Data thieves target smaller prey

Powered by SC Magazine
 

Best not to be the slowest runner, Verizon reports.

Recent high-profile arrests of cybercrime “kingpins” may have prompted data thieves to aim for smaller hauls of tens of thousands – instead of millions – of records at a time.

According to Verizon Business’s 2011 Data Breach Investigations report (pdf), launched today, organisations with between 11 and 100 staff suffered a “virtual explosion” of data breaches in the past year.

Cybercriminals were found to target hospitality and retail businesses, which tended to be “smaller, softer, and less reactive targets” than financial institutions, Verizon reported.

“Instead of hunting for big game, attackers seem to be hunting small game now,” Mark Goudie, the firm’s Asia-Pacific managing principal of Investigative Response, told iTnews.

“From a risk point of view, would you rather be hunting lions and tigers, or would you rather be hunting rabbits?”

Verizon speculated that criminals were opting to “play it safe” in light of the recent arrests of payment card data trafficker Vladislav Horohorin, and TJX hackers Albert Gonzalez and Maksym Yastremskiy.

Despite smaller hauls, data theft remained a lucrative business, Goudie said, explaining that the traditional dynamics of demand and supply had driven up the market price of stolen information.

“The amount of data that’s been stolen has dropped but compromise events are up,” he said, noting that Verizon’s Asia Pacific caseload of data breach investigations had doubled since April 2010.

Although he declined to disclose staffing numbers for competitive reasons, Goudie said Verizon Business was continuing to grow locally after having tripled the size of its Asia Pacific data breach investigations team last year.

Verizon attributed many breaches to “basic hacks”, such as SQL injections, or “one or two obvious holes”, such as ineffective or weak passwords and credentials.
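As an added illustration of the “basic hack” named above (this is example code written for this page, not part of the article or of the Verizon report), the Python below places the string-built query pattern that makes SQL injection possible beside its parameterised form and runs both against a constructed in-memory SQLite table. The table, its rows and the `customers` lookup are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a small retailer's customer store.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1234"),
            ("bob@example.com", "5678"),
            ("carol@example.com", "9012"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The "one obvious hole": untrusted input spliced straight into SQL text,
    # so the caller controls the query grammar, not just a value.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    # Same query with a bound parameter: the driver sends the input as data,
    # so quote characters in it can never alter the statement.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Return row counts for a classic tautology probe against both lookups."""
    conn = make_db()
    probe = "x' OR '1'='1"  # well-known injection test string
    return {
        "vulnerable": len(lookup_vulnerable(conn, probe)),      # every row leaks
        "parameterised": len(lookup_parameterised(conn, probe)),  # no match
        "honest": len(lookup_parameterised(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns the whole table for the probe because the input rewrites the `WHERE` clause; the parameterised lookup returns nothing because the same bytes are compared as a literal e-mail address. Replacing string concatenation with bound parameters everywhere a query touches user input is the fix the report's “basic hacks” finding points to.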

More than 99 percent of records were found to be stolen by “external agents” – hackers and malware writers using “standardised, automated and highly repeatable attacks”.

Criminals were also found to be looking beyond stealing payment card information – which topped the hacker wish list in 2009 – to target accounts, authentication credentials, intellectual property and other sensitive data.

Goudie urged organisations to consider upgrading software and changing their behaviours and systems to avoid data breaches.

Since cybercriminals tended to opportunistically target “low-hanging fruit”, he said organisations needed only to be better protected than most others to avoid being targeted.

“Across Asia-Pacific, almost invariably, a number of small issues are overlooked by IT security [teams] and left unaddressed for a substantial period of time,” he said.

“If there are six people being chased by a bear, it’s best not to be the slowest runner.”

Verizon’s 2011 report involved 761 data breach cases (3.8 million stolen records) that took place in 2010, and was produced in collaboration with the US Secret Service and Dutch National High Tech Crime Unit.

Goudie called for greater collaboration between public and private sector IT security experts, but declined to comment on any discussions with Australian authorities.

He also declined to argue for or against data breach notification laws that were recommended by the Australian Law Reform Commission in 2008.

“A rash of organisations started disclosing information about data breaches because of mandatory disclosure laws [in some US states],” he said. “There was consumer outrage.

“Maybe [the laws] would have some effect [on improving information security], who knows. Many of these things will take up to ten years to play out.”

Westfield, Vodafone Hutchison Australia, and soap retailer Lush were among the Australian companies that publicly suffered a data breach during the past year.

Vodafone slipped from 35th to 59th on research consultancy AMR’s 2011 Corporate Reputation Index, released this week.

AMR’s reputation practice director and general manager Oliver Freedman said the drop could not be directly attributed to any specific outages or issues.

However, he speculated that “consumers had concerns about the telco’s openness and transparency while dealing with its recent technical issues”, highlighting drops in its ‘products’ and ‘governance’ ratings this year.

Copyright © iTnews.com.au . All rights reserved.