If there’s one thing that scientists and statisticians both hate, its weird data. And that’s what the folks at Verizon were dealing with when they tallied the results of their 2011 Data Breach Report which found a stunning 97% drop in the number of lost records, even as the number of reported breaches rose precipitously.
The conflicting numbers had Verizon executives scratching their heads to coax a message out of statistics that seem both discouraging and wildly encouraging at the same time. But some outside security experts with hands on experience investigating data breaches say the report’s unusual findings only underscore the difficulty of tracking the data theft crimes across the public and private sectors.
The Verizon 2011 Data Breach Investigations Report (DBIR) is the third annual report issued by Verizon and the U.S. Secret Service (USSS). It covers incidents of data breaches that occurred in calendar year 2010 and comprises incidents investigated by Verizon’s professional services division and those reported to the USSS. The report’s tally of stolen records is a oft-cited benchmark of the prevalence and seriousness of cyber attacks.
That number has been on a steady – even precipitous decline since the first Verizon DBIR in 2008. After peaking in that first year at 361 million, the number of total records compromised dropped to 144 million in 2009 and just 4 million in 2010. That leaves Verizon in the uncomfortable position of having to try to explain – rather than merely interpret – the results of its own report.
On that score, Wade Baker, Verizon Business’ Director of Risk Intelligence said there are any number of theories that could explain the collapse in the number of reported compromised records – from random caseload variation, to an absence of huge data breaches such as the hack of retailer TJX in 2010.
Verizon Business’s leading theory, however, is that prosecution of data thieves is working as intended. The masterminds, like TJX hacker Albert Gonzalez, who might actually carry out such large breaches are “in jail or on the run because they’re being pursued,” said Wade. Another possibility: criminals are shying away from high profile targets and more modest amounts of data, so as not to prompt a full scale investigation.
The data from 2010 also flip flopped trends identified in prior years in ways that ring a sour note. Verizon reported double digit percentage decreases in the percentage of data breaches that stem from insider attacks (just 17% of reported cases, a 31% decline) and the number of breaches that stem from privilege misuse (again – 17% in 2010, down fom 48% in 2009). Even the number of attacks that employed social engineering, which Verizon saw decline 17% to just 11% of reported incidents, despite high profile incidents of data theft secondary to social engineering attacks -notably at security firm HBGary and EMC’s RSA Security Division.
Incongruously, Verizon reported a record high number of reported breaches in 2010: 761, up from just 141 in 2009. Wade said that the bulk of new reports came by way of the U.S. Secret Service, which added information on more thand 600 incidents to the DBIR. In 2009, the USSS data was more limited in scope, said Wade.
Chris Wysopal of application security firm Veracode, who was briefed by Verizon ahead of the release of the report, said that Verizon’s report was interesting, but puzzling, and may indicate that Verizon’s customer base – rife with banking and financial services customers – is becoming less and less representative of overall data breach activity.
“The credit card hacking world, which is the majority of Verizon’s customers, is becoming less of an accurate sample of the data breach world at large,” he said.
While the U.S. Secret Service data might counter that, those records – also – are more likely to center on banks, credit unions and financial services firms involved in monetary transfers than FBI data, which would encompass a wider range of victims.
Recent breaches like the theft of customer name and e-mail information from e-mail marketing firm Epsilon and the hack of engineering group IEEE already far surpass Verizon’s 2011 DBIR numbers, but those hacks might not show up in Verizon’s numbers, Wysopal said.
Diana Kelley, a Principal Analyst with SecurityServe in Amherst, New Hampshire, said she was surprised by Verizon’s reports about the decline in indiser attacks.
“That was a surprise to me. I talk to companies all the time, and I’m still hearing a lot about insiders,” she said. Those might just be cases of accidental or inadvertent data loss, rather than malicious insiders, Kelley said – but the problem is real.
Finally, cyber criminals are getting better at avoiding detection, said Baker. “We know victims are terrible at seeing these,” he said. Even if they suspect data may have been compromised, criminals are getting better at covering their tracks after a hack, making it hard to verify a breach, he said.
Wysopal said his experience makes him less sanguine that the problem of data theft has gone away.
“I only see slight improvement in the state of breaches in general,” he wrote in an e-mail. “The mega breaches seem to be down but there are still some fairly large recent ones such as State of Texas at 3.5M and Hyundai Capital at 420K in April. And lets not forget the mega email breaches of the last few months, including 4.9 email addresses, names, and VINs at Honda.”