Data Breach Leader: E-commerce Sites

Wednesday, May 28, 2014 @ 11:05 AM gHale

Point-of-sale (PoS) systems comprised 33 percent of data breaches and over half of all intrusions targeted payment card data, a new report said.

Even though PoS systems were a big target for attackers, shown by data breaches disclosed by large retailers over the past six months, the largest number of data theft incidents last year actually involved e-commerce sites, Trustwave said last Wednesday in its 2014 Global Security Report that compiled data from 691 data breach investigations conducted by the company around the world.

Malware Attack Approach: Deceptive Tactics
Top Q1 Mobile Threat Target: Android
Firms Watch Data Walk Out the Door
Security and Safety: Perfect Together

E-commerce intrusions accounted for 54 percent of investigated data breaches and PoS system intrusions accounted for 33 percent, Trustwave said.

Relating to the Trustwave results, the Verizon data breach report also said Web application and PoS attacks are leading causes of security incidents.

According to Trustwave, over half of intrusions targeted payment-card data, with such data stolen from e-commerce transactions in 36 percent of incidents and from PoS transactions in 19 percent of attacks.

In Western Europe in particular, where countries have rolled out EMV — chip-and-PIN payment card transactions — cybercriminals shifted their focus from PoS devices to e-commerce platforms, said John Yeo, EMEA Director at Trustwave. “EMV has changed the pattern of compromises when it comes to payment-card-specific data.”

However, a significant increase in the theft of sensitive, non-payment-card data, also occurred last year. This data includes financial credentials, personally identifiable information, merchant ID numbers and internal company communications, and ended up stolen in 45 percent of incidents, Trustwave said in the report.

Customer records containing personally identifiable information can see use to perpetrate identity fraud. That is why there has been an increase in attacks focusing on such data, Yeo said.

Only about a third of victim companies were able to self-detect data breaches, Trustwave found. In 58 percent of cases, breaches ended up identified by regulatory bodies, the credit card companies or merchant banks.

Organizations that self-detect are actually able to contain a breach much faster than organizations notified by third parties, Yeo said. “The median amount of time to contain a breach for organizations that self-detected the compromise was a single day, whereas for organizations notified by third-parties the median amount of time for containment was 14 days.”

Obviously, the longer a breach goes on, from the point of intrusion to the point of containment, the greater number of records potentially exposed and the greater the breach cost, Yeo said.

Upon discovering a breach, internally or with external help, 67 percent of victims were able to contain it within 10 days. However, the average time it took companies to actually detect an intrusion from the time when it occurred was 87 days.

Weak passwords remained the leading cause of compromises and accounted for 31 percent of incidents. This includes passwords used for VPN (virtual private network), SSH (Secure Shell) and remote desktop connections, as well as those used for application administration.

Outdated and vulnerable off-the-shelf software accounted for 10 percent of intrusions, but Web application vulnerabilities like SQL injection, directory traversal, remote file inclusion and file upload flaws, were also important factors.

Ninety-six percent of all applications that Trustwave scanned contained at least one serious security vulnerability, Yeo said. Large organizations will have hundreds of Web applications in their environments and it’s important that those are ranked from a criticality perspective and that the most critical ones undergo regular security testing, he said.

Click here to register for the report.

Leave a Reply

You must be logged in to post a comment.