Traditionally known for defacing websites and knocking them offline, so-called hacktivists stepped up their game last year and were responsible for a majority of data stolen in breaches, according to an annual study from Verizon released today.
The company's “Data Breach Investigations Report” (PDF) found that politically motivated intruders, whose goal is to name-and-shame organizations with which they morally disagree, caused just two percent of the incidents studied, but were responsible for 58 percent of the stolen information. That sits as a notable contrast to previous years, when financially motivated criminals were responsible for the bulk of the hijacked booty.
“Activists actually stole more data than organized crime last year, which we thought was interesting,” said Chris Porter, Verizon's senior security analyst and co-author of the report.
The study, now in its fifth year, analyzed 855 breaches from caseloads at Verizon, the U.S. Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting and Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police.
While malware was involved in 69 percent of the incidents, hacktivists such as LulzSec and Anonymous tended not to use malicious code, unlike, for example, nation-state adversaries.
“They are more concerned about gaining access and keeping access,” Porter said. “But activist groups are not trying to maintain that persistent access. They're looking to get into the organization and embarrass the company. It's much more of a smash-and-grab thing.”
External attacks made up 98 percent of cases, while insiders were responsible for under four percent of the cases. (Sometimes outsiders and insiders worked in tandem.) Porter attributed the disproportion to the growing number of automated, mass attacks that typically target small businesses. Criminals scan the web, looking for organizations running default or easily guessable credentials. Then, they install keylogger malware that siphons sensitive data, such as credit card numbers.
“These types of companies are focused on their business and less focused on the IT aspect and protecting their information,” Porter said. “I think it has a lot to do with just resources. If you walk into a mom-and-pop restaurant and you ask what their password is on their point-of-sale system, they might know and they might not know.”
He recommended organizations frequently change their point-of-sale passwords and apply access control lists to remote access services.
Perhaps surprisingly, web applications, which are exploited through a popular hacking technique known as SQL injection, were responsible for 10 percent of the breaches. But in large organizations that number rose to 54 percent. Porter explained that bigger outfits do a better job of protecting the perimeter and locking down credentials, but still fail in the area of web-facing apps.
Ultimately, breaches will happen, but if the report has any message, it's that they need to be contained sooner -- detected in days instead of weeks or months, Porter said.
“This is about risk,” he said.
The report does not cover lost data, such as missing laptops or mobile devices.