Most data breach reports include what is, frankly, spurious data. A lost or stolen laptop, or even a dossier of top secret information left on a commuter train seat, has less to do with an increase in threats than it does with reporting requirements derived from various legislative actions. While these reports do drive home the expense, loss of reputation, and compliance requirements associated with good data protection, they do not shed the same light on methodologies that Verizon does.
The most dramatic revelation is that the market value of stolen credit card data has plunged. The market is saturated with credit card data stolen from large payment processors and retailers. From prices in the $10-$12 per record range, values have dropped to $.50. To understand how credit card data is used by criminal organizations, look at how stolen credit card information from the infamous TJX data breach was monetized. Criminals in Florida used magnetic stripe encoding machines to put the information on fake credit cards they manufactured. The account information would not even match the names embossed on the cards. They would then go to local Wal-Mart stores and purchase $400 in gift cards. One zealous carder bought $18,000 of gift cards from several Wal-Mart stores in one day. They would then exchange the gift cards for jewelry and electronics at other stores. Police estimate they stole $8 million in this manner.
Insiders vs. Outsiders
One surprising result from Verizon's research was that the majority of data thefts were perpetrated by outside attackers: 74%. This is counter to the oft-quoted statements of security pundits. It may have been true, before the rise of the cyber crime economy of today, that insiders were responsible for most breaches, but thanks to the continuing success of data thieves, that is no longer the case. Or rather, while theft of identities is from the outside, the insider is still going to be the culprit in cases of stolen customer lists, processes, and designs. The vast majority (91%) of the stolen records in 2008 can be attributed to organized crime, according to the report. So far, arrests have been made in fifteen of the ninety cases that Verizon has been involved in.