Verizon Business released their Data Breach Investigations Report (DBIR) today, an analysis of 1,152 data breaches that occurred in 2008, only 30% of which were reported. The DBIR reveals that 285 million records were exposed—more than the total number of records from 2004 to 2007.
The causes of those data breaches are alarming, enraging and disheartening. According to the DBIR,
- 62% of the data breaches occurred within the retail and financial services sectors, which are required to meet the Payment Card Industry Data Security Standard (PCI DSS).
- More than 80% of the organizations affected by data breaches were not compliant with PCI DSS.
- The financial industry lost 93%, or 265,050,000, of the compromised records.
- 72% of the attacks were determined to be opportunistic; the attackers identified a vulnerability and exploited it.
- 73% of the attacks were determined to be of no difficulty (requiring no special skills or resources; the average user could have done it), or low difficulty (basic methods, no customization, and/or low resources required).
- 67% were aided by significant errors.
Who committed the attacks?
- 74% resulted from external sources
- 39% involved multiple parties
- 32% implicated business partners
- 20% were caused by insiders
Though insiders are to blame for only 20% of the data breaches, they did far more damage per incident. The median number of records compromised per insider breach is 100,000, compared with a median of 37,847 records per external breach and a median of 27,000 per breach traced to partners.
Hackers were responsible for 64% of the data breaches, but claimed 94% of the 285 million records compromised, or 267,900,000.