
Data thieves seeking out insiders

Karen Dearne | August 26, 2008

DATA thieves are switching their attention to softer targets such as Australia, as US and European companies harden their defences against losses of customer identity and credit card information.

Bryan Sartin, head of Verizon's business investigative response team, says Australia is top of the list for organised criminals trawling for victims in countries with no data breach notification laws and a low rate of compliance with the payment card industry data security standard.

The biggest change in the past year had been the shift in data compromises as criminals sought targets that were lax about security, Sartin says.

"In 12 months, demand for our computer forensics services has shifted 180 degrees," he says.

"In April, there was more demand for our work in Australia than in the US and Canada combined."

Sartin attributes the change to the large monetary penalties non-compliant merchants face under the industry standard when breaches occur.

When the first industry deadline with demonstrable fines attached came into effect in the US last September, it was business as usual for the first couple of weeks, he says.

"Then, like clockwork, we saw the perpetrators realise these guys have really wised up.

"Then they started looking for other areas where these compliance standards are not in place or, at least, where there are no financial penalties."

Australia's mentality has been that these things do not happen here. Now the nation is paying the price.

Sartin has been in Australia four times in the past six months and says Verizon is involved in a series of investigations, including some high-profile cases in Sydney and Melbourne.

Many of the cases involve online merchants who have identified compromised customer credit or debit card transactions.

Often the data has been stolen by business partners or third parties with authorised access to company systems.

Sartin says such partial insiders account for 39 per cent of data theft.

The typical partial insider works for a company that supports mainframes, sells point-of-sale systems, or collects back-up tapes.

"We expect that by the middle of next year breaches by partial insiders will surpass those of anonymous external intrusions, and they already outstrip internal threats," Sartin says.

Partial insiders are defined as those who, for legitimate business reasons, have access to an organisation's critical servers and sensitive data, and are in a position to misuse that data for fraudulent purposes.

The trend of the partial insider is being fuelled by organised criminals, who are shying away from the risk of exposure and prosecution inherent in attacking high-profile companies.

Instead they are identifying vulnerabilities in certain software packages or particular makes and models of hardware. Then they look for the vendors and businesses supporting those applications and products in the business environment.

"They go to the call centres, the offshore web developers, the contractor groups, and recruit someone who has access to hundreds or thousands of customers who have systems with vulnerabilities, hates their boss, and has financial problems," Sartin says.

Essentially, vendors are making customer lists available to the information black market, but it is not the organised criminals who take the fall when the cases go to court.

Retail businesses are particularly vulnerable to this risk, as they tend to outsource certain functions and use a small range of niche systems.

"It is not uncommon for a retailer to have 1000 stores located in four countries but only 200 IT people, and they're all in one office," Sartin says.

"They have to rely on vendors to support their most critical systems and handle their most sensitive data.

"We call those cash-register cases. When the vendor of a restaurant point-of-sale system, for example, starts selling either data or access to their customers' systems, that's not just one or two companies getting hit - we'll have 20 or 30 restaurants coming to us with the same problem."
