Retailers and restaurants accounted for 24% of compromised data last year, a new study says.
Retailers face numerous threats to confidential consumer data that criminals can use for online and offline criminal activities, Verizon Enterprise Solutions says in a new report compiled from dozens of international sources.
The study notes that 24% of the 621 breaches—which include criminals using various hacking techniques, malicious software downloaded via e-mail and accessing networks with log-in credentials stolen from authorized network users—last year affected multichannel retailers and restaurants, second as a group only to financial organizations, at 37%.
Financial organizations’ high percentage is largely because of ATMs. ATMs account for the most common asset used to steal data because criminals can grab it without breaking into a computer network, the report says. Such ATM data theft uses what’s known as ATM skimming techniques, which use software that criminals install in ATM card swipe mechanisms to capture account numbers; ATM skimming also uses hidden cameras to record the personal identification number that a consumers enters on the ATM keypad, Verizon says.
However, for data compromised through network intrusions, retailers account for the largest percentage of breaches, at 21.7%, followed by manufacturers at 12.2%, the report says.
The “Verizon 2013 Data Breach Investigative Report” is based on data compiled from 18 government and independent organizations from several countries, including the U.S. National Cybersecurity and Communications Integration Center, the U.S. Secret Service and the U.S. arm of business consultancy Deloitte Development LLC.
Criminals often attack store point-of-sale systems as a way to either infiltrate a retailer’s computer network or to steal account data right at the store checkout counter, says Suzanne Widup, senior analyst on the risk management team at Verizon Enterprise Solutions, which provides security services and consulting. With some retailers deploying web-based point-of-sale systems, criminals search for ways to infiltrate them—either to directly access customer account databases or to install malware, such as key-logging software designed to capture account data as it is displayed on a computer screen. “Anything that has an IP address is a target,” she says. Verizon notes that this is adding to other forms of infiltrating POS system data, such as by hacking into wireless networks that retailers use to transfer POS data from checkout terminals to back-office servers. Verizon advises that retailers need to ensure that POS networks, as well as all company computer networks and wireless netowkrs, are routinely patched with updated security software to thwart potential breaches.
Once criminals find a way to breach a particular type of POS system, they’ll often look for other retailers with the same system to attack, she says. After they steal data, criminals typically sell it to other criminals or use it to make fraudulent online transactions, she says.
Verizon’s study found that the number of account records breached for the past nine years ranged from tens of millions to hundreds of millions in any one year. In 2012, for example, it recorded 44.8 million account records compromised, down from 174.5 million in 2011 but up from 3.9 million in 2010. The wide variance is partly due to organizations not always knowing, or reporting, how many records are compromised in an attack, Verizon says. The number of 44.8 million records breached in 2012, for example, may understate the true extent of data compromise as only 15% of organizations victimized could determine how many records were breached, Verizon says. It adds that numbers can also swing widely from year to year because just a few large breaches in any one year can compromise many records.
Even with only 15% of breaches revealing complete data loss, however, the study still show that the most common type of data targeted in breaches was payment card account data, at 61% of compromised data, followed by personal credentials, such as user names and passwords, at 38%. Criminals “favor payment and personal information that can easily be converted into cash,” the study says.
Verizon Enterprise Solutions is a unit of Verizon Communications Inc.