As a cybersecurity reporter, my email inbox bursts at the seams with pitches hyping reports that claim to reveal all sorts of hacking trends. Almost invariably, these lures tease outrageous findings without any mention of methodology. Nuances such as scope, number of people polled, networks analyzed, over what time period, and by what means are conveniently excluded—usually, one finds, because the stats are not up to snuff. Instead: "Hackings surged 7,000%!!! Would you like to talk to so-and-so about it?"
That's one reason why it's such a pleasure to pore over Verizon's annual data breach investigations report, one of the best-sourced surveys around. The telecom giant released its 10th edition early Thursday morning. Teaming up with 65 contributing organizations, Verizon's analysts scrutinized 42,068 security incidents, of which 1,935 qualified as full-blown data breaches. They sliced and diced the data every which way, and admirably owned up to their own blind spots. As the 76-page paper humbly submits in its characteristically folksy tone: "It is a piece of the information security puzzle—an awesome corner piece that can get you started—but just a piece nonetheless." (Later, the authors thank the reader for "once again taking the time to dig into our InfoSec coddiwomple.")
Here are some of the bits that caught my attention this year. First, each industry has its own flavor. The tech sector is the most reliable at patching its systems, sealing up 97.5% of known holes within 12 weeks of a vendor releasing software updates. (Compare that to retail and to food and hospitality, where little over 60% gets patched in the same time period.) The manufacturing, education, and public sectors are the most rife with cyberespionage, where spies seek to steal intellectual property, proprietary research, and state secrets. Healthcare is the only industry in which insider threats, meaning rogue employees, are the predominant threat actor. And financial services and insurance companies most commonly contend with distributed denial of service attacks, which overload computer servers with Internet traffic.
Another notable finding: ransomware continues to explode. The frequency of attacks featuring this malicious software, which holds victims' computer files for ransom, increased 50% in 2016 compared to the year prior, Anastasia Atanasoff, a data scientist on Verizon's security team, told me. This year ransomware clocked in as one of the top five most common varieties of malware, rocketing from 22nd place in 2014. It's worth noting that Verizon's analysts counted ransomware attacks as "incidents" rather than "data breaches" in the report, "because typically we cannot confirm that data confidentiality was violated." In other words, it's hard to know whether the attackers actually laid eyes on the data they locked up.
For some Saturday reading, I recommend the full report. No document provides a more rigorous overview of the security challenges businesses face today. In an industry where marketing puff often crowds out reliable information, the Verizon report is a welcome read.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune's daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Nixing North Korea's nukes. A brimming crisis over the Hermit Kingdom's pursuit of nuclear weaponry and intercontinental ballistics technology is proving to be the defining foreign policy issue of the Donald Trump presidency. The commander-in-chief warned that the situation could result in a "major, major conflict" in a sit-down with Reuters this week. Secretary of State Rex Tillerson chaired a special U.N. Security Council meeting that addressed the threat on Friday. Needless to say, I would love to know all the spycraft the U.S. is pursuing to collect signals intelligence around this thorny problem. (Reuters, Fortune)
NSA dials back data collection. The National Security Agency said it would cease collecting Internet communications "that merely mention a foreign surveillance target," because it was having trouble protecting Americans' privacy in the process. This means that emails containing email addresses or phone numbers associated with surveillance targets will no longer automatically be stored in a repository for analysts to parse. The authority under which the NSA spies on foreign targets—Section 702 of the Foreign Intelligence Surveillance Act—is set to expire at the end of this year (unless, of course, it is renewed). (New York Times, Reuters, NSA.gov)
Would you like guacamole with that hack? While reporting earnings this week, the restaurant chain Chipotle disclosed that its payment systems suffered a security breach. Chief financial officer Jack Hartung told analysts that "we recently detected unauthorized activity on a network that supports payment processing for purchases made in our restaurants," while noting that the incident occurred between March 24 and April 18. The notice tempered some good news; Chipotle's sales have finally rebounded from its 2015 E. Coli debacle. (Fortune)
A suspicious case of Internet traffic hijacking? For roughly five minutes on Wednesday, 36 large chunks of network traffic belonging to giants such as MasterCard, Visa, Symantec, EMC, and more than two dozen financial services companies were routed through Rostelecom, a Russian telecom company in which the Russian government owns a 49% stake. The incident, possibly inadvertent or accidental, seemed "quite suspicious" to Doug Madory, Internet analysis director at Dyn, a DNS management company recently acquired by Oracle. Such a hijacking, based on vulnerabilities in the so-called Border Gateway Protocol that routes Internet traffic, could allow attackers to intercept and manipulate data—a worrisome possibility. (Ars Technica)
Share today's Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
With some exemplary gumshoe reporting, Fortune's Jeff John Roberts uncovered the identities of the two tech titans fleeced out of $100 million by a 40-something Lithuanian man between 2013 and 2015. Come for the scoop, stay for the discussion of broader implications with former SEC chief Mary Jo White.
When the Justice Department announced the arrest last month of a man who allegedly swindled more than $100 million from two U.S. tech giants, the news came wrapped in a mystery. The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme. The mystery is now unraveled. A Fortune investigation, which involved interviews with sources close to law enforcement and other figures, has unearthed the identities of the unnamed companies plus other details of the case. The victims were Facebook and Google. Read more on Fortune.com.
Russian Gets Longest U.S. Hacking Sentence Ever, by David Z. Morris
Uber Unveils Simple New Privacy Settings, by Jeff John Roberts
Former Lyft Driver Sues Uber Over 'Hell' Tracking Program, by Julia Zorthian
Halt Hackers in their Tracks With This Simple Key, by Robert Hackett and Jeff John Roberts
ONE MORE THING
How McAfee is securing its future. Chris Young is leading McAfee, the three-decade-old antivirus software pioneer, after a $4.2 billion spinout from Intel in April. Independence from the $60 billion chipmaker will afford McAfee "a little bit more freedom and flexibility" when it comes to deciding its own fate, Young tells Fortune senior writer Michal Lev-Ram. Now Young's got to figure out how to move the company forward—he suggests it's investing in machine learning technology. (Fortune)