Report sheds light on intellectual property theft

Verizon study examines the characteristics of data breaches at organizations around the world

Telecommunications giant Verizon on Wednesday released the findings of its 2012 Data Breach Investigations Report (DBIR), which in addition to typical cyber intrusions also looked at the characteristics of data breaches intended to steal companies’ intellectual property. The report, which was conducted with cooperation from the U.S. Secret Service and several other law enforcement agencies around the globe, found that a total of 174 million records were compromised in 2011, the second highest total since the company began keeping track in 2004.

While the majority of these data breaches were perpetrated by people looking for a quick way to cash in on their theft, there were also those whose goal was much larger in scope. In fact, the DBIR discovered 85 confirmed data breaches over the last two years that resulted in the theft of intellectual property (IP).

The report, which looked at a variety of vertical markets including the healthcare, financial, insurance, retail, hospitality and food services, found that no organization was immune to IP theft – whether it be a company with one to 10 employees or more than 100,000 employees. The financial services and public administration verticals accounted for two-thirds of IP data breaches, while information, technology services, and manufacturing made up the remaining third.  

Although most of these intrusions were the work of outside agents (87 percent), the data also shows that there was a great deal of collusion with company insiders, who accounted for 46 percent of breaches involving IP theft. This collusion between external agents and insiders is why the two percentages together total more than 100 percent.

"Typically, in our main report as we look at the threat actors, we’ve got a whole lot of external people causing these breaches, participating in the breaches and usually in the single digits when it comes to insiders, four to nine percent or something like that," said Jay Jacobs, managing principal, RISK Team at Verizon Enterprise Solutions. "As we get into intellectual property, it becomes very, very different looking. There are a whole lot of internal actors… so we see a lot of collusion there, we see a lot of external people soliciting or bribing internal people in order to help them."

Among the threat actions that caused or contributed to data breaches involving IP theft in the DBIR were: misuse (an insider abusing the privileges that they have, such as using their account to access data in a way that they shouldn’t); social (using social tactics to get someone else to do something on your behalf, usually without their knowledge, such as pretending to be someone you’re not, employing phishing scams or soliciting/bribing people); physical (any physical theft or tampering); hacking; malware; and error. Misuse and hacking led the way in this category at 51 percent and 47 percent respectively, followed by social (41 percent), malware (29 percent), physical (7 percent), and error (7 percent).

Jacobs said that the use of social tactics was higher in the IP theft section of the DBIR than in any other part of the report.

"An interesting thing about the threat actions, the use of stolen login credentials, that is using valid credentials by an invalid or unauthorized person, is something that appears in our larger data set and across these vertical snapshots at some layer or another," he explained. "That seems to be a pretty universal trait of these (IP) breaches where an attacker tries to get into a valid account. They try to go in as a valid user. It’s much easier to go after a credential and come in as a valid user than exploit some vulnerability. Even when a vulnerability is exploited, they’re still going to go after credentials because it’s easier to maintain sort of a long-term presence with valid credentials."

In contrast with breaches of opportunity, Jacobs said the report also found that IP thieves will stick with their intended target for a much longer period of time.
