This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Hacktivism Accounted for Most of Data Lost in 2011 Breaches

Verizon's 2012 Data Breach Investigations Report spotlights the rise of hacktivism.

Over half of the data that companies lost in breaches in 2011 went to politically motivated hacktivists, even though most breaches were perpetrated by criminal gangs for financial gain.

It's spring, and young men's fancies turn to thoughts of data breach reports. Following the Ponemon / Symantec report highlighted earlier this week by Tom Murphy, Verizon yesterday released its annual Data Breach Investigations Report in conjunction with an alphabet soup of national and international law-enforcement agencies.

Of the 855 data-breach incidents investigated in 2011, only 3 percent fell into the hacktivism category, according to a summary of Verizon's work in PCWorld. But these politically motivated actions accounted for 57 percent of the pilfered data records -- 100 million records out of the total of 174 million.

The vast majority of the incidents, 83 percent, were pulled off by cybercriminals. In attacks for which the geographic locus could be determined -- always an iffy undertaking -- two-thirds of them originated in Eastern Europe. The majority of the hacktivism came from North America.

The dramatic rise in hacktivism was "probably the biggest and single most important change factor in this year's DBIR," according to the report. "The frequency and regularity of cases tied to activist groups that came through our doors in 2011 exceeded the number worked in all previous years combined [since 2004]," the authors noted.

The disparity between the number of hacktivist breaches and their outsized result in terms of data loss becomes clear once Verizon's data are broken down by company size. Criminals overwhelmingly targeted smaller companies, and hacktivists larger ones. The report explains that one reason the "high-volume, low-yield business model has become the standard M.O. for organized criminal groups" is that many of the early, more daring criminals are locked away now. Here's what those who remain are doing:

Instead of major (and risky) heists, [cybercriminals] pilfer smaller hauls of data from a multitude of smaller organizations that present a lower risk to the attacker. Think of it as a way to streamline business processes. Find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale.

Hacktivists target larger companies for all the obvious reasons: they can make a bigger splash, and the big enterprises are more likely to be the ones with which they have a beef. And the amount of data they steal is out of all proportion to the number of such attacks. Once inside the network, the hacktivists tend to grab all they can -- email archives, databases -- that might be embarrassing to their target. Criminal gangs, on the other hand, are in search of a tiny amount of data: a bank password sniffed by a keylogger, for example.


As in each of Verizon's earlier reports, the 2012 DBIR emphasizes how many of the problems could have been avoided by simple and cheap, or at worst intermediate, precautions (see figure).

IT workers can take some comfort from one small factoid unearthed from Verizon's compilation. Insiders were involved in only 4 percent of the data breaches, and of those, in only 6 percent of them was a system administrator implicated. Doing the numbers, two sysadmins participated in these 855 breaches. The largest proportion of insiders responsible for data theft comprised the category "cashiers/tellers/waiters."