April 15, 2009 5:03 PM PDT

Report: Payment card data was top target in 2008

by Elinor Mills

More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.

Last year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations Report (PDF) found.

The top five breaches accounted for 93 percent of total records compromised. As a percentage of caseload, 80 percent were payment card breaches, while payment card data represented 98 percent of all records compromised last year.

PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data were used for identity fraud. For example, criminals used the data to make ATM withdrawals from victims' accounts.

PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victims' bank accounts last year. Meanwhile, payment processor Heartland had a huge data breach of its own last year that it reported in January, and there have been reports of another breach at an unidentified institution.

More than three-fourths of organizations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. The typical organization had met less than a third of the requirements in the standards, the report found.

This chart shows threat categories by percent of breaches (black) and records (red).

(Credit: Verizon)

Of the total breaches, 75 percent came from external sources, 39 percent involved multiple parties, 32 percent involved business partners and in 20 percent of the cases insiders were implicated. Three-fourths of the breaches were undiscovered and uncontained for weeks or months.

As for types of breaches, 64 percent resulted from malicious hacking, 38 percent used malware, 22 percent involved privilege misuse, and 9 percent used physical attacks such as equipment theft or tampering.

In about four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software, typically provisioned to third parties for remote administration.

During 2008, malware was involved in more than one-third of the cases investigated and contributed to nine out of 10 of all records breached.

"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. "Hacking gets the criminal in the door, but malware gets him the data."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by moldor April 15, 2009 6:39 PM PDT
And you should see how insecure the Australian company(s) that process CC data are !!! would scare the crap out of you...
by nethed April 16, 2009 6:17 AM PDT
Absolutely.. Our own internal research confirms these findings.

Anyone who is even a little confident of their security is generally pretty disappointed when we deliver a report. We ALWAYS find something. Never once has a customer been clean up front.

Some of the comments range from 'oh yeah, forgot about that freeware we installed 2 years ago', to 'my web guy said we were secure'.

Simple scanning greatly reduces the risks of exposures and leaks. Our solution makes it simple (and really inexcusable) to not have better security.

Jason - www.54f3.com
by garybartlett April 16, 2009 6:24 AM PDT
The funny thing is that I have a solution for this type of problem, but just because you have a great idea doesn't mean it's going to happen, like for me I'm not into the whole patent / start your own business type of guy. As a Senior Network/Security consultant working for one of the largest IT outsourcing companies in the world, I tried to approach them. It went far up the food chain, but more or less they like the idea, but they aren't in the business of manufacturing products... I thought it was my best shot. You'd think it would be easier to approach a company to present an idea than it is...

The best part is that I believe a company could patent my idea, approach the target audience (banking institutions) & get approval & funding to go ahead & make the product before even making any substantial investment. You know who I'd like to get an audience with... EMC, these guys put loads of cash into R&D every year & own RSA SecurID, but getting an audience is not all that likely
by TGChic April 19, 2009 6:45 PM PDT
Scary stuff, with the hard economic times I think that data breaches are only gonna get worse. Take a look at this article on justaskgemalto.com (http://www.justaskgemalto.com/en/personal-data/tips/what-should-i-do-if-my-personal-information-has-been-compromised-data-breach) about data breaches, it has some pretty good information on how we can protect ourselves from threats