Point-of-sale attacks accounted for a third of data breaches in 2013, report says
A third of data breaches investigated by security firm Trustwave last year involved compromises of point-of-sale (PoS) systems and over half of all intrusions targeted payment card data.
Even though PoS systems remained a significant target for attackers, as suggested by several high-profile data breaches disclosed by large retailers over the past six months, the largest number of data theft incidents last year actually involved e-commerce sites, Trustwave said Wednesday in a report that compiled data from 691 data breach investigations conducted by the company around the world.
E-commerce intrusions accounted for 54 percent of investigated data breaches and PoS system intrusions accounted for 33 percent, Trustwave said. A separate report published by Verizon in April also pointed to Web application and PoS attacks as leading causes of security incidents with confirmed data disclosure last year.
According to Trustwave, over half of intrusions targeted payment-card data, with such data being stolen from e-commerce transactions in 36 percent of incidents and from PoS transactions in 19 percent of attacks.
In Western Europe in particular, where countries have rolled out EMV—chip-and-PIN payment card transactions—cybercriminals shifted their focus from PoS devices to e-commerce platforms, said John Yeo, EMEA Director at Trustwave. “EMV has changed the pattern of compromises when it comes to payment-card-specific data.”
However, a significant increase in the theft of sensitive, non-payment-card data, was also observed last year. This data includes financial credentials, personally identifiable information, merchant ID numbers and internal company communications, and was stolen in 45 percent of incidents, Trustwave said in the report.
Customer records containing personally identifiable information can possibly be used to perpetrate identity fraud and are sought after on the black market, so that’s why there’s been an uptick in attacks focusing on such data, Yeo said.
Only about a third of victim companies were able to self-detect data breaches, Trustwave found. In 58 percent of cases, breaches were identified by regulatory bodies, the credit card companies or merchant banks.
Organizations that self-detect are actually able to contain a breach much faster than organizations that are notified by third parties, Yeo said. “The median amount of time to contain a breach for organizations that self-detected the compromise was a single day, whereas for organizations notified by third-parties the median amount of time for containment was 14 days.”
Obviously, the longer a breach goes on, from the point of intrusion to the point of containment, the greater number of records are potentially exposed and the greater the breach cost, Yeo said.
One encouraging finding is that upon discovering a breach, internally or with external help, 67 percent of victims were able to contain it within 10 days. However, the average time it took companies to actually detect an intrusion from the time when it occurred was 87 days.
Weak passwords remained the leading cause of compromises and accounted for 31 percent of incidents. This includes passwords used for VPN (virtual private network), SSH (Secure Shell) and remote desktop connections, as well as those used for application administration.
Outdated and vulnerable off-the-shelf software accounted for 10 percent of intrusions, but Web application vulnerabilities like SQL injection, directory traversal, remote file inclusion and file upload flaws, were also important factors.
The Trustwave report also contains statistics about the results of application vulnerability assessments performed by the company, which were separate from the data breach investigations.
Ninety-six percent of all applications that Trustwave scanned contained at least one serious security vulnerability, Yeo said. Large organizations will have hundreds of Web applications in their environments and it’s important that those are ranked from a criticality perspective and that the most critical ones undergo regular security testing, he said.