Ransomware, HR Departments Big Issues in New Verizon Breach Study

The report notes 598 incidents and 146 breaches in the financial industry.

HR databases are a popular data breach target for hackers.

Ransomware is still criminals’ malware of choice, human resource departments have become bigger targets for data breaches, and the financial services sector has its own set of vulnerabilities on top of all that, according to Verizon’s 2018 Data Breach Investigations Report released this week.

The 68-page study reported that 39% of malware-related data breaches involved ransomware — a rate twice that of last year’s report — and accounted for more than 700 incidents. Criminals also showed more interest in entering what Verizon called “business critical” systems by encrypting file servers and databases so they can demand bigger ransoms.

Criminals going after employees

HR departments are especially attractive targets to criminals trying to steal employee wage and tax data, according to the Verizon report.

“The incidents targeting human resources staff do have a confidentiality loss associated with them. The data most often coveted in these incidents is the W-2 information of employees — loaded with salary and other personal information that can be used to file fraudulent tax returns on their behalf and directly deposit any refunds to the attackers’ account,” it reported.

Often, the breach happens via “pretexting,” which is the creation of a false narrative to get information or influence behavior. Common methods include hacking or spoofing the email addresses of CEOs or other company executives and then sending emails to their HR or finance employees demanding they wire money or pay phony invoices.

The tactic often causes six-figure losses, Verizon noted.

“We have seen financial pretexting rise from 61 incidents in the 2017 [Data Breach Investigations Report] to 170 this year. While the pretexts associated with fraudulent transactions have increased from last year, the big jump stems from an 83 incident increase in attacks targeting HR staff,” it noted.
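The pretexting pattern described above (an executive’s name on a spoofed or look-alike address, a Reply-To that drags the conversation off-domain, and a request for W-2s or a wire) can be screened for at the mail gateway. The following is an added example written for this article, not code from Verizon or the DBIR; the company domain, executive list, keyword list and the two sample messages are all constructed for illustration.

```python
"""
Heuristic screening for executive-impersonation ("pretexting") e-mail.
Added example; not part of the Verizon report.  COMPANY_DOMAIN, EXECUTIVES,
REQUEST_KEYWORDS and the sample messages below are hypothetical.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed company context (hypothetical).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address
REQUEST_KEYWORDS = ("w-2", "w2", "wire", "invoice", "payroll", "urgent")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like executive impersonation.
    An empty list means no indicator fired, which is not proof the mail is clean."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. Display name of a known executive, but the address is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"display-name spoof: '{from_name}' <{from_addr}>")

    # 2. Look-alike sender domain (one or two character edits away from ours).
    if from_domain and from_domain != COMPANY_DOMAIN and \
            _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike domain: {from_domain}")

    # 3. Reply-To pointing somewhere other than the From domain, so the reply
    #    (and the W-2 file) goes to the attacker even when From looks right.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {from_domain} -> {reply_domain}")

    # 4. Subject or body asks for the kind of thing these campaigns want.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    hits = [k for k in REQUEST_KEYWORDS if k in text]
    if hits:
        findings.append("payment/W-2 request language: " + ", ".join(hits))

    return findings


# Constructed sample: attacker impersonating the CEO from a look-alike domain,
# with a Reply-To on an unrelated domain, asking HR for every employee's W-2.
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@webmail.example>
To: hr@example.com
Subject: Urgent: W-2 copies needed today

I'm travelling and need PDF copies of all employee W-2 forms for a review.
Please send them as soon as possible.
"""

# Constructed sample: a routine internal mail that should not fire.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Offsite agenda

Attached is the draft agenda for next month's offsite.
"""

if __name__ == "__main__":
    for finding in screen_message(SPOOFED):
        print(finding)
    print("legitimate mail findings:", screen_message(LEGITIMATE))
```

The four checks are deliberately independent, because a real campaign rarely trips all of them: a compromised (rather than spoofed) executive mailbox passes checks 1 and 2 and is caught only by the Reply-To or request-language heuristics, which is why a process control (out-of-band confirmation of any W-2 or wire request) still has to back up the filter.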

Industry statistics

The report noted 598 incidents and 146 breaches in the financial industry. That compares to 338 breaches in the accommodation industry, 101 in education, 536 in healthcare, 20 in real estate, 10 in construction and 33 in entertainment, for example.

Skimmers are still a big problem in the industry, the report added, and a rise in ATM “jackpotting,” in which criminals use hardware or software to make ATMs dispense large amounts of cash, is a growing concern. Distributed denial of service (DDoS) attacks were still one of the sector’s biggest problems, however.

“Even though these current incidents are not as high profile as the attacks of yesteryear, they are not extinct. So, while you are strengthening authentication into your applications, ensure that you have controls and response plans in place for availability attacks as well,” the report warned.

There was one piece of good news in the report, however: 78% of people didn’t click on a single phishing email all year.

Nonetheless, phishing is still the most common method of social attack, Verizon noted.

“Unfortunately, on average 4% of people in any given phishing campaign will click it, and the vampire only needs one person to let them in,” it said.

Other notable findings in the Verizon report include: