A Consolidated View of Data Breaches in 2012 – Part 1

It’s that time of year again when we try to make sense of all the new research and statistics. Today I give you the Trustwave 2013 Global Security Report, which analyses 400 data breach investigations (compared to 300 in 2011) across 29 countries (compared to 18 in 2011). Unsurprisingly, 96% of the breaches involved the theft of customer records (payment card data, PII, email addresses), compared to 89% in 2011. Closer to home, this is echoed by the CIFAS Fraudscape report published in March 2013: whilst total fraud in the UK showed only a 5% increase since 2011, identity fraud increased by a whopping 17.1%. That sits well with the Trustwave finding that, of all client-side attacks observed, 61% targeted Adobe Reader users via malicious PDFs, which clearly points to social engineering (a malicious PDF still has to be opened by someone).

Trend alert…

In 2012, 78% of the case load (from 85.3% in 2011) originated from the Food & Beverage, Retail and Hospitality industries (see last year’s report), with notable increases in Financial Services and Not For Profit organisations (other):

Percentage of breaches per sector – Trustwave GSR 2013

Over the past few years, Food & Beverage and Retail have been almost interchangeable due to the similarity of their infrastructure, but it is good to note the overall reduction from 77.3% in 2011 to 69% in 2012 for the two sectors combined. We are possibly starting to see better practices (better POS security architecture and encryption) in these industries, but criminals continue to focus on them because of the sheer volume of cards and PII they hold. This correlates with a significant rise in automated, persistent attacks using targeted malware, specifically generic memory scraping, which accounted for 49% of all cases where the associated malware had identifiable data collection functionality (and that is also the whole point of the lawsuit Genesco filed against Visa). Increased awareness of the need to secure stored information has also meant that 60% of data harvesting methods now target data in transit: if card data is protected at rest, the attacker goes after it while it is being processed or transmitted.
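To make the term “generic memory scraping” concrete, here is an added example (mine, not from this post or the Trustwave report) of the core of what such malware does and, equally, what a defensive memory scan of a POS process looks for: Track 2 records or bare PANs sitting in process memory in the clear, with a Luhn check to weed out look-alike digit runs such as order numbers. The memory buffer is constructed for the example and uses the public Visa/Mastercard test card numbers; nothing is read from a real process.

```python
import re
from typing import Dict, List

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'.
# PANs are 13 to 19 digits; this is what card-present POS software handles
# between the swipe and the encryption/transmission step.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Bare PAN: a run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates real PANs from timestamps, order ids etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    """Return every Luhn-valid card number found in the clear in buf."""
    hits: List[Dict[str, object]] = []
    seen = set()
    # Full Track 2 records first: these carry expiry and service code too.
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "offset": m.start(),
                         "pan": mask(pan), "expiry": m.group(2).decode()})
            seen.add(pan)
    # Then bare PANs that did not appear inside a Track 2 record.
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan in seen or not luhn_ok(pan):
            continue
        hits.append({"kind": "pan", "offset": m.start(), "pan": mask(pan)})
        seen.add(pan)
    return hits


# Constructed stand-in for a dump of a POS process's memory (not real data).
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"
    b";4111111111111111=25121015432112345678?"   # Track 2 record, Luhn-valid
    b"\x00\x00order_id=1234567890123456\x00"     # 16 digits but fails Luhn: not a card
    b"pan_cache=5555555555554444\x00"            # bare Luhn-valid PAN left in a buffer
    b"junk=4111111111111112\x00"                 # looks like a PAN, fails Luhn
    b"\x00\x00"
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

A real scraper walks the readable regions of a chosen POS process and does so repeatedly, which is the persistence the report describes; a defender can run the same pattern match over a memory dump of that process to confirm card data is not lingering in the clear. The structural fix is the one hinted at above: encrypt at the point of capture so the window in which the PAN exists in clear text in memory is as short as possible.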

New for 2012 is the rise of mobile malware, up 400%. However, very few of the Trustwave forensic samples involved mobile devices, which points to a lack of visibility of mobile devices within organisations rather than an absence of attacks. Trustwave also list their top 10 mobile vulnerabilities, which I guess will further inform the proposed OWASP Mobile Top 10 currently in development.

Note: whilst in 2011 more than one-third of breaches in Food & Beverage, Retail and Hospitality targeted businesses operating franchise models, the 2012 report’s case load gives no indication of how this trend has evolved.


Who, me?… Or the case for incident response

In 2012, 76% of organisations were notified of breaches by external entities (Regulatory, Law Enforcement, Third Party, Public) compared to 84% in 2011:

Breach Detection – Trustwave GSR 2013

So does this mean that we’re getting better at incident response? I think so, on two counts:

Firstly, the March 2012 Symantec-sponsored Ponemon Cost of a Data Breach Study (UK) seems to think so: whilst the cost per compromised record increased from £71 in 2010 to £79 in 2011, the average organisational cost per breach decreased by 8%, from £1.9M to £1.75M, suggesting that organisations have improved their performance in both preparing for and responding to a data breach (the findings also revealed that fewer records were being lost, with less customer churn). Other studies have found that the cost of a data breach is increasing, and this is perhaps symptomatic of attacks now being far more targeted. So while self-detection is improving, those that remain blissfully unaware (see earlier post) face higher costs due to the increased sophistication of attack delivery and targeting. Criminals continue to automate the process of finding victims (through the identification of basic vulnerabilities) and extracting valuable data; this lowers the cost of performing an attack, which in turn lowers the minimum yield at which a victim becomes worth attacking.

Secondly, whilst the average time from initial breach to detection was still 7 months in 2012, the timeline from intrusion to containment has improved significantly over the previous year: the majority of breaches were detected within a year, with 9% detected within a month (and even 5% within 10 days), as the chart below shows:

Timeline of Intrusion to Containment – Trustwave GSR 2013

There are a few more goodies in the Trustwave GSR for this year, including email, passwords, third parties and some international perspectives, but I will leave those for the second part of this post.

Until next time…

About Neira Jones

With more than 20 years Financial Services experience, Neira is currently Head of Payment Security at Barclaycard where she is responsible for security compliance of circa 100,000 customers & 3rd parties. She has received the Information Security Person of the Year Award in April 2012 from SC Magazine at the same time as her team scooped up the prestigious SC Magazine Award for Information Security Team of the Year for the 2nd year in a row.

Not content with this, February 2012 saw Barclaycard winning two awards at the Merchant Payments Ecosystem conference for “Data Security” & “Merchants” for successfully steering Barclaycard and its customers through the changes in payment security, and in particular with the PCI DSS (Payment Card Industry Data Security Standard). She is a member of the Infosecurity Europe Hall of Fame and has been on the PCI Security Standards Council Board of Advisors since 2009. 

Follow Neira on Twitter: @NeiraJones