Point-of-sale attacks accounted for a third of data breaches in 2013, report says

However, a significant rise in attacks targeting sensitive data not related to payment cards was also observed, Trustwave says

A third of data breaches investigated by security firm Trustwave last year involved compromises of point-of-sale (PoS) systems and over half of all intrusions targeted payment card data.

Even though PoS systems remained a significant target for attackers, as suggested by several high-profile data breaches disclosed by large retailers over the past six months, the largest number of data theft incidents last year actually involved e-commerce sites, Trustwave said Wednesday in a report that compiled data from 691 data breach investigations conducted by the company around the world.

E-commerce intrusions accounted for 54 percent of investigated data breaches and PoS system intrusions accounted for 33 percent, Trustwave said. A separate report published by Verizon in April also pointed to Web application and PoS attacks as leading causes of security incidents with confirmed data disclosure last year.

According to Trustwave, over half of intrusions targeted payment-card data, with such data being stolen from e-commerce transactions in 36 percent of incidents and from PoS transactions in 19 percent of attacks.

In Western Europe in particular, where countries have rolled out EMV -- chip-and-PIN payment card transactions -- cybercriminals shifted their focus from PoS devices to e-commerce platforms, said John Yeo, EMEA Director at Trustwave. "EMV has changed the pattern of compromises when it comes to payment-card-specific data."

However, a significant increase in the theft of sensitive, non-payment-card data, was also observed last year. This data includes financial credentials, personally identifiable information, merchant ID numbers and internal company communications, and was stolen in 45 percent of incidents, Trustwave said in the report.

Customer records containing personally identifiable information can possibly be used to perpetrate identity fraud and are sought after on the black market, so that's why there's been an uptick in attacks focusing on such data, Yeo said.

Only about a third of victim companies were able to self-detect data breaches, Trustwave found. In 58 percent of cases, breaches were identified by regulatory bodies, the credit card companies or merchant banks.

Organizations that self-detect are actually able to contain a breach much faster than organizations that are notified by third parties, Yeo said. "The median amount of time to contain a breach for organizations that self-detected the compromise was a single day, whereas for organizations notified by third-parties the median amount of time for containment was 14 days."

Obviously, the longer a breach goes on, from the point of intrusion to the point of containment, the greater number of records are potentially exposed and the greater the breach cost, Yeo said.

One encouraging finding is that upon discovering a breach, internally or with external help, 67 percent of victims were able to contain it within 10 days. However, the average time it took companies to actually detect an intrusion from the time when it occurred was 87 days.

Weak passwords remained the leading cause of compromises and accounted for 31 percent of incidents. This includes passwords used for VPN (virtual private network), SSH (Secure Shell) and remote desktop connections, as well as those used for application administration.

Outdated and vulnerable off-the-shelf software accounted for 10 percent of intrusions, but Web application vulnerabilities like SQL injection, directory traversal, remote file inclusion and file upload flaws, were also important factors.

The Trustwave report also contains statistics about the results of application vulnerability assessments performed by the company, which were separate from the data breach investigations.

Ninety-six percent of all applications that Trustwave scanned contained at least one serious security vulnerability, Yeo said. Large organizations will have hundreds of Web applications in their environments and it's important that those are ranked from a criticality perspective and that the most critical ones undergo regular security testing, he said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags intrusiontrustwavesecurityverizondata breachIdentity fraud / theftdata protectionfraud

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?