The report was written by the Verizon Business Risk team using first-hand evidence collected from the firm's data breach investigations over 2008.
Three-quarters of breaches resulted from external threats, the report found, while just 20 per cent were caused by insiders. This is despite the message from most security firms that the inside threat is more dangerous than that posed from the outside.
The sheer number of credit card and other details being compromised has driven their price down on the underground economy, forcing criminals into new tactics, explained Matthijs van der Wel, managing principal of forensics at Verizon Business.
The average price for a piece of stolen card information has dropped from around US$10 in 2007 to US50c today.
"For the criminals it's becoming less profitable so they're looking for new ways to make money, which means targeting financial institutions much more, looking for richer data," said van der Wel.
"Attackers have to do a lot more work to get their information now. They're intercepting the PINs, which has been theorised before but now we're seeing it. "
To this end, criminals are creating customised 'memory scraping' malware to harvest customer PINs entered at ATMs from banks' servers.
Yet despite the increasingly creative ways some criminals are compromising customer data for sale on the black market, the majority of incidents appear to have been preventable, according to the report. For example, 81 per cent of affected organisations subject to the Payment Card Industry Data Security Standard were found to be non-compliant prior to being breached.
Some 53 per cent of stolen data records came from organisations using shared or default credentials, and 83 per cent of hacks were considered avoidable through simple or intermediate controls.
Van der Wel recommended firms to check access controls regularly, change default credentials, keep up to date with patches, and test applications for vulnerabilities.
"You need to ask yourself 'Do I need to store this data?'" he said. "Many organisations today are data hungry, but if you don't store the data you'll reduce your risk."