Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.
Their latest supporting evidence comes in the form of an annual Verizon report, which counted 621 confirmed data breaches last year, and more than 47,000 reported “security incidents.” Those include distributed denial of service (DDOS) attacks, in which hackers flood a site with traffic until it falls offline, but do not necessarily break into a company’s network.
The victims spanned a wide range of industries. Thirty-seven percent of breached companies were financial firms; 24 percent were retailers and restaurants; 20 percent involved manufacturing, transportation and utility industries; and 20 percent of the breaches affected organizations that Verizon qualified as “information and professional services firms.” (The totals exceed 100 percent because of rounding.)
“The results validate that any business that operates online is at potential risk of suffering a data breach,” said Wade Baker, one of the report’s principal authors. “We talk to a lot of actors that are flabbergasted that they would be attacked by a group based across the world. But the report shows that no matter the size of the organization — large, small, government agencies, banks, restaurants, retailers — people are stealing data from a range of different organizations and it’s a problem everyone has to deal with.”
Verizon collaborated with 18 organizations to feed data into this year’s report. Three quarters of successful breaches were done by profit-minded criminals for financial gain. But the second most common type of breach was a state-affiliated attack “aimed at stealing intellectual property — such as classified information, trade secrets and technical resources — to further national and economic interests.”
Verizon said that only a slim minority — 14 percent — of all data breaches were the work of insiders. Most were the work work of external actors who are often difficult to pinpoint because attackers often route their Web traffic through infected computers around the world. But Mr. Baker said victims were able to trace the attacks back to state-affiliated groups in “two out of three cases.”
In those cases, Verizon said that the majority– 30 percent– of all attacks originated in China. Government officials in the United States recently started stepping up diplomatic pressure on China to curtail cyberespionage that originates from within its borders. Last month, the Obama administration demanded that the Chinese government stop the theft of data from American computer networks. And on Monday, cybersecurity was the focus of a meeting between the Joint Chiefs of Staff chairman, Gen. Martin E. Dempsey, and Gen. Fang Fenghui of China.
Surprisingly, the second most common origin of attacks was Romania, where hackers accounted for 28 percent of all data breaches. The third most common origin of attacks was the United States, which accounted for 18 percent of all attacks.
In 76 percent of data breaches, weak or stolen user names and passwords were a cause. In 40 percent of cases, Verizon said the attackers installed malicious software on the victim’s systems; 35 percent of cases involved “physical attacks” in which the attackers did physical harm, to a skimmer at an automated teller machine, for instance.
In 29 percent of breaches, the attackers leveraged social tactics, such as spear phishing, in which a tailored e-mail to the victim purports to come from a friend or business contact. The e-mails contain malicious links or attachments that, when clicked, give the attacker a foothold in the victim’s computer network. Verizon said it witnessed four times as many “social engineering” attacks that used this method in 2012 as it did in 2011. That method, Verizon said, was most popular among attackers in cyberespionage campaigns.
The Verizon report also highlighted the lag between the time an organization has been breached and the time it discovers the breach. “The compromise-to-discovery timeline continues to be measured in months and even years, as opposed to hours and days,” the report said.