The number of data breaches increased 53.6% in 2013 from 2012, and 54.0% of those breaches were targeted at e-commerce web sites, a new report from security firm Trustwave finds. The firm analyzed 691 breach investigations across 24 countries.
Payment card data made up 55.0% of the data stolen last year, but non-payment card data—financial credentials, internal communications and personally identifiable information—was stolen 33.0% more often in 2013 than in 2012 and accounted for the remaining 45.0% of breaches. Criminals stole financial account credentials 22.0% more often than in 2012.
Breaches at the point of sale, where customers enter payment information at physical stores, accounted for 33.0% of data breach investigations. 54.0% of the breaches happened on e-commerce web sites, and 10.0% happened at data centers. The remaining 3.0% happened through other channels. “In addition to brick-and-mortar locations, databases involved in e-commerce payments continue to be common targets of attack,” the report says. “As has been the case for more than 15 years, poor coding and data storage practices have left sites vulnerable to SQL injection, whereby criminal hackers gain access to cardholder data stored in databases.” In a SQL injection attack, the attacker supplies input that the web application pastes directly into a database query, so the input is executed as part of the query rather than treated as data; a crafted value can then alter the query to return, or dump, the contents of the database.
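The coding flaw the report describes, as an added example that is not part of the Trustwave report or this article: a lookup that concatenates user input into the query text, beside the same lookup written with a bound parameter. The table, the two sample rows and the payload strings are constructed for the example; SQLite's in-memory database stands in for the e-commerce back end so it runs offline.

```python
"""Added example: SQL injection via string concatenation, and the parameterized fix.

The 'cards' table and its rows are constructed sample data, not data from any
real breach. Python's built-in sqlite3 module is used so the example runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed cardholder table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, pan TEXT)"
    )
    # Constructed sample rows; the PANs are well-known test numbers, not real cards.
    conn.executemany(
        "INSERT INTO cards (customer, pan) VALUES (?, ?)",
        [("alice", "4111111111111111"), ("bob", "5555555555554444")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """Vulnerable: the caller's string becomes part of the SQL statement itself.

    Anything the attacker types, including quotes, OR clauses and UNION SELECTs,
    is parsed by the database as SQL.
    """
    sql = "SELECT customer, pan FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    """Fixed: the statement is fixed text and the value is bound separately.

    The database driver sends the customer string as data, so a quote or a
    UNION inside it can never change the shape of the query.
    """
    sql = "SELECT customer, pan FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Constructed attacker inputs.
# Tautology: closes the string literal and appends an always-true condition,
# turning a single-customer lookup into a dump of every row.
TAUTOLOGY_PAYLOAD = "nobody' OR '1'='1"

# UNION: appends a second SELECT against SQLite's schema catalogue so the
# attacker learns table names and column layouts; '--' comments out the
# trailing quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master--"


def demo() -> dict:
    """Run both lookups against both payloads and return the row counts."""
    conn = make_db()
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),          # 1
        "vuln_tautology": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),  # 2: all rows
        "vuln_union": len(lookup_vulnerable(conn, UNION_PAYLOAD)),    # 1: schema row
        "fixed_tautology": len(lookup_parameterized(conn, TAUTOLOGY_PAYLOAD)),  # 0
        "fixed_union": len(lookup_parameterized(conn, UNION_PAYLOAD)),          # 0
    }


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology :", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union     :", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized, either :", lookup_parameterized(conn, TAUTOLOGY_PAYLOAD))
```

Escaping or filtering quotes in `lookup_vulnerable` is not an adequate fix; the parameterized form works because the query text and the data travel to the database separately, which is what the "poor coding practices" line in the report is pointing at.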
The top three locations for the source of attacks were the United States (19.0%), China (18.0%) and Nigeria (16.0%). The top three locations for the target of attacks were the United States (59.0%), the United Kingdom (14.0%) and Australia (11.0%). Retail was the industry that came under attack most often, accounting for 35.0% of the breaches in 2013. That represents a decrease of 10 percentage points from 2012, when retail made up 45.0% of breaches.
Weak passwords were the initial intrusion method in 31.0% of the investigated breaches, with “123456” the most commonly used password. Nearly 25.0% of the usernames investigated used the same password across multiple sites. The remaining breaches were attributed to unknown causes (25.0%), file upload flaws (12.0%), vulnerable software (10.0%), SQL injection (8.0%), phishing (6.0%), authorization flaws (4.0%) and remote file flaws (4.0%).
When it came to discovering a breach, only 29.0% of victims discovered the breach internally. 58.0% of breaches were discovered by card brands or merchant banks, 7.0% by another third party, 3.0% by law enforcement and 3.0% by the public. Internal discovery also limited the damage: on average, organizations that discovered a breach themselves took only one day to contain it, while containment took an average of 14 days when the breach was detected externally.