Corporate data too lucrative not to mine

An "astonishing" number of electronic corporate records fell into the hands of the wrong people last year although such incidents could have been easily prevented, a new report released Wednesday has revealed.

Around 285 million electronic records were breached in 90 specific cases, according to the 2009 Data Breach Investigations Report (PDF), which covers cases investigated by Verizon Business.

The first edition of the report, published last year, presented intelligence from data collected between 2004 and 2007. Then, only 230 million records breached from among 500 cases.

One-third of 2008 breaches occurred outside of the United States, the report said. In addition, the financial services sector accounted for 93 percent of all compromised records.

In a phone interview with ZDNet Asia Tuesday, Mark Goudie, Asia-Pacific managing principal for forensics at Verizon Business' security solutions division, noted that the findings in 2008 were "an astonishing turnaround" from those released in the previous year's report.

The 2008 statistics could be even higher, Goudie added, as not every data breach is reported or discovered. In the report, 70 percent of the cases were disclosed by third parties.

Many of these compromises could easily have been avoided, Goudie pointed out. "What's typically happening is that there's a simple oversight…the organization has not removed default credentials for a Windows server or Unix server or sometimes an appliance," he explained. SQL injections for instance, added Goudie, are present in large percentages of data breaches even though they are "very preventable".

In addition, there were a number of warning signs in place for organizations that point to an external breach in their corporate networks, which if heeded, would greatly reduce the potential for attacks. These include new software installations and activities on unusual ports, he said.

While he did not indicate the number of breaches specific to Asia, Goudie noted that by nearly one-in-three of the attacking IP addresses tracked in the breaches were located in the region.

According to him, however, Verizon has not observed anything "that agrees with the hype surrounding state-sponsored attacks from Asia".

Also noteworthy was the fact that the number of highly complex data breaches has jumped to 28 percent of all incidents, said Goudie. In the last report, such attacks made up 17 percent of all breaches. Highly sophisticated attacks could involve customized malicious code that antivirus software may not be able to detect, or the use of different complicated methods.

In terms of records breached, the picture was more alarming: compromises with a higher degree of complexity accounted for 95 percent. The evolution in data breach methodology, he added, points to organized crime, a trend consistent with law enforcement findings.

Enterprises need to be vigilant in prevention and step up their capability to respond to incidents, said Goudie. "Organizations should define suspicious anomalies and then look for them. What we're saying is that you need to know what records are in the organization and what a data breach would look like," he pointed out.

Other findings highlighted in Verizon's report:

•  Online data was compromised in 94 percent of the breaches.
•  Payment card data was the most common type of information breached, accounting for 81 percent of cases and 98 percent of records.
•  Breaches went undiscovered for a long time--in 49 percent of the incidents, the impacted organization took months to figure out there had been a compromise.
•  About 20 percent of the breaches were caused internally, a slight increase from last year's 18 percent.
•  For internal lapses, there were as many administrators culpable for breaches as end users.