The vast majority of information security breaches might have easily been prevented, a study has concluded.

An analysis of 500 forensic investigations, collectively involving 230 million compromised customer records, by Verizon Business also found that three in four (73 per cent) of the breaches stemmed from external attacks, compared to 18 per cent that were blamed on insiders. The finding runs counter to the convention wisdom that misbehaving internal employees pose a bigger threat than hackers or other external sources. Two in five security screw-ups (39 per cent) were lammed on business partners.

Nine out of ten breaches attributed to hacking attacks took advantage of a vulnerability for which a fix was available at least six months prior to an attack. Assaults on application, service or software layers were more common than assaults on operating system bugs.

Verizon's 2008 Data Breach Investigations Report also found that three in four breaches were discovered by an external organisation rather than the victims of attacks. In many cases data spills went undetected for extended periods.

The food and beverage industry accounted for more than half of the incidents investigated. The financial services market, where breaches carry higher inherent risk, accounted for 14 per cent of the cases.

The study found hacking is going international, with geographical areas of expertise emerging. Attacks from Asia, particularly China and Vietnam, often involve application exploits. Attacks on (presumably networked) point-of-sale systems often come from IP addresses in eastern Europe and Russia.

Its no surprise that the study concludes that the motives behind most of the attacks are financial. "Data compromise is the easiest, safest and most lucrative way to steal the information necessary to commit identity fraud," Verizon Business concludes. The growing black market in customer data creates an additional source of illicit income for miscreants. Verizon reckons hackers often pool resources in their efforts to attack vulnerable systems.

Verizon's report is available here (pdf). ®

Related stories

• Analysis Fog of attack clouds Best Western hack (29 August 2008)
• Best Western plays down impact of hack attack (26 August 2008)
• Breach disclosure laws have 'no effect' on identity theft (5 June 2008)
• Supermarket loses 4.2 million credit card details (18 March 2008)
• Information security breaches quadrupled in 2007 (2 January 2008)
• Fidelity employee steals 2.3 million consumer records (4 July 2007)
• Ohio data leak was 'accident waiting to happen' (22 June 2007)
• Lax security led to TJX breach (4 May 2007)
• Data theft replaces malware as top security concern (19 April 2007)
• Consumers baulk at returning to hacked stores (17 April 2007)
• How much do security breaches cost anyway? (12 April 2007)
• TJX lost up to 45.6m card numbers (29 March 2007)