
The study was featured in the Los Angeles Times.
In about two-thirds of the 500 data thefts investigated by Verizon's security unit over the past several years, the targets did not know what information they were storing or where exactly they were storing it.
Brian Sartin, co-author of the study, said it was typical for a company to carefully encrypt the customer information stored on its central mainframe computer - without realising the underlying data was available at dozens of other places.
That is a big reason most of the successful attacks do not require special skills, Sartin said. Another is that hackers go where they will have the least difficulty. Commonly, they scan for corporate machines that have known vulnerabilities and are likely to hold credit-card numbers or identifying information about individuals. The study found those were the two most common pay-offs.
Company insiders participated in only 18 per cent of the breaches, although those cases tended to involve much bigger caches of information.
Outside partners of the victimised companies were the source of the improper access 39 per cent of the time, usually unwittingly. That proportion of the total has risen dramatically in the past four years.
"Instead of targeting companies by name, criminal gangs are targeting individuals inside call centres, because they have access to hundreds or thousands of companies," Sartin said.
In one telling example, a major oil company Sartin declined to name began getting complaints about fraudulent charges racked up on the cards of people who used the company's petrol stations. Verizon found the only regular access to the point-of-sale systems there came from the company that sold those systems.
The password was simply the name of that company, and employees could gain access from any computer on the Internet. Eventually, investigators caught a 21-year-old worker at the vendor's call centre.
Most attacks in the survey could have been thwarted if the companies had implemented their own security policies correctly, Sartin said. The study included three of the five largest breaches reported from 2004 to last year and about a quarter of all disclosed breaches.