“Hacktivism” 2012: Verizon’s Take on Data Breaches and How They Can Be Avoided

“Hacktivism” 2012: Verizon’s Take on Data Breaches and How They Can Be Avoided

In an attempt to improve the planning and security efforts of its clients, Verizon released its annual Data Breach Investigation’s Report 2012. Conducted by the Verizon RISK Team in cooperation with the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and the United States Secret Service, the report carefully breaks down and analyzes global data breach statistics from 2011 in an attempt to recommend effective solutions designed to successfully prevent future breaches in 2012. The statistics cited in the report help illustrate how easy it can be for businesses to thwart possible data breaches, and identify which organizations are most vulnerable.

 

The Report analyzes 855 data breach incidents that compromised nearly 174 million records in 2011, and notes that large and small businesses alike are experiencing the second highest data loss total since Verizon’s annual report began keeping track of compromised records in 2004. The Report, which can be downloaded here, gathers its results from first-hand evidence collected during paid external forensic investigations of 765 data breach incidents.

According to the Report, data breach attacks in 2011 were designed to be high volume, low risk attacks against weaker targets, and continued to target trade secrets, classified information, and other proprietary information.

 

Who is exactly behind these data breaches, one may ask? According to this year’s Report:

 

  • 98% stemmed from external agents (+6%)
  • 4% implicated internal employees (-13%)
  • <1% committed by business partners (< >)
  • 58% of all data theft tied to activist groups (commonly known as hactivism)

 

The statistics cited in the Report should cause one to draw a few conclusions: Implicated internal employees continue to decrease in the number of data security breaches while external agents continue to pose the biggest threat to large and small businesses for data breaches.

 

How are these hackers breaching business security systems? Verizon deduced that:

 

  • 81% utilized some form of hacking (+31%)
  • 69% incorporated malware (+20%)
  • 10% involved physical attacks (-19%)
  • 7% employed social tactics (-4%)
  • 5% resulted from privilege misuse (-12%)

 

A large number of these data breaches combined, stole, or guessed credentials to gain access to “backdoors” in order to retain access to businesses’ data records. With a thirty-one percent increase in breaches being a result of some form of hacking, large and small businesses should be more motivated to implement technical measures and employee training. According to Verizon, at least four victims in 2011 were forced to dissolve their businesses as a result of data security breaches.

 

Preventive measures can be taken by businesses who wish to avoid what looks to be an increasingly “hactivist” market. Verizon offers some of the following mitigation suggestions for small and large organizations. For smaller organizations:

 

  • Implement a firewall or ACL on remote access services
  • Change default credentials of POS systems and other Internet-facing devices
  • If a third party vendor is handling the two items above, make sure it is addressing the two points

 

For larger businesses, Verizon suggests:

 

 

These solutions are cost-effective too, with as little as three-to-five percent of preventive measures considered “difficult and expensive.”

 

So why not do your business a favor and step up security measures against data breaches in 2012? It could save your business hundreds of thousands of dollars and possibly the business itself.

 

For additional easy-to-implement cyber security tips for your business, click here.

To learn more about U.S. state and federal cyber laws read:
“A Primer on Cybercrimes In The United States and Efforts to Combat Cybercriminals – 50 State and Federal Cyber Law and Proposed Legislation Survey,” by Fernando Pinguelo and Brad Muller, Virginia Journal of Law and Technology (University of Virginia School of Law), Spring 2011), available here.

 

 

“Virtual Crimes, Real Damages Part II: What Businesses Can Do Today to Protect Themselves from Cybercrime, and What Public-Private Partnerships are Attempting to Achieve for the Nation of Tomorrow, Virginia Journal of Law and Technology (University of Virginia School of Law), Spring 2012, available here.

Zach Arbeitel is a senior at Rutgers University with a B.A. in History and Political Science and an interest in law and technology. Following graduation, he intends to pursue his interests and attend law school.

 

Want to read more articles like this? Sign up for our post notification newsletter, here.

Comments (3):

  1. 174 million records in 2011 is a big number. How to protect global data breach is a big problem.

  2. What I find hard to believe is that “a large number of these data breaches combined, stole, or guessed credentials to gain access to “backdoors” in order to retain access to businesses’ data records.” It seems that this is the sole fault of the organization if they opt to have such a low level of security. If credentials can be guessed, an organization must take it upon themselves to increase their level of security and protect their sensitive data. I believe that this number can be greatly reduced at little cost to the companies that have experienced this data breach by using basic firewall securities and like systems.

  3. It seems to me that we should be highly concerned with the fact that the highest number of breaches by far is coming from external agents. The fact that there has been such an increase in hacking makes me agree with Mr. Arbietel that businesses should be more motivated to implement protective and preventative measures. It was smart of Verizon to include suggestions of ways for businesses to mitigate these breaches. Although these measures may be costly, they seem to be worth it in the long run.

Leave a Reply

  • Find an eLesson

  • Register for Post Notifications

    Subscribe to receive updates whenever a new eLesson is published.

    Manage Subscriptions
  • Let Us Blog Your Event!

    eLessons Learned is fast becoming the site of choice for employers, employees, judges, lawyers, and journalists who are interested in learning more about these areas without being intimidated by the complexity of the topic. In fact, organizations and event coordinators often feature eLessons Learned as their official eDiscovery blog. Fill out our simple registration form to have eLessons Learned be the official blog of your organization or event.

    Register Now
  • Recent Praise

    The blog takes a clever approach to [e-discovery]. Each post discusses an e-discovery case that involves an e-discovery mishap, generally by a company employee. It discusses the conduct that constituted the mishap and then offers its ‘e-lesson’ — a suggestion on how to learn from the mistake and avoid it happening to you.

    Robert Ambrogi

    Legal Tech Blogger and creator of LawSites




    Although I may have missed some, yours is the first article that I have seen addressing Zubulake II. It is often the lost opinion amongst the others.

    Laura A. Zubulake

    Plaintiff, Zubulake v. UBS Warburg


    Click here to see more.
zzzz