongoing for months or years before the victim finds out. Nearly 40 percent of large organizations don't discover a breach for months, according to the report.
"It's disappointing that it takes so long for an organization to discover that they've had a breach," says Current Analysis' DeCarlo. "That shows a lack of progress. It's better the earlier [you discover it] to prevent another one and to also recover and manage the data in some way ... The horse is already out of the barn" if you don't discover a breach until long afterward, she says.
And 96 percent of the victim organizations in the study were not PCI-compliant. Mandiant's Bejtlich says PCI compliance in many of these cases would have gone a long way to avoid their breaches. "This is a lesson for a lot of these organizations," he says.
Verizon released a snapshot of the report data last month at the RSA Conference in San Francisco -- specifically of data on its own breach investigations. In 90 of its 855 breach cases last year, more than 90 percent came from outsiders rather than a malicious insider or business partner, and more than 85 percent were the result of a hack. Verizon at the time did not release any hacktivist data, but hinted that it was a big factor.
The full 2012 Verizon DBIR is available here for download (PDF).
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio