Global data breach numbers through the roof

John Kavanagh
The number of data breaches where a data loss was confirmed more than doubled in 2013, compared with the previous year, according to Verizon's latest annual global cybercrime survey.

Attacks on payment systems featured prominently in the report. Of the 1367 breaches analysed, 14 per cent were point of sale intrusions and nine per cent were card skimming attacks.

Verizon described 2013 as "the year of the retailer breach". Among the breaches, a US hardware chain, Harbor Freight, had the payment records of 200 million customers stolen and department store chain Nordstrom discovered skimmers on its cash registers.

The most common breaches were web application attacks, which made up 35 per cent of all breaches, followed by cyber-espionage (22 per cent) and insider misuse (eight per cent).

Verizon's data is based on its own forensic work, as well as contributions from law enforcement agencies, government cyber security centres and service providers. The Australian Federal Police and CERT Australia are contributors.

Verizon's managing principal of global investigative response, Chris Novak, said the big increase in breaches reflected the fact that criminal groups were getting more sophisticated in their approach to cybercrime and tended to collaborate with each other to share resources.

Speaking at the PCI Security Standards Council conference in Sydney yesterday, Novak said: "When a gang gets access to a victim it will sell that access to others."

Novak said cyber criminals have been known to use conventional customer relationship management systems to analyse stolen data and create customer profiles.

They have also been known to patch unprotected vulnerabilities in corporate data systems after they have introduced their malware, to keep other cyber criminals out.

According to the report, the businesses most commonly affected by point of sale intrusions are restaurants, hotels and grocery stores.

The majority of card skimming attacks occurred at ATMs and petrol pumps.

The general manager of the PCI Security Standards Council, Stephen Orfei, said the organisation's goal was to have tokenisation and encryption technology deployed at all stages of the payment chain so that even if the data were stolen, it could not be used.

"The end game is to devalue the data," Orfei said.

The PCI Security Standards Council is a global self-regulatory body that sets standards and technical requirements for payments systems. American Express, Visa, MasterCard, Discover Financial Services and JCB International were its founding members.

Orfei said the council was creating a list of approved encryption and tokenisation systems for its members.