Cyber-criminals and gangs have been upping the scale of their efforts in recent years, and we have seen some huge thefts of user records that are then sold on the black market for a profit – whether those records are login details, credit card numbers, or personal information. 2011, however, saw the rise of “hacktivism”, with LulzSec and then Anonymous taking centre stage (with some of the same figures involved) – and it appears they stole more records.
This information comes courtesy of Verizon’s Data Breach Investigations Report [PDF], which notes that 100 million of the 174 million records stolen last year were pinched by hacktivists. The year saw a big change in actions from the hacktivist crowd – no longer content with simply defacing websites with a political message, hackers are now taking on large corporations and governments, stealing private information held by them and distributing it for free on the web. This has two effects – firstly to embarrass the companies and organisations involved, and secondly to keep them on their toes – when they do something that works against the freedoms of the web or its netizens, they may have some payback to deal with. The idea is that this might pressure these companies to be a little more thoughtful in their actions in the future.
LulzSec and Anonymous don’t seem to take any prisoners and have gone after Sony, HB Gary, the UK’s Serious Organised Crime Agency (SOCA), and many many more. The actions of this small group of talented individuals (or misguided individuals, depending on your outlook) have demonstrated that on the web, being a huge corporation with deep pockets does not make you impossible to take down. The web is still an unruly frontier where anything is possible, and that is down to the inventiveness and ingenuity of engineers and hackers over the last couple of decades, and money still cannot guarantee protection. Gated communities are impossible.
The disparity in the number of records stolen between the two sides of the internet underground may, however, also be down to under-reporting of criminal activity. Firstly, unlike hacktivists, who release the records online almost immediately after their theft, criminals silently hold onto the records until they can sell them – they certainly don’t inform the companies and organisations involved, as people could then act to cancel their cards and change their passwords – making the records valueless. Additionally, there is a long history of banks and other organisations not reporting these thefts to the police and instead covering the damages themselves to avoid the bad PR that a hack would expose them to.
- Nearly 70% of breaches originated in Eastern Europe
- 94% of data compromised involved servers rather than user devices, people, data stored offline or network infrastructure
- 98% of attacks were conducted by external groups such as activists, organized crime, former employees and organizations sponsored by foreign governments – a reduction of insider breaches on last year
- Hacking was a factor in 81% of data breaches and 99% of data lost
- Malware was used in 69% of breaches and was a factor in 95% of compromised records
- 92% of breaches were discovered by third parties rather than the organization that lost the data
- 85% of breaches took two weeks or more to discover
The biggest take-away from this report is that Verizon deemed 97 per cent of the attacks avoidable without difficult or expensive countermeasures – with many of the hacks down to lack of planning, understanding, or basic firewall installations. If you don’t want to be on next year’s list, then it’s time to do a data security review.