Study: Data breaches use decades-old techniques, cost millions


New York – Cyberattacks are becoming increasingly sophisticated, but many criminals still rely on decades-old techniques such as phishing and hacking. According to the 2015 Verizon Data Breach Investigations Report, the bulk of the cyberattacks (70%) use a combination of these techniques and involve a secondary victim, adding complexity to a breach.

Another troubling area singled out in this year’s report is that many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007, a gap of almost eight years.

Verizon predicts that the cost of a breach involving 10 million records will fall between $2.1 million and $5.2 million (95% of the time), and depending on circumstances, could range up to as much as $73.9 million. For breaches with 100 million records, the cost will fall between $5 million and $15.6 million (95% of the time), and could top out at $199 million.

Verizon security researchers explained that the bulk (96%) of the nearly 80,000 security incidents analyzed this year can be traced to nine basic attack patterns that vary from industry to industry. The nine threat patterns are: miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial-of-service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.

This year’s report found that 83% of security incidents by industry involve the top three threat patterns, up from 76% in 2014. In retail, 88% of attacks occur in three major categories: denial of service (44%), crimeware (23%) and point-of-sale intrusion (21%).

“Seventy percent of all denial of service incidents involved a secondary victim,” Bob Rudis, managing principal of the Verizon Security Team and a report co-author, said in an exclusive interview with Chain Store Age. “Attackers may steal legitimate credentials through phishing, log in, access servers and steal what they want.”

In addition, Rudis said attackers use “RAM scrapers” to steal legitimate credentials at the point of sale and log in to obtain customer credit card numbers.

“With single factor identification, there is no alert until the credit card numbers are used,” said Rudis.

Although attackers often break into networks in hours or even minutes, it usually takes months for retailers to detect attacks. In 60% of breaches, attackers are able to compromise an organization within minutes.

“There is a disparity between how good the attackers are compared to the capabilities on the right side,” said Rudis.