Anonymous members

Hacktivism groups such as Anonymous caused over half of all the known data thefts committed last year, according to a new report.

Verizon’s 2012 Data Breach Investigations Report claims that groups such as Anonymous and LulzSec, who carry out attacks to bring attention and embarrassment to their targets, caused more data breaches than traditional cybercriminals, who targeted organisations for money and IP.

The report examined 174 million stolen records across 855 different data breaches. It is the second highest number of breaches Verizon has seen since it started the report in 2004.

Over half (58%) of the data records stolen were attributed to hacktivism, which Verizon called a "sharp contrast" to previous years where financial gain was the primary driver.

Hacking and malware were the two primary attack methods – hacking was a factor in 81% of breaches and 99% of data lost, Verizon says. The use of hacking and malware has risen sharply in the last year, according to the report.

Despite many headlines about the dangers of socially-engineered attacks, Verizon said "social tactics" were used in just 7% of breaches, down 4% on last year.

One of the more interesting discoveries of the survey is just how poor defences are at many companies, and how bad those companies are at detecting attacks.

The report says that many attacks were launched because of opportunity rather than choice, meaning that a vulnerability was discovered in a company’s defences, leading to them being targeted.

In fact, 96% of attacks were not "highly difficult" and 94% of all data compromised involved servers being accessed. Server vulnerabilities rose 18% in the year, the report said. The vast majority (85%) of breaches took "weeks" (rather than months) to discover and 92% were discovered by a third party rather than the victim itself.

Most worryingly, nearly all (97%) breaches were avoidable without difficult or expensive countermeasures, the report said.

"This re-imagined and re-invigorated spectre of 'hacktivism' rose to haunt organisations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined," the report stated.

"Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behaviour," it added.

Anonymous and LulzSec caused havoc across the globe throughout 2010, 2011 and 2012, targeting a wide variety of organisations, ranging from Scientology to MasterCard and government organisations.

The groups target organisations that they claim suppress freedom of speech online, while they say their aim is to protect civil rights online.

However, in March this year it was revealed that the infamous hacker Sabu, leader of LulzSec, was in fact an FBI informant and had been working with authorities since the summer of 2011. Information he provided led to the arrest of a number of Anonymous and LulzSec members recently.
