It’s a fact that seems obvious at first, but jarring when put into context: cybercrime is a lucrative business that continues to grow at a remarkable rate, according to the authors of a sweeping overview of major security incidents over the past year.
Eighty-six percent of the data breaches in 2019 were motivated by money, according to Verizon’s annual Data Breach Investigation Report, which was released Tuesday. While the techniques have shifted, the figure is a significant uptick from the 71% of breaches that were financially motivated in 2018.
“Attackers are going to look anywhere they can to generate revenue,” said Gabriel Bassett, senior information security data scientist at Verizon, adding that scammers are going about this tactic by re-using stolen usernames and passwords, and experimenting with email scams.
Verizon’s DBIR has emerged as a reliable benchmark in assessing corporate cybersecurity threats and defenses. This year’s iteration analyzed roughly 157,000 security incidents which affected Verizon clients operating in 16 different industries.
Personal data theft was the most common type of incident that Verizon observed. Some 37% of breaches involved credentials, while 22% of incidents involving phishing. Stolen usernames and passwords, which grant attackers access to restricted systems, were used more than malware.
By breaking into corporate accounts with usernames and credentials, hackers can avoid tripping antivirus programs which are likely to thwart attacks, Bassett said.
“The human is front and center as the cause of the majority of these breaches,” he said. “Personal data was taken in 58% of breaches…I think people have lost sight of the value of their email.”
Other trends observed through the 67-page report:
- The number of errors, including cloud misconfigurations and data misdelivery, continued to steadily increase over 2019, exceeding the number of malware attacks. “We started seeing misconfigurations last year, and they started picking up a lot this year,” Bassett said. “Often, it’s not clear exactly what happened.” Most security errors were discovered by security researchers, followed by unrelated third-parties, and then customers, who came across less than 20% of the incidents.
- Organized criminal groups are suspected in nearly 60% of the incidents included in this year’s report, compared to state-affiliated hackers, which are behind roughly 10% of the reported breaches. That finding coincides with a decline in cyber-espionage attacks to 3.2% from 13.5% in 2018, as nation-states increasingly rely on more tailored strategies to monitor their targets.
- The state of patching isn’t so bad. Despite some high-profile examples, hackers typically do not rely on unpatched vulnerabilities to carry out a high number of breaches, Verizon’s Bassett observed. Meanwhile, it seems, most companies are patching most of their key vulnerabilities before attackers find their way in. “The reality is that the patching we’re doing is a relatively effective way to slow attackers,” Bassett said. “That’s not to say it’s perfect, but there’s no reason to panic.”