Report: Payment card data was top target in 2008
More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.
Last year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations Report (PDF) found.
The top five breaches accounted for 93 percent of total records compromised. As a percentage of caseload, 80 percent were payment card breaches, while payment card data represented 98 percent of all records compromised last year.
PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data were used for identity fraud. For example, criminals used the data to make ATM withdrawals from victims' accounts.
PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victim bank accounts last year. Meanwhile, payment processor Heartland had a huge data breach of its own last year that it reported in January, and there have been reports of another breach at an unidentified institution.
More than three-fourths of organizations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. The typical organization had met less than a third of the requirements in the standards, the report found.
This chart shows threat categories by percent of breaches (black) and records (red). (Credit: Verizon)
Of the total breaches, 75 percent came from external sources, 39 percent involved multiple parties, 32 percent involved business partners, and in 20 percent of the cases insiders were implicated. Three-fourths of the breaches were undiscovered and uncontained for weeks or months.
As far as types of breaches, 64 percent resulted from malicious hacking, 38 percent used malware, 22 percent involved privileged misuse, and 9 percent used physical attacks such as equipment theft or tampering.
In about four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software, typically provisioned to third parties for remote administration.
During 2008, malware was involved in more than one-third of the cases investigated and contributed to nine out of 10 of all records breached.
"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. "Hacking gets the criminal in the door, but malware gets him the data."
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.




Anyone who is even a little confident of their security is generally pretty disappointed when we deliver a report. We ALWAYS find something. Never once has a customer been clean up front.
Some of the comments range from 'oh yeah, forgot about that freeware we installed 2 years ago', to 'my web guy said we were secure'.
Simple scanning greatly reduces the risks of exposures and leaks. Our solution makes it simple (and really inexcusable) to not have better security.
Jason - www.54f3.com
The best part is that I believe a company could patent my idea, approach the target audience (banking institutions) & get approval & funding to go ahead & make the product before even making any substantial investment. You know who I'd like to get an audience with... EMC, these guys put loads of cash into R&D every year & own RSA SecurID, but getting an audience is not all that likely.
- by TGChic April 19, 2009 6:45 PM PDT
- Scary stuff, with the hard economic times I think that data breaches are only gonna get worse. Take a look at this article on justaskgemalto.com (http://www.justaskgemalto.com/en/personal-data/tips/what-should-i-do-if-my-personal-information-has-been-compromised-data-breach) about data breaches, it has some pretty good information on how we can protect ourselves from threats.