The results of Verizon's latest Data Breach Investigations Report have analysts puzzling over some seemingly conflicting trends.
First, the total number of reported data breaches was up more than 500%, with 760 data breaches reported by the U.S. Secret Service in 2010, up from about 140 breaches reported in 2009.
Contrary to the increase in data loss events, there were only 4 million compromised records involved in 2010, a sharp decrease from the 144 million records exposed in 2009.
This represents both a record high for events and a record low for exposed records over the seven years Verizon has been tracking the data.
Alex Hutton, principal for research and intelligence at Verizon, concludes that the conflicting trends reveal a great deal about the shifting nature of criminal hacking operations, their preferred targets, and the lower-profile tactics used in harvesting data.
"There has been a shift in the threat landscape, and organized crime is targeting medium to small-sized businesses in the US. What we're seeing is the bad guys exploiting people who haven't taken basic security considerations into account in their small business. An attacker is running an automated attack, basically looking for people who have let their guards down. They are introducing malware into the environment, and if it's credit cards they are after they'll just scoop up a handful at a time," Hutton told CNet.
The shift towards smaller targets with highly automated attacks may yield smaller returns in the number of compromised records, but avoiding detection with stealthier tactics ultimately allows for higher profits for the hackers.
"First, they probably want to evade detection. Stealing lots of credit cards attracts unwanted attention. Also the resale value of credit cards is low on the black market, so criminals could just be trying to make a quick buck before the data becomes worthless," Hutton continued.
Given the contradictory nature of the study results, some security experts question whether the research is representative of the state of data loss overall.
"The credit card hacking world, which is the majority of Verizon's customers, is becoming less of an accurate sample of the data breach world at large," Chris Wysopal of Veracode, who was briefed on the findings prior to the report's release, told ThreatPost.
"I only see slight improvement in the state of breaches in general. The mega breaches seem to be down but there are still some fairly large recent ones such as State of Texas at 3.5M and Hyundai Capital at 420K in April. And let's not forget the mega email breaches of the last few months, including 4.9 email addresses, names, and VINs at Honda," Wysopal continued.
There is also something to be said for the lack of mandatory reporting of data loss events. Many companies avoid disclosure of details related to compromised systems and data to avoid entanglements with federal regulators, bad press, and anxious investors.
Whether or not the Verizon study is an accurate representation of data loss events across all industries, it does show that of the companies that do appear in the report, mitigation of data loss events has improved significantly.
And even if the decline in the total number of compromised records is due to criminal hackers pursuing smaller data hauls, that fact can most likely be attributed to improved security measures that have forced them to be less brazen.
Any way you choose to look at the Verizon study results, the news is encouraging.