Most thefts of sensitive information from corporations occur when the victimized companies don't know what data they have, where they have it or who has access to it, according to a study released Wednesday by Verizon Communications Inc.
In about two-thirds of the 500 data thefts investigated by Verizon's security unit over the last several years, the targets didn't know what information they were storing or where exactly they were storing it.
Brian Sartin, a Verizon executive who worked on the study, said it was typical for a company to encrypt the customer information stored on its central mainframe computer without realizing that the underlying data was available at dozens of other places.
That's a big reason that most of the successful attacks didn't require much in the way of special skills, Sartin said. Another is that hackers go where they will have the least difficulty. Commonly, they scan for corporate machines that have known vulnerabilities and are likely to hold credit card numbers or identifying information about individuals. The study found those were the two most common payoffs.
Company insiders participated in only 18% of the breaches, although those cases tended to involve much bigger caches of information.
Outside partners of the victimized companies were the source of the improper access 39% of the time, usually unwittingly. That proportion of the total has risen dramatically in the last four years.
"Instead of targeting companies by name, criminal gangs are targeting individuals inside call centers, because they have access to hundreds or thousands of companies," Sartin said.
In one telling example, a major oil company that Sartin declined to name began getting complaints about fraudulent charges racked up on the cards of people who used the company's gas stations.
Verizon found that the only regular access to the point-of-sale systems there came from the company who sold them.
The password was simply the company's name, and employees could gain access from any computer on the Internet. Eventually, investigators caught a 21-year-old worker at the vendor's call center.
Most attacks in the survey could have been thwarted by the companies' own security policies being implemented correctly, Sartin said.
The study included three of the five largest breaches reported from 2004 to 2007 and about a quarter of all disclosed breaches.