Verizon releases its 2014 Data Breach Investigations Report

April 23, 2014 |

Verizon has published its Data Breach Investigations Report (DBIR) annually since 2008.  It is a very useful publication because it quantifies data breaches and security incidents, both overall and by industry, and maps trends and threats.  For those interested in information security and privacy it should be mandatory reading.  If there is any time left in the day the Cisco annual security report is also a very useful resource (found here).  Both are invaluable for privacy practitioners in preparing policies, training programs and protocols under the Privacy by Design methodology to comply with the Australian Privacy Principles in particular and the Privacy Act 1988 in general.

The 2014 Verizon report (found here) reports 1,367 confirmed data breaches among 63,437 security incidents.

The Canberra Times has a piece on the report, Revamped Verizon security report to help funnel funds into the right holes, which provides as follows:

Cyber security threats vary according to industry sector, a report has found.

After analysing more than 63,000 security incidents that took place in 2013, Verizon’s annual Data Breach Investigations Report, used by corporations and governments worldwide as a benchmark of cyber security, or lack thereof, has come to a new conclusion.

The 2014 edition released on Tuesday analysed more than 63,000 incidents and 1361 data breaches as reported by 50 organisations in 95 countries, including computer emergency response teams (CERTs) and law enforcement agencies.

Rather than isolating one or two main attack vectors, the analysis was able to pinpoint threats per industry, which the report co-author, senior data analyst Jay Jacobs, said would help those making security spending decisions.

The report found that those administering hotels and other accommodation, for example, ought not to worry about credit card skimming or other scams, because 75 per cent of the attacks levelled against them were aimed at point-of-sale terminals.

Mining companies, on the other hand, should concentrate their security efforts on guarding against espionage – the target of 40 per cent of attacks levelled at the sector – followed by internal misuse of information (25 per cent).

“It’s not surprising when you stop to think about it, but, if you look at the advice people get in the industry, it’s a very general, ‘do this, everybody’,” Jacobs told IT Pro. “The whole point now is people can … hopefully prioritise their security spend.”

The report, originally prepared by the American telco using intelligence derived from its own clients, has grown to analyse data losses reported by myriad partners. This year it more than doubled in size to include security incidents worldwide, whether data was lost or not.

The company behind the report does not sell security products, but Jacobs can see how computer security vendors may use this year’s report to tailor, or repackage, products to different verticals.

“Maybe they’ll be packaged differently, but some of the things you can’t go and buy. Espionage, for example; trying to prevent an attack is very difficult to do. They need to [concentrate] on detection.”

Jacobs cautioned against reading too much into the high number of incidents of theft or loss of data in healthcare (40 per cent of all incidents in the sector), and misuse and human error in the public sector (58 per cent in total). These sectors have mandatory reporting resulting in a large number of relatively insignificant incidents.

Denial-of-service attacks and attacks levelled at web applications such as content management systems were found to be relevant to most sectors.

“In web apps, we saw attackers simply scanning the internet for vulnerabilities and dropping some software into it to report back to a command and control infrastructure.”

Web app attacks were spread across the information, media, education, utilities and trade sectors.

Denial-of-service attacks were mostly levelled at management companies, professional service firms, retail and media websites.

Meanwhile, the Prolexic Q1 2014 Global DDoS Attack Report, also released on Tuesday, reported a 47 per cent increase in distributed denial-of-service attacks compared with a year ago.

It noted high-volume, infrastructure-based attacks were made possible by the availability of easy-to-use DDoS tools in hacking marketplaces.
