Report says most incidents of data theft preventable

June 11, 2008
New study attributes majority of data theft to basic security flaws

Many data thieves may not be so sophisticated after all, according to a study to be released today.

At a time when the theft of personal information is a growing problem for companies and consumers, the study by a consulting unit of Verizon Communications Inc. analyzed more than 500 data breaches since 2004 and found that 87 percent could have been prevented with commonplace security practices.

The conclusion cuts against the notion that hackers are rapidly becoming more adept at overcoming firewalls and cracking encryption to access personal data. Instead, study contributor Bryan Sartin said, more than half the cases analyzed were of low difficulty. Often criminals would simply probe the hardware or software of scores of companies, searching for known flaws they hoped to exploit.

"It's the low end that's exploding," Sartin said. More attention to basic security principles, such as making sure servers are configured correctly, would go a long way toward diminishing the threat, he said.

Verizon says its study is the largest to date, reviewing security problems that accounted for 230 million compromised records. Another dramatic finding was that a growing number of breaches - 39 percent - were related to business partners in some way. Sartin said this was likely due to the rise of practices such as outsourcing call centers, giving outsiders access to company information.

Richard Smith, principal of Boston Software Forensics, which reviews code, said he was also struck by a finding in the study that in 63 percent of the cases, months went by before compromises were discovered. In 70 percent of the cases, a third party brought the breach to light. "There's a whole opportunity here for people to do more monitoring of their systems," he said.

Verizon's business unit in Basking Ridge, N.J., often is hired to analyze breaches and work with police. Of the more than 500 cases in the study, about 300 led to the involvement of prosecutors, Sartin said. But only about 60 of those led to convictions or plea bargains, Sartin said, underscoring the difficulty of solving intrusions. Indeed, a company Verizon purchased last year, Cybertrust, had audited security at TJX Cos., the Framingham retailer that last year disclosed attacks that compromised as many as 100 million payment card records - a case that remains unsolved.

Sartin wouldn't discuss whether the TJX case was among those in the study. But he said the study analyzed three of the five largest data breaches to date, and that Verizon is aware of several cases in which hundreds of millions of records were compromised, which would be even bigger than the losses at TJX. At least one of these occurred in the United States, and the targets tended to be either financial institutions or government agencies, he said.

While the study encompasses more than a quarter of publicly reported data breaches, it also includes many large breaches in which the victim organizations never reported the incidents publicly. Though laws in most states require companies to notify law enforcement of breaches, companies are growing more creative at finding ways to define problems so that they're not required to provide detail.

Sartin described an incident in which an attorney sought to hire Verizon to analyze a breach at an unnamed company, but asked that Verizon never use that term in its report and mark the report as a "draft" unless it needed to be disclosed. In other words, Sartin said, the company was hoping to sidestep the notification laws.