Motivated criminals hunt government data

Verizon's annual data breach report finds that hackers targeting government agencies aren't easily deterred.

Slice and dice the data six ways from Sunday, and one fact remains intact: In 2009, 94 percent of all compromised records were attributable to financial services, according to Verizon's 2010 Data Breach Investigations Report.

Of the 100 new investigations the Verizon Risk Team handled in 2009, “probably six or so, about 4 percent,” were for government agencies, said Wade Baker, director of risk intelligence at Verizon Business and lead author of the report. That percentage doesn’t vary much from year to year.



The team looked at more than 900 breaches involving more than 900 million compromised records over a six-year period and included data from the U.S. Secret Service, which investigates financial crimes.

In some ways, government looks a lot like the financial and tech services sectors in the data breach report, Baker said. Whether it’s organized crime looking for credit card data or cyber terrorists trying to access government and defense data, “the common denominator is that of having a more motivated criminal,” he said.

“A lot of what we see in retail and hospitality, like restaurants and hotels, is a criminal that wants an easy score,” he added. “They try something, and if they don’t get in, they just move on.”

But in financial and tech services, being a more motivated criminal means being more dedicated to the attack. “They might try one technique, and if that doesn’t work, they’ll try two or three more until they do get in,” Baker said. Such attacks also might go beyond hacking and malware to involve social engineering, insider abuse and even physical attacks.

“In other ways — and I found this kind of surprising — government resembles retail and the food and beverage industry, especially in the response category,” he said.

Government agencies are “pretty slow in discovering and responding to breaches,” Baker said. “I don’t know why.”

Federal and state government agencies are on the low side of average because, like the retail and hospitality sectors, their IT departments take a long time to discover a breach.

Financial and tech services are on the high side of that average, Baker said.
