Hackers grabbed more than 285M records in 2008

By ABC News
April 15, 2009, 1:13 PM

SAN FRANCISCO -- Hackers made off with at least 285 million electronic records in 2008, more than in the four previous years combined, according to a new study that shows identity thieves are getting better at exploiting careless mistakes that leave companies vulnerable to attack.

The number comes from a study of 90 data breaches investigated by Verizon Communications Inc., which is hired to do a post-mortem on most big computer intrusions.

No victims are identified in the report. Many of the breaches aren't even public. That can happen if law enforcement insists on secrecy because of an ongoing criminal investigation, or if personally identifiable information wasn't lost in the hack.

In many breaches, especially involving lost or stolen laptops, the records aren't used for anything at all.

Verizon's study looked only at breaches involving attacks that resulted in compromised records being used in a crime, like making counterfeit credit cards and buying homes and medical coverage under someone else's identity and on their dime.

The company found that 90% of the breaches it investigated could have been avoided with basic security measures.

One of those is recognizing how valuable so-called "non-critical" computers are to hackers.

Peter Tippett, vice president of research and intelligence for Verizon's business security solutions division, says criminals aren't looking to crash through the front door with a brazen computer attack. Often they're content to feel around the edges and look for vulnerabilities that can get them in through the equivalent of a side window.

Even by tapping into computers of low-level employees who don't handle sensitive data, hackers can get a toehold for installing more malicious software that scans the network traffic and looks for vulnerabilities in other computers.

The study also found that data breaches are getting more severe because criminals are using sophisticated new programs that were custom-designed for particular attacks and weren't known to the security community or law enforcement.