Social Media Release: Verizon Business 2009 Data Breach Study Finds Significant Rise in Targeted Attacks, Organized Crime Involvement

Financial Industry Accounts for 93 Percent of 285 Million Compromised Records; Most Breaches Avoidable if Proper Precautions Taken

April 15, 2009

OVERVIEW

• According to the just-released “2009 Verizon Business Data Breach Investigations Report” (DBIR), corporations fell victim to some of the largest cybercrimes ever during 2008.
• This second annual study – based on data analyzed from Verizon Business’ actual caseload comprising 285 million comprised records from 90 confirmed breaches – revealed that more electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime.
• The financial services sector accounted for 93 percent of all compromised records and a staggering 90 percent of these records involved groups engaged in organized crime.

KEY FINDINGS OF THE 2009 REPORT

This year’s key findings support last year’s conclusions and provide new insights. These include:

• Most data breaches investigated were caused by external sources.
  • 74 percent of breaches resulted from external sources.
  • 32 percent were linked to business partners.
  • 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.
  
  
• Most breaches resulted from a combination of events rather than a single action.
  • 64 percent of breaches were attributed to hackers who used a combination of methods.
  • In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.
• In 69 percent of cases, the breach was discovered by third parties.
  • The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same.
  • During the last five years, relatively few victims discovered their own breaches.
• Nearly all records compromised in 2008 were from online assets.
  • Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were attributable to compromised servers and applications.
• Roughly 20 percent of 2008 cases involved more than one breach.
  • Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.
• Being PCI-compliant is critically important.
  • A staggering 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.

QUOTES FOR ATTRIBUTION

Dr. Peter Tippett, vice president of research and intelligence, Verizon Business Security Solutions:

• “The compromise of sensitive information increased dramatically in 2008 and it’s past time to be vigilant about enterprise security. This report should serve as another wake-up call that good security and a proactive approach are paramount to running a business in this day and age -- particularly since the economic crisis is likely to trigger a further increase in criminal activity.”
• “Eastern Europe is known as a notorious haven for organized cybercrime outfits which played a major role in breaches throughout 2008. We have a great deal of evidence that malicious activity from Eastern Europe is the work of organized crime. On the bright sight, efforts with law enforcement led to arrests in at least 15 cases (and counting) in 2008.”
• “The financial services firms were singled out and fell victim to some very determined, very sophisticated and, unfortunately, very successful attacks in 2008.”
• “Our task is not getting any easier; the sum total of information in the world grows continually and permeates everything we do and everywhere we go. While the majority of attacks remain rather mundane, the criminals are adapting to our current protection strategies and inventing new ways to attain the data they value.”
• “This report clearly shows it’s not about clever or complex security protection measures. It really boils down to ensuring the basics are met from planning to implementation to monitoring of the data.”

THE STATE OF CYBERCRIME: 2009

Big Money Now: The big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts. In 2008, Verizon Business witnessed an explosion of attacks targeting PIN data.

Hitting Consumers Hard: PIN-based attacks hit the consumer much harder than typical signature-based counterfeit attacks in which a consumer’s credit card is compromised. Investigators found that PIN fraud typically leads to cash being withdrawn directly from the consumer’s account – whether it is a checking, savings or brokerage account – placing a greater burden on the consumer to prove that transactions are fraudulent.

Geographic Distribution of Attacks: The geographic distribution of external data breach sources continues to show high activity in Eastern Europe (22 percent), East Asia (18 percent) and North America (15 percent). In fact, the 2009 report shows these regions accounted for 82 percent of all external attacks.

Financial Services Industry Takes Big Hit in 2008: Financial services were hit hard in 2008 compromising 30 percent of the breaches analyzed. This industry accounted for more than nine out of 10 of the more than 285 million records compromised.

Growth in International Breaches: The number of investigations handled by the Verizon Business investigative response team outside the U.S. rose to more than one-third of its caseload in 2008. Hard hit areas included the U.S., Canada and Europe while casework continued to increase in Brazil, Indonesia, the Philippines, Japan and Australia.

Recommendations for Enterprises

The 2009 study again shows that simple actions, when done diligently and continually, can reap big benefits.

Based on the combined findings of nearly 600 breaches involving more than a half-billion compromised records from 2004 to 2008, the Verizon Business RISK team recommends:

Change Default Credentials Often. Change user names and passwords on a regular basis and make sure third-party vendors do as well.

Avoid Shared Credentials. Passwords should be unique and should not shared among users or used on different systems.

Review User Accounts. Use a formal process to confirm that active accounts are valid, necessary, properly configured and have appropriate privileges.

Employ Application Testing and Code Review. Web application testing has never been more important.

Patch Comprehensively. Patch completely and diligently. There’s no need to rush.

Assure HR Uses Effective Termination Procedures. Formal, comprehensive employee-termination procedures should be in place for disabling user accounts and removal of all access permissions.

Enable Application Logs and Monitor. Standard log-review policy should be in place. Organizations need to review data beyond network, operating system and firewall logs to include remote access services, Web apps, and databases, among other critical applications.

Define “Suspicious” and “Anomalous.” Know what data is stored and where. Be prepared to defend these critical assets.

About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE: VZ), is a global leader in communications and IT solutions. We combine professional expertise with the world’s most connected IP network to deliver award-winning communications, IT, information security and network solutions. We securely connect today’s extended enterprises of widespread and mobile customers, partners, suppliers and employees — enabling them to increase productivity and efficiency and help preserve the environment. Many of the world’s largest businesses and governments — including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions — rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com

VERIZON'S ONLINE NEWS CENTER: Verizon news releases, executive speeches and biographies, media contacts, high-quality video and images, and other information are available at Verizon's News Center on the World Wide Web at www.verizon.com/news. To receive news releases by e-mail, visit the News Center and register for customized automatic delivery of Verizon news releases.

Media Contacts: