The number of significant computer security breaches at large companies, government agencies and other organizations continues to rise, and nearly all of them fall into one of nine attack patterns, new research from telecom giant Verizon suggests.
According to the company’s 2015 Data Breach Investigations Report, a widely referenced annual collection of data on hacking attacks, the trends are little changed from last year. This year the report cataloged nearly 80,000 security incidents, including 2,122 confirmed security breaches in 61 countries.
Practically every breach (96 percent) fit one of nine attack patterns that hackers tend to reuse. The finding confirms a trend that Verizon’s researchers first noticed last year after looking back on 10 years’ worth of attack data.
In cases where an organization’s systems were attacked and confidential data was disclosed, the most popular method used was attacks on Web applications, accounting for 458 breaches, Verizon says. Following that were attacks on point-of-sale systems used in stores, which accounted for 419 breaches. Attacks by state-backed organizations, which Verizon refers to as “cyber espionage,” accounted for 290 breaches.
In breaches involving Web applications (business software that runs in a Web browser), attackers used stolen credentials, such as user names and passwords, 95 percent of the time, and simply logged in as though they were a legitimate user. No software flaw needs to be exploited in that case: the login looks valid to the application, so the remaining signals are where, when and how often the account is being used.
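The practical consequence of that finding is that a stolen-credential breach has to be caught from the shape of otherwise successful logins. The following is an added example, not code from the Recode article or from Verizon, showing two such checks over a constructed authentication log: a successful login from a country the account has never used before, and a single source address authenticating into many different accounts within a short window (the pattern left by replaying a dump of stolen credentials). The log format, the field order and the thresholds are assumptions made for the example.

```python
"""Detect successful logins that look like use of stolen credentials.

Added example; the log lines, format and thresholds are constructed for
illustration and are not from the article or the Verizon report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, user, source IP, source country.
# One failed attempt is included to show that only successes are considered.
SAMPLE_LOG = """\
2015-04-01T08:02:11Z ok alice 203.0.113.10 US
2015-04-01T08:05:40Z ok bob 203.0.113.11 US
2015-04-01T09:14:02Z ok alice 203.0.113.10 US
2015-04-01T09:20:33Z ok carol 203.0.113.12 US
2015-04-02T03:40:50Z fail bob 198.51.100.7 RO
2015-04-02T03:41:19Z ok alice 198.51.100.7 RO
2015-04-02T03:42:01Z ok bob 198.51.100.7 RO
2015-04-02T03:42:44Z ok carol 198.51.100.7 RO
2015-04-02T03:43:10Z ok dave 198.51.100.7 RO
2015-04-02T10:00:00Z ok bob 203.0.113.11 US
"""


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    ip: str
    country: str


def parse_log(text):
    """Parse the assumed log format, keeping only successful logins."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, user, ip, country = line.split()
        if status != "ok":
            continue  # failures are noise for this check; the attacker succeeded
        events.append(Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, ip, country))
    return events


def find_new_location_logins(events):
    """Flag a successful login from a country the account has never used.

    The baseline is built from earlier events only, so the first login from
    a new place is flagged even though it is valid to the application.
    Accounts with no prior history are not flagged (nothing to compare to).
    """
    seen = defaultdict(set)
    findings = []
    for e in events:
        if seen[e.user] and e.country not in seen[e.user]:
            findings.append(("new-country", e.user, e.ip, e.country))
        seen[e.user].add(e.country)
    return findings


def find_shared_source_logins(events, min_accounts=3,
                              window=timedelta(minutes=10)):
    """Flag one source IP logging in to many distinct accounts within `window`.

    Legitimate users rarely share an address across several accounts in a
    few minutes; a replayed credential dump does exactly that.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda x: x.ts)
        best, start = set(), 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:  # slide the window forward
                start += 1
            users = {x.user for x in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            findings.append(("shared-source", ip, tuple(sorted(best))))
    return findings


def analyze(text):
    """Run both checks over a log and return all findings."""
    events = parse_log(text)
    return find_new_location_logins(events) + find_shared_source_logins(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Both checks deliberately look only at logins the application accepted; a password-guessing detector that counts failures would miss this class of breach entirely, because the credentials were correct.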
Credentials are often stolen through another popular kind of attack: phishing, in which a target receives an email crafted to trick them into opening a malicious attachment or clicking a link, which then installs malware or harvests their passwords. The study found that when attackers send mass phishing campaigns in the hope that someone will bite, 23 percent of recipients open the email and 11 percent open the attachment. That may not sound high, but it takes only one careless person to cause a lot of headaches.
The study also found that certain departments within a company are more likely than others to fall victim to phishing attacks: Communications, legal and customer service, where there tend to be a lot of email attachments to open, were the top three. The best defense? “Awareness and training.”
A total of 548 incidents examined for the report were classified as “cyber espionage,” meaning they were thought to have been carried out by or on behalf of a national government against a company or other organization, such as a university or a government agency in another country; the 290 breaches mentioned above are the subset in which data was confirmed to have been taken. In two-thirds of these cases, however, positive attribution (the “whodunnit?” part of computer security) was never established.
The largest portion of those “unattributed attacks” — more than 27 percent — were carried out against companies in the manufacturing sector, followed by attacks on government agencies. More than 77 percent of them were carried out by email — either a phishing attachment or a link in an email message. Nearly 86 percent of the time the information taken in these attacks was classified as “secrets,” including things like trade information, legal documents and intellectual property.
Seventy organizations, including law enforcement agencies like the U.S. Secret Service and computer security firms like FireEye, contributed data for the report. Two-thirds of the incidents reported occurred in the U.S., but that’s also where most of the contributing organizations are, so the geographic figures reflect who reported as much as who was attacked. Government agencies, technology companies and financial services firms were the ones most often attacked.
There’s a lot more to the report, which runs about 66 pages, and it’s well worth a read.
This article originally appeared on Recode.net.