Data thieves target smaller prey


Best not to be the slowest runner, Verizon reports.

Recent high-profile arrests of cybercrime “kingpins” may have prompted data thieves to aim for smaller hauls of tens of thousands – instead of millions – of records at a time.

According to Verizon Business’s 2011 Data Breach Investigations report (pdf), launched today, organisations with between 11 and 100 staff suffered a “virtual explosion” of data breaches in the past year.

Cybercriminals were found to target hospitality and retail businesses, which tended to be “smaller, softer, and less reactive targets” than financial institutions, Verizon reported.

“Instead of hunting for big game, attackers seem to be hunting small game now,” the firm’s Asia-Pacific managing principal of Investigative Response Mark Goudie told iTnews.

“From a risk point of view, would you rather be hunting lions and tigers, or would you rather be hunting rabbits?”

Verizon speculated that criminals were opting to “play it safe” in light of the recent arrests of payment card data trafficker Vladislav Horohorin, and TJX hackers Albert Gonzalez and Maksym Yastremskiy.

Despite smaller hauls, data theft remained a lucrative business, Goudie said, explaining that the traditional dynamics of demand and supply had driven up the market price of stolen information.

“The amount of data that’s been stolen has dropped but compromise events are up,” he said, noting that Verizon’s Asia Pacific caseload of data breach investigations had doubled since April 2010.

Although he declined to disclose staffing numbers for competitive reasons, Goudie said Verizon Business was continuing to grow locally after having tripled the size of its Asia Pacific data breach investigations team last year.

Verizon attributed many breaches to “basic hacks”, such as SQL injections, or “one or two obvious holes”, such as ineffective or weak passwords and credentials.

More than 99 percent of records were found to be stolen by “external agents” – hackers and malware writers using “standardised, automated and highly repeatable attacks”.

Criminals were also found to be looking beyond stealing payment card information – which topped the hacker wish list in 2009 – to target accounts, authentication credentials, intellectual property and other sensitive data.

Goudie urged organisations to consider upgrading software and changing their behaviours and systems to avoid data breaches.

Since cybercriminals tended to opportunistically target “low-hanging fruit”, he said organisations needed only to be better protected than most others to avoid being targeted.

“Across Asia-Pacific, almost invariably, a number of small issues are overlooked by IT security [teams] and left unaddressed for a substantial period of time,” he said.

“If there are six people being chased by a bear, it’s best not to be the slowest runner.”

Verizon’s 2011 report involved 761 data breach cases (3.8 million stolen records) that took place in 2010, and was produced in collaboration with the US Secret Service and Dutch National High Tech Crime Unit.

Goudie called for greater collaboration between public and private sector IT security experts, but declined to comment on any discussions with Australian authorities.

He also declined to argue for or against data breach notification laws that were recommended by the Australian Law Reform Commission in 2008.

“A rash of organisations started disclosing information about data breaches because of mandatory disclosure laws [in some US states],” he said. “There was consumer outrage.

“Maybe [the laws] would have some effect [on improving information security], who knows. Many of these things will take up to ten years to play out.”

Westfield, Vodafone Hutchison Australia, and soap retailer Lush were among the Australian companies that publicly suffered a data breach during the past year.

Vodafone slipped from 35th to 59th on research consultancy AMR’s 2011 Corporate Reputation Index, released this week.

AMR’s reputation practice director and general manager Oliver Freedman said the drop could not be directly attributed to any specific outages or issues.

However, he speculated that “consumers had concerns about the telco’s openness and transparency while dealing with its recent technical issues”, highlighting drops in its ‘products’ and ‘governance’ ratings this year.

Copyright © iTnews.com.au. All rights reserved.


Comments: 2
mjc130
Apr 19, 2011 3:49 PM
Yep, I am getting a huge number of automated dictionary attacks on my RDP servers that I manage. This has really taken off in the past few months to the tune of 20k attempts overnight. Yes the standard accounts have been renamed etc., but SMBs typically do not have the resources to defend against these things.
Many SMBs are probably unaware that this even occurs. How many of us have been to new client sites to discover open wireless connections?
I think this article was not really levelled at SMBs but the hacker only knows an IP address and a port number, before he starts his automated attack processes.
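The automated password guessing mjc130 describes leaves a recognisable trace: many failed logons from one source in a short span, usually against a spread of account names. The script below is an added example, not code from the article or from either commenter, showing how a small shop could pick that pattern out of exported logon logs. The log format is a constructed, simplified one (timestamp, result, user, source address); real Windows Security logs record failed logons as event 4625 with different field names, so the line parser would need adapting, and the threshold and window values are assumptions to tune per site.

```python
"""Flag sources producing bursts of failed logons (password guessing).

Added example, not from the article or its comments. The log lines and
field layout are constructed for illustration; a real deployment would
parse its own event source (e.g. Windows event 4625) into the same tuple.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a legitimate user mistyping twice, one source
# guessing six account names in four seconds, and a slow scanner spreading
# five failures over several hours.
SAMPLE_LOG = """\
2011-04-18T22:00:00 LOGON_FAILED user=jsmith src=198.51.100.20
2011-04-18T22:00:20 LOGON_FAILED user=jsmith src=198.51.100.20
2011-04-18T22:00:35 LOGON_OK user=jsmith src=198.51.100.20
2011-04-18T23:01:02 LOGON_FAILED user=administrator src=203.0.113.7
2011-04-18T23:01:03 LOGON_FAILED user=admin src=203.0.113.7
2011-04-18T23:01:03 LOGON_FAILED user=guest src=203.0.113.7
2011-04-18T23:01:04 LOGON_FAILED user=test src=203.0.113.7
2011-04-18T23:01:05 LOGON_FAILED user=backup src=203.0.113.7
2011-04-18T23:01:06 LOGON_FAILED user=sa src=203.0.113.7
2011-04-18T20:00:00 LOGON_FAILED user=scanner src=192.0.2.9
2011-04-18T21:30:00 LOGON_FAILED user=scanner src=192.0.2.9
2011-04-18T23:45:00 LOGON_FAILED user=scanner src=192.0.2.9
2011-04-19T01:10:00 LOGON_FAILED user=scanner src=192.0.2.9
2011-04-19T02:40:00 LOGON_FAILED user=scanner src=192.0.2.9
"""

# Only failed logons matter for this detection; successes and other lines are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGON_FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failed_logons(text):
    """Return a list of (timestamp, user, source) tuples for failed-logon lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def find_password_guessing(events, threshold=5, window_seconds=600):
    """Return {source: summary} for every source with at least `threshold`
    failed logons inside any span of `window_seconds`.

    The sliding window is what separates a burst from the same number of
    failures spread over a day: the slow scanner in the sample is not flagged
    at the default window but is at a wider one.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, items in by_src.items():
        items.sort()
        times = [ts for ts, _ in items]
        peak = 0
        left = 0
        for right, ts in enumerate(times):
            # Advance the left edge until the window holds only events within range.
            while (ts - times[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[src] = {
                "attempts": len(items),
                "peak_in_window": peak,
                # Many distinct names from one source is the dictionary-attack signature.
                "distinct_users": len({u for _, u in items}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_password_guessing(parse_failed_logons(SAMPLE_LOG)).items():
        print(f"{src}: {info}")
```

The output feeds naturally into a block list or a rate limit on the exposed service, which is the cheap mitigation available even without a VPN in front of the host; the window and threshold should be set from a baseline of normal failed-logon volume so that a user fumbling a password is not flagged.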
Tinrib
Apr 20, 2011 3:43 PM
I don't leave anything to chance and insist that all public access to internal systems is restricted unless it's coming via a VPN. It should be easy enough to justify with a customer as well. If they do not see the value and importance of security even at a basic level I would be questioning whether valuable time should be spent on them.