Report: Hacktivists Top Data Thieves

Activists motivated by a cause or just having fun were responsible for 58 percent of the data records snatched in 2011 from companies, government agencies and nonprofits, according to the carrier's latest Data Breach Investigations Report released Thursday. While accounting for only 2 percent of the 850 breaches considered by Verizon, hacktivists stole roughly 100 million data records. The report did not mention Anonymous by name, but most of the attackers are believed to be members or supporters of the hacker collective. High-profile break-ins last year occurred at PBS, Fox, Sony and HBGary Federal.

The targeting of data marked a big shift in hacktivist tactics, Verizon said. Before last year, activist mischief consisted of Web site defacements and denial of service attacks. In stealing data, hacktivists have found a more effective way to embarrass those organizations they find distasteful.

[Related: The 10 Biggest Security Stories Of 2011 ]

Many organizations found the possibility of public humiliation more troubling than other threats, Verizon said. "Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information," the report said. "Enemies are even scarier when you can’t predict their behavior."

While hacktivists were most effective at stealing data, organized crime remained the largest group of thieves with Verizon blaming them for 83 percent of breaches and 35 percent of the 174 million stolen records containing corporate and personal information. Mainstream cybercriminals preferred automated assaults and favored high-volume, low-risk attacks against weaker targets.

Criminals found no shortage of conquerable targets. Verizon found that nearly all the attacks in the report were fairly easy and nearly 80 percent of the victims were targeted because of vulnerabilities within their systems. More than 90 percent of the flaws were discovered by people outside of the organizations.

Contributing to the weak security was the fact that almost all the breaches could have been avoided with simple or intermediate controls. For example, 96 percent of the victims subject to PCI data security standards for accepting credit card transactions were not in compliance. The bulk of breaches involving payment cards involved smaller organizations.

Given the weak security, it's no surprise that Verizon found more than 80 percent of the breaches involved some form of hacking. Nearly 70 percent incorporated malware and 10 percent or less involved physical attacks, social tactics or privilege misuse.

Attacks targeting intellectual property, such as trade secrets and classified information, were far less frequent than breaches going after personal information, which comprised 95 percent of the records stolen last year. The remainder included credit card numbers, authentication credentials, bank account numbers and corporate information.

Contributors to this year's report included the U.S. Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, The Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police.