A tiny but motivated band of ‘hacktivists’ are supplanting professional criminals as the biggest single data breach threat to large enterprises, an analysis of hundreds of confirmed incident reports has found.
On the face of it, the numbers in Verizon’s 2012 Data Breach Investigations Report (which covers 2011) suggest that hacktivism is more of a nuisance than a major threat, accounting for only 3 percent of the 855 recorded attacks looked at across several countries.
But despite the modest volume of attacks, hacktivist incidents often lead to far more spectacular losses. Verizon found that from a total of 174 million records (individual database entries as well as documents) compromised in the 855 incidents, 100 million were stolen by hacktivists.
This means that hacktivism is a theme in only 3 out of every 100 incidents, but in nearly six out of ten of the records that are actually compromised.
This finding accords with anecdotal evidence in a year that saw several large data breaches, most infamously Sony’s loss of 77 million PlayStation Network customer account records in April 2011.
“This re-imagined and re-invigorated specter of ‘hacktivism’ rose to haunt organisations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined,” the report said.
The point about hacktivists is that with an attention-seeking agenda, they are the very opposite of the professional criminal in the game for profit. For hackers motivated by a dislike of a particular company, the more records stolen and leaked, the better. Criminals prefer smaller thefts that are less likely to be detected.
“It used to be more about website defacement and maybe denial-of-service,” said Wade Baker, Verizon’s research and intelligence director, of the hacktivist toolkit. “[Now] activists are more interested in the amount of embarrassment they can cause.”
What of the professional criminals? As larger companies have better protected themselves, criminals have moved on to the large mass of smaller companies that have yet to invest in security.
“Criminals take smaller bits of data over hundreds of thousands of businesses,” said Baker.
If large companies are generally investing in better security, is the data breach issue getting better or worse?
“I don’t have a simple answer to that one.”
Although only a snapshot of the data breach problem – the vast majority of such attacks go unrecorded and might not even be detected in the first place – the sources used by the company are high-level enough to lend the report credibility in its overall conclusions.
Verizon tallied its data breaches from a variety of sources in addition to cases worked on by Verizon itself: the US Secret Service (USSS), the UK’s Police Central e-Crime Unit (PCeU), the Dutch National High Tech Crime Unit (NHTCU), the Irish Reporting & Information Security Service (IRISSCERT) and the Australian Federal Police (AFP).
The EU is expected to implement a 24-hour Data Breach Directive in the near future, which would make reporting of consumer data breaches a legal requirement across the 27-nation economic area.