To the casual observer it might seem from the headlines saturating our news over the past couple of years as if data breaches happen almost exclusively at retailers. There certainly has been a spate of attacks of late, which seemed to snowball after a major incident in December 2013 when hackers stole the records of 70 million Target customers. But it’s not quite the whole story.
New Trend Micro research tells us that although retail is the biggest victim of payment card breaches, there have been more incidents overall during the past decade in the healthcare, education and government sectors. We need to look closer at why this might be if we’re going to get better at stopping the bad guys.
Enter the RAM scraper
Our two new Follow the Data reports have been compiled from 10 years’ worth of information collated by the non-profit Privacy Rights Clearinghouse. It’s a treasure trove of facts and figures we can use to pick out the most important patterns and industry trends. You might be surprised to hear that only 12.5% of breaches over the period 2005-15 happened to retailers. That’s a far cry from the 26.9% that occurred in the healthcare sector, and retailers are also better off than those in the education (16.8%) and government (15.9%) verticals. Perhaps unsurprisingly given the nature of the industry, however, retail accounted for the largest share (47.8%) of payment card data breaches.
That is the long-run picture the data paints. It also shows that breach disclosures in retail more than doubled between 2008 and 2010 and have stayed high ever since. Why? Because point-of-sale (POS) RAM scrapers emerged in 2007/8. That is also why “hacking or malware” was the most common breach method over the period, accounting for 47.6% of incidents. A POS RAM scraper is planted remotely, with the attacker hidden behind the anonymising cover of the internet, and reads magnetic-stripe track data (the Track 1 and Track 2 records) straight out of the POS application’s memory, in the short window after a card is swiped and before the data is encrypted for transmission to the payment processor. With that data in hand, the attacker can clone credit or debit cards and commit card fraud, or sell the stolen “dumps” on the darknet to other fraudsters.
It’s notable that hacking and malware incidents have shown a major increase since 2005, thanks to the success of POS RAM scrapers. But that’s not the full picture. Our data also reveals that portable device loss (12.5%) and insider threats (12.5%) are also fairly popular breach methods – with the latter also displaying an upward trend over the period as employees physically install skimming machines in-store to steal card data.
If the Target breach has taught us anything, it’s that proactive spending on preventative cyber security is almost always cheaper and more effective than spending after an attack. The retailer admitted in separate regulatory filings that it spent $61 million in 2013 and a further $191 million the following year on breach-related expenses, although some of that cost was offset by insurance. That doesn’t include the potential cost of lost custom, or the hard-to-quantify but equally damaging hit to the retailer’s brand and reputation. It should serve as a cautionary tale for any CIO at a major retailer: skimp on cyber security and you could end up paying a far heftier price. In Target’s case, CIO Beth Jacob resigned roughly three months after the breach was disclosed.
POS RAM scraper malware can deliver a huge number of card details in a short space of time, so it remains a popular choice for hackers. It is not a problem the new EMV chip cards will solve either: EMV makes a cloned magstripe card much harder to use, but it does nothing to stop malware reading the card number and expiry date out of POS memory, and a swipe-fallback transaction still puts the full track data in the clear. Keeping that data out of the POS application’s reach takes encryption at the reader itself. So retail IT managers must employ best practices to improve security, including:
- Multi-tier hardware firewalls to segment the POS network from corporate systems and third-party access
- Breach detection systems to uncover targeted attacks
- Intrusion detection and prevention systems (IDPSs) to scan inbound and outbound traffic
- Two-factor authentication for staff, especially for remote and third-party access
- Point-to-point encryption (P2PE), so card data is encrypted in the reader head and never sits in POS memory in the clear
- Application whitelisting so only pre-approved programs can run on POS terminals
- Regular patching and updating of systems
- Regular vulnerability scanning
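The following is an added illustration, not code from the Trend Micro reports or from any real scraper, of two points made above: what a POS RAM scraper actually hunts for in process memory (the earlier paragraph on how scrapers work), and why point-to-point encryption defeats it (the P2PE item in the list). It scans a constructed heap image for Track 1 and Track 2 records, keeps only those whose card number passes the Luhn check, and then shows the same transaction after the reader has encrypted the track data before it ever reaches the POS application. The heap contents and the PANs (the well-known test numbers 4111111111111111 and 5555555555554444) are constructed, and the HMAC-SHA256 keystream is a standard-library stand-in for the AES/DUKPT scheme a real P2PE reader would use; both are assumptions of this example. The same pattern-plus-Luhn logic is what memory-inspection and DLP rules use to detect track data, so it serves the defender as well as it serves the attacker.

```python
import hashlib
import hmac
import re
import secrets

# Constructed memory image standing in for a slice of a POS process heap. It mixes
# unrelated application strings with one Track 1 and one Track 2 record in the clear,
# which is exactly the window a RAM scraper exploits. The PANs are the well-known
# test numbers 5555555555554444 and 4111111111111111, not real cards.
SAMPLE_HEAP = (
    b"\x00\x00txn_id=000123\x00receipt=STORE 17 LANE 3\x00"
    b"%B5555555555554444^DOE/JANE^25121010000000000?\x00"   # Track 1 record
    b";4111111111111111=25121011234567890?\x00"              # Track 2 record
    b"\x00MSR_READ_OK\x00;1234567890123456=2512101?\x00"     # Track 2 shape, fails Luhn
    b"\x00garbage\xff\xfe\x00"
)

# Magstripe layouts. Track 1: '%' + format code 'B' + PAN + '^' + cardholder name +
# '^' + YYMM expiry + 3-digit service code + discretionary data + '?'.
# Track 2: ';' + PAN + '=' + YYMM expiry + service code + discretionary data + '?'.
TRACK_PATTERNS = {
    1: re.compile(rb"%B(\d{13,19})\^[^\^?]{2,26}\^(\d{4})(\d{3})[^?]*\?"),
    2: re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?"),
}


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check. Scrapers (and DLP rules) use it to discard digit runs that
    merely look like card numbers; the decoy record in SAMPLE_HEAP fails it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list:
    """Return every Luhn-valid track record in a buffer, ordered by offset."""
    hits = []
    for track, pattern in TRACK_PATTERNS.items():
        for m in pattern.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append({"track": track, "pan": pan, "expiry": m.group(2).decode(),
                             "service_code": m.group(3).decode(), "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def reader_encrypt(track: bytes, reader_key: bytes, nonce=None) -> bytes:
    """Stand-in for encryption inside the card reader head (P2PE). A real reader uses
    AES under DUKPT-derived keys in its secure element; here an HMAC-SHA256 keystream
    in counter mode plays that role so the example runs on the standard library.
    Returns nonce || ciphertext. The key lives in the reader and never in the POS."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    out = bytearray()
    for i in range(0, len(track), 32):
        ks = hmac.new(reader_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(track[i:i + 32], ks))
    return nonce + bytes(out)


def pos_heap_with_p2pe(reader_key: bytes, nonce=None) -> bytes:
    """The same swipe when the reader encrypts before the data reaches the POS: the
    application heap holds the ciphertext blob and the receipt strings, never the
    cleartext track, so a memory scrape has nothing to find."""
    track2 = b";4111111111111111=25121011234567890?"
    return (b"\x00txn_id=000124\x00" + reader_encrypt(track2, reader_key, nonce)
            + b"\x00receipt=STORE 17 LANE 3\x00")


if __name__ == "__main__":
    for h in scrape_tracks(SAMPLE_HEAP):
        print(f"track {h['track']} at offset {h['offset']}: PAN {h['pan']} exp {h['expiry']}")
    key = secrets.token_bytes(32)  # held by the reader, never by the POS process
    print("hits with P2PE in place:", scrape_tracks(pos_heap_with_p2pe(key)))
```

Running it finds both cleartext records (and rejects the decoy on the Luhn check), then finds nothing in the heap of the P2PE-protected transaction, which is the whole argument for the P2PE item in the list above: once the track data is ciphertext before it leaves the reader, there is nothing in POS memory worth scraping, whatever card type the customer presents.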
Trend Micro’s two reports are available to read in full: Follow the Data: Dissecting Data Breaches and Debunking the Myths, and Follow the Data: Analyzing Breaches by Industry.