Cybercriminals have shifted their focus away from stealing payment card data in favor of targeting personal information and directly extorting victims, according to a new report from SurfWatch Labs.
The trends aren’t surprising, said SurfWatch Labs chief security strategist Adam Meyer, who discussed the report on this week’s Cyber Chat podcast. Cybercrime is a business, and malicious actors gravitate towards the process that gives them the largest return on their effort.
While extortion is perhaps the most direct path towards monetizing cybercrime, stolen personal information has a long shelf life and can be easily sold or used for authentication purposes. It also tends to be the low-hanging fruit as retailers and financial institutions improve at preventing or minimizing the losses around payment card information.
“All these identifiers that make you ‘you’ can be used in 20 different ways to conduct an attack,” Meyer said. “It makes complete sense why we’re seeing this trend come up.”
While 2014 was dominated by headlines surrounding point-of-sale (PoS) breaches, only three PoS breaches cracked last year’s top 25 trending cybercrime targets: Starwood Hotels & Resorts (#14), Hyatt Hotels (#17) and Dixons Carphone (#23).
Altogether, SurfWatch Labs collected CyberFacts related to 4,562 distinct industry targets last year.
The top trending cybercrime targets last year — the United States Office of Personnel Management, Anthem, and Avid Life Media — all centered around the theft of personal information.
“A Failure of Corporate Culture”
The rise in stolen personal information can be attributed to failures at the top of many organizations, Meyer said.
“The biggest vulnerability that we have in my opinion is outdated corporate culture,” he said. “They completely have their heads in the sand about what’s going on in the world.”
Despite all of the recent headlines around cybersecurity, many organizations still do not adequately assess their level of cyber risk and take the necessary precautions.
“No one is really trying to solve this problem at the decision maker level,” Meyer said. “The organizations are falling down on educating themselves on these issues until it’s too late.”
He added that every organization is a custodian of data, and that the first step to mitigating cyber risk is to put a thought process in place for assessing the risks facing your data, your infrastructure, your industry, and your partners and suppliers.
Dark Web and Other Cyber Risk Trends
Dark Web markets can provide valuable insight into many cybercrime trends.
“The black market is a great resource to look at what is the typical state of the underground economy,” Meyer said. “You can see what’s being bought and sold. You can see what prices they’re generating. You can see the tempo and the supply and demand aspect of things, and you can use that information to compare against where would you fit in that.”
Unfortunately, there’s not enough education on what happens to data once it is stolen, he added.
“This is where the stuff goes most of the time, and we’re not educating anybody on where it’s going and why it’s going there. And people just keep repeating the mistakes over and over and over.”
Listen to the full conversation with SurfWatch’s Adam Meyer below, or download the SurfWatch Cyber Risk Report: Year in Review.
About the Podcast:
SurfWatch Labs recently released a threat intelligence report detailing cyber risk trends. They noted that cybercriminals have shifted their targets over the past year from focusing on credit card information at financial institutions to increasingly stealing personal information across a swath of industries.
On today’s Cyber Chat we talk with our own Adam Meyer, Chief Security Strategist at SurfWatch Labs, about the report, cyber risk trends and what businesses need to do in order to stay ahead of cybercriminals.
Download the Cyber Risk Report: Year in Review here: http://info.surfwatchlabs.com/cyber-risk-year-in-review-2015