The 2010 Verizon Data Breach Investigations Report found that electronic records breaches last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized crime groups. The study noted, however, that the overall number of breaches investigated in 2009 declined from the previous year's total.
Retail remains among the "Big Three" of industries affected by data breaches, accounting for 15% of the total. The other two most affected industries are financial services (33%) and hospitality (23%).
The addition of data from the Secret Service, which investigates financial crimes, allowed the report to examine data breaches that occurred over the last six years. The report covers more than 900 breaches involving more than 900 million compromised records.
Key findings include:
--Most investigated data breaches (69%) were caused by external sources, while only 11% were linked to business partners.
--Nearly half (49%) were caused by insiders, an increase over previous report findings that the report attributes in part to the addition of the Secret Service information.
--48% of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information. An additional 40% were the result of hacking, while 28% were due to social tactics and 14% to physical attacks.
--As in previous years, nearly all data was breached from servers and online applications, and 85% of the breaches were not considered highly difficult.
--Meeting PCI-DSS compliance is still critically important: 79% of the victims who were subject to the PCI-DSS standard had not yet achieved compliance prior to the breach they experienced.
The overall decline in the number of data breaches may be due to a number of factors, including law enforcement's effectiveness in capturing criminals, according to the report. The report found no correlation between an organization's size and its chances of suffering a data breach. "Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size," Verizon researchers said.