Information provided by Verizon’s Data Breach Investigations Reports, abbreviated DBIR, has shown that nearly one quarter of all data breaches involved retailers and restaurants, the most heavily affected business sector after financial institutions.
The DBIR is a yearly analysis of the world’s security trends that relies upon the cooperation of numerous organizations. This is the program’s sixth year, and nearly 20 organizations, such as incident-reporting agencies, law enforcement bodies, research institutes and private security companies, have provided their collected data on such breaches.
The analysis showed that, in 2012, there were more than 620 confirmed breaches with an estimated 47,000 security incidents. Of these breaches, over 150 were from the food service and retail industries.
Paul Black, who manages Principal Investigative Response for the Asia region, says, “Organized crime is attracted to the food service, retail and finance sectors because all of them use credit card terminals.”
Mr. Black pointed out that many of these terminals are found in public locations and sit on a public network. Someone could install software, either remotely or by gaining physical access, designed to harvest credit card data as it passes through the terminal.
The analysis also found a relationship between motives, the industry and the tactics used to obtain credit card data. Naturally, money was the motivator for most of the physical intrusions, which involved skimmers placed in POS devices, gas pumps and ATMs. Mr. Black went on to state that most organized crime is motivated by money and that the tactics used are often not very advanced, but the attacks are usually focused and carefully measured.
He also said that protecting against such attacks will require more than addressing technological issues. A long-term solution involving user education and process re-engineering is needed. Furthermore, PCI security compliance is a good way for retailers to protect themselves from physical data breaches. However, Mr. Black added that organizations must also keep their compliance up to date as technology evolves.
“People who are PCI compliant are typically safe,” he said. “However, the way the system is attacked is dependent on the various motivations for doing so. You can’t just mark a box. It needs to be a constant process.”