Customer Records Remain Primary Target in Data Breach Efforts

Customer Records Remain Primary Target in Data Breach Efforts


Monday, February 13, 2012 | Dan Blacharski

There exists a certain contingent of cybercriminals which perpetrates computer break-ins to make political statements, to demonstrate their prowess in front of their peers, or just for the thrill of it. But bored hackers living in their parents’ basements make up only a small percentage; according to a Trustwave 2012 Global Security Report from Trustwave Spider Labs, 89 percent of their investigations involved the theft of customer records. Today, hackers and cybercriminals are in it for one reason: The money.

Of course, no type of business is exempt from the attackers’ interest, but like all criminals, "Sutton’s Law” holds. Named after the famous Depression-era bank robber Willie Sutton, who when asked why he robbed banks, responded "Because that’s where the money is,” Sutton’s Law is one of obviousness, and cybercriminals are no different from the stick-up man. Before executing a cyber attack, the criminal first considers from where he or she will gain the most return. Increasingly, this means targeting businesses that process the most credit cards.
 
Of all business entities studied by Trustwave, the food, beverage, retail, and hospitality industry accounted for an incredible 85 percent of data breaches. And here is the second part of what’s behind the thought process of the cyberattacker: They are, for the most part, opportunistic. Organised cybercriminals target this industry because of well-known payment system vulnerabilities, and lax security practices.
 
The Payment Card Industry (PCI) Data Security Standard (DSS) is in place to help prevent security lapses where card data is processed and stored.  But lapses still happen and high profile cases are regularly making headline news.
 
[ Want to learn more about PCI Compliance? Read 'An Introduction to becoming PCI DSS Compliant' White Paper, PDF ]

Those security lapses are multiplied thousands of times over in the franchised food industry, where it is possible for a criminal to find a single flaw and hit the jackpot. Because every franchisee uses a standardised computer model, likely with the same settings and defaults, if a criminal is able to hack into one burger franchise it’s quite likely they can hack into thousands of restaurants from the same franchise. E-commerce targets are prevalent and breaches here are on the increase. Other targets include ATMs, and successful access to an ATM can yield direct access to money. This may occur either through direct tampering with the hardware, but also indirectly by system intrusion or ATM-specific malware.
 
On the other end of the target spectrum, the healthcare industry, which has been subject to much more scrutiny and privacy legislation, accounted for only three percent of Trustwave’s caseload, largely because of breach notification laws and more mature information security policies.
 
The major activity is simple theft of payment card numbers, but another shocking type of attack is theft of business financial account numbers, which are used in subsequent payment card fraud and money laundering.
 
Constant vigilance and adherence to best practices will play a role in reducing risk and exposure. There is no single "silver bullet” that will absolutely prevent all types of credit card and personal information theft, but acceptable levels of risk can be easily achieved with the right technology and oversight Point-to-point solutions for example, can significantly lower risk of POS system breaches.
  • Print
  • Send to a friend