E-commerce, not POS, source of most retail breaches

For all the attention paid to point of sale systems as the cause of security breaches at retail, e-commerce breaches are really more common, according to a new report from Trustwave.

While payment card data continued to top the list of the types of data compromised, the report notes that 45 percent of data thefts in 2013 involved confidential, non-payment card data — a 33 percent increase from 2012. Non-payment card data includes other sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records.

E-commerce breaches were the most rampant, making up 54 percent of assets targeted. POS breaches accounted for 33 percent of the 2013 investigations and data centers made up 10 percent. Trustwave experts expect POS and e-commerce compromises to dominate into 2014 and beyond.

Of all the industries included in the study, retail had the dubious honor of being the top industry compromised, making up 35 percent of the breaches Trustwave investigated in 2013. Food and beverage ranked second at 18 percent and hospitality ranked third at 11 percent. The United States overwhelmingly houses the most victims at 59 percent, more than four times as many as the next closest victim location, the United Kingdom, at 14 percent. Australia was ranked third, at 11 percent followed by Hong Kong and India, both at two percent. Canada ranked sixth at just 1 percent.

Malware continues to be the top method for getting inside and stealing data, and once again, the United States is ranked No. 1 as the top malware-hosting nation. Cyber criminals relied most on Java applets as a malware delivery method; 78 percent of exploits Trustwave detected took advantage of Java vulnerabilities and 85 percent were of third party plug-ins, including Java, Adobe Flash and Acrobat Reader. A recent report from Checkpoint found Malware on 84 percent of enterprise systems.
Trustwave found that spam made up 70 percent of inbound mail, however malicious spam dropped five percent in 2013. Fifty-nine percent of malicious spam included malicious attachments and 41 percent included malicious links.

The Trustwave report confirmed what Target (NYSE:TGT) already knows: That employees and individual users often open the door to criminals. Easily-guessable passwords are among the biggest culprits and led to an initial intrusion in 31 percent of compromises.

There has been increased vigilance and attention paid to cyber security in the wake of Target and other retailers' massive data breaches. In 2013, Trustwave found that 96 percent of scanned applications harbored one or more serious security vulnerabilities. Will this number drop in next year's report?

For more:
-See this Trustwave press release
-See this FierceITSecurity story

Related stories:
Target, JCPenney, RILA members form group to fight cyber crime
EMV migration won't save retail
Target: Timeline of a data breach
Target: Stolen vendor data led to breach, costs reach $153M
Data hacks: FBI says more breaches in store, Neiman Marcus says 1.1M cards at risk