Organized Crime Behind a Majority of Data Breaches

By Brian Krebs, Staff Writer
Wednesday, April 15, 2009; 10:22 AM

A string of data breaches orchestrated principally by a handful of organized cyber-crime gangs translated into the loss of hundreds of millions of consumer records last year, security experts say.

The size and scope of the breaches, some of which have not previously been disclosed, illustrate the extent to which organized cyber thieves are methodically targeting computer systems connected to the global financial network.

Forensics investigators at Verizon Business, a firm hired by major companies to investigate breaches, responded to roughly 100 confirmed data breaches last year involving some 285 million consumer records. That staggering number -- nearly one breached record for every American -- exceeds the combined total of records breached in the break-ins the company investigated from 2004 to 2007.

In all, breaches at financial institutions accounted for 93 percent of all such records compromised last year, Verizon reported. The attacks studied between 2004 and 2007 were largely opportunistic: hackers sought out companies running software and hardware with known security flaws. By contrast, more than 90 percent of the records compromised in the breaches Verizon investigated in 2008 came from targeted attacks, in which the hackers picked their victims first and then worked out how to break in.

Bryan Sartin, director of investigative response at Verizon Business, said criminals in Eastern Europe played a major role in breaches throughout 2008.

"About 50 percent of the confirmed breach cases we investigated shared perpetrators," Sartin said. "Organized crime is playing a much larger part of the caseload we're seeing. We've seen that both [the FBI] and the Secret Service have initiatives underway to go back through their cyber crime case histories over the past several years, to start tying together all of the common characteristics of the attacks to individuals, to really try and get a firm handle on the individuals responsible for these attacks."

For example, a single organized criminal group based in Eastern Europe is believed to have hacked Web sites and databases belonging to hundreds of banks, payment processors, prepaid card vendors and retailers over the last year. Most of the activity from this group occurred in the first five months of 2008. But some of that activity persisted throughout the year at specific targets, according to experts who helped law enforcement officials respond to the attacks, but asked not to be identified because they are not authorized to speak on the record.

Shawn Henry, assistant director of the FBI's cyber division, said the bureau is making real progress in working with foreign law enforcement to track down the major sources of cyber crime.

"The sophistication of these attacks has gone up, the bravado has gone up, and our commitment is steadfast," Henry said. "We're working very closely with foreign law enforcement and with some of the victims, and we certainly recognize how significant these threats are coming from all over Eastern Europe."

One hacking group, which security experts say is based in Russia, attacked and infiltrated more than 300 companies -- mainly financial institutions -- in the United States and elsewhere, using a sophisticated Web-based exploitation service that the hackers accessed remotely. In an 18-page alert published to retail and banking partners in November, VISA described this hacker service in intricate detail, listing the names of the Web sites and malicious software used in the attack, as well as the Internet addresses of dozens of sites that were used to offload stolen data.

"This information was recently used by several entities to discover security breaches that were otherwise undetected," VISA wrote.
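The practical use of an alert like Visa's is an indicator sweep: matching outbound traffic logs against the listed drop-site addresses so that a company can find an intrusion it never detected on its own. What follows is an added example, not part of this article or of the Visa alert; the indicator addresses, domain names and proxy log lines in it are constructed for illustration and do not come from the alert. It matches IP indicators exactly, matches domain indicators including their subdomains (while rejecting look-alike names that merely end in the same string), and totals the bytes each internal client sent to drop sites so that responders know which machines to image first.

```python
"""Sweep outbound web-proxy logs for connections to known drop sites.

Added example for illustration only: every indicator and log line below
is constructed and is NOT taken from the Visa alert described in the text.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed (hypothetical) indicator list of data drop sites.
DROP_SITE_IPS = {"203.0.113.17", "198.51.100.204"}
DROP_SITE_DOMAINS = {"example-drop.invalid", "stats-upload.example"}

# Constructed proxy access log: timestamp, client, method, URL, bytes sent.
SAMPLE_LOG = """\
2008-11-12T02:14:09Z 10.4.7.22 POST http://stats-upload.example/up.php 184320
2008-11-12T02:14:11Z 10.4.7.22 GET http://www.example.com/index.html 1420
2008-11-12T02:15:40Z 10.4.9.5 POST https://203.0.113.17:8443/gate 2091010
2008-11-12T02:16:02Z 10.4.7.31 GET http://cdn.stats-upload.example/ping 88
2008-11-12T02:17:55Z 10.4.7.31 GET http://notstats-upload.example/ 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    destination: str
    indicator: str
    bytes_out: int


def _matches(host: str) -> str | None:
    """Return the indicator that `host` matches, or None.

    IP addresses must match exactly. Domain indicators match the name
    itself or any subdomain of it, so `cdn.stats-upload.example` hits
    while the look-alike `notstats-upload.example` does not.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        return host if host in DROP_SITE_IPS else None
    for dom in DROP_SITE_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def sweep(log_text: str) -> list[Hit]:
    """Return every log line whose destination host is a known drop site."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, _method, url, nbytes = m.groups()
        host = urlsplit(url).hostname or ""  # strips scheme, port and path
        indicator = _matches(host)
        if indicator is not None:
            hits.append(Hit(ts, client, host, indicator, int(nbytes)))
    return hits


def clients_to_triage(hits: list[Hit]) -> dict[str, int]:
    """Total bytes each internal client sent to drop sites, largest first."""
    totals: dict[str, int] = {}
    for h in hits:
        totals[h.client] = totals.get(h.client, 0) + h.bytes_out
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} -> {h.destination} "
              f"[{h.indicator}] {h.bytes_out} bytes")
    print(clients_to_triage(found))
```

Run against real proxy or firewall logs, the same logic applies unchanged; the one caveat is that a suffix match on domains is deliberate, since attackers rotate hostnames under a drop domain, whereas IP indicators go stale quickly and should be paired with the date of the alert.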

The Washington Post obtained from a security researcher a partial list of the companies targeted by the Russian hacking group; the attackers had left the list behind on one of the Web servers they used. More than a dozen companies on that list acknowledged first learning about intrusions after being contacted by law enforcement agencies tracking the activities of the cyber gang.


© 2009 The Washington Post Company