Hacktivist groups accounted for just 3% of data breaches in 2011 but 58% of the records stolen, according to a study by US telco and IT services provider Verizon.
Verizon analysed 855 data breaches that took place during the year, 90 of which affected Verizon customers. The rest of the data was collected through law enforcement agencies including the Metropolitan Police force’s e-crime unit and the United States Secret Service. Verizon says these 765 incidents were the entire data breach case load of the agencies involved.
Hacktivist groups, the best known of which is Anonymous, accounted for just 3% (26) of those breaches. However, of the 174 million records that were compromised during the breaches, 58% were stolen in hacktivist attacks.
Verizon did not disclose whether last year’s attacks on consumer electronics company Sony, for which Anonymous claimed responsibility, were included in the report, although it did say that the majority of the breaches publicised in the media in 2011 were included in the data set.
Those breaches affected a total of over 100 million customers. If the Sony attacks were included in the report, they may be solely responsible for the trend that Verizon has identified.
In 2010, only 4 million records were confirmed as stolen, Verizon said. This does not mean the situation is necessarily getting worse – in 2008, the figure was 360 million. Only 4% of the attacks analysed in this year’s report were categorised as "highly difficult" to perpetrate.
Earlier this week, a report from security software vendor Symantec found that the average cost of a data breach to organisations in the UK fell from £1.9 million in 2010 to £1.75 million in 2011.
The figures were calculated by taking both direct costs, such as clean-up, consultancy fees and fines, and indirect costs, such as reputational damage and lost business, into account.
The study also found that employee negligence was the primary cause of data breaches in Britain, with negligence accounting for 36% of breaches in 2011.
Symantec’s Mike Jones said that companies at risk of data breaches are "becoming wise" to their financial impact. "These businesses are implementing steps not just to prevent loss but to mitigate the damage, should a breach occur," he said.
"It’s not just direct costs – such as fines from The Information Commissioner’s Office (ICO) – that need to be considered, although these help to drive the business case for preventative measures, but also indirect costs such as brand impact and disappointed customers leaving the brand."