If you happen to have been a victim of hacking over the past 12 months and want to know where the culprits are, look no further than China, which has just been fingered as the origin of around 30% of all data breaches during 2012.

Verizon’s 2013 Data Breach Investigation Report (DBIR), published this morning, shows that China topped a list of 40 countries thought to be responsible for the most cyber attacks over the last year. Just behind it was Romania, from where 28% of all data breaches originated from, followed by… You guessed it, the United States, which came in third position, accounting for 18% of all security breaches.

Verizon’s report only discussed the top ten threat origins, with the other 30 countries not being named.

It’s All China’s Fault. Or Is It?

One of the most interesting facts about China’s impressive data theft record is that some 96% of all breaches attributed to it were motivated by cyberespionage, as opposed to financial gain which was the chief motivating factor in the other nine countries.

However, the report warns that people shouldn’t jump to conclusions about China just yet:

“This may mean that other threat groups perform their activities with greater stealth and subterfuge, but it could also mean that China is, in fact, the most active source of national and industrial espionage in the world today,” the authors noted.

Speaking to ZDNet earlier today, Verizon’s Senior Security Consultant Patrick Lum elaborated on this point, saying that China was not necessarily the biggest perpetrator of cyber crime. One factor to consider is that internet regulations in China are generally much more lax than those of other nations, making it easier for hackers to operate there without detection or hindrance.

Data Breaches By The Numbers

This year’s was the sixth successive annual edition of Verizon’s report. The authors looked at more than 47,000 ‘incidents’ from around the world, of which, 621 of them were confirmed as data breaches. Co-authoring the report alongside Verizon were experts from 18 organizations, including the CERT Insider Threat Center at Carnegie Mellon University, Malaysia Computer Emergency Response Team (MyCERT) of Cybersecurity Malaysia, and Deloitte.

As well as identifying the perpetrators of data breaches, the report also looked at what industries were affected, finding that there are few which should not consider themselves a target. Somewhat predictably, financial firms were targeted the most often, accounting for 37% of all victims. Retailers and restaurants came second, being targeted 24% of the time, followed by manufacturing, transportation and utilities industries 20% of the time. Also hit were organizations described as “information and professional services” providers, which accounted for another 20% of breaches.

Wade Baker, one of the report’s principal authors, sums up the threat as follows:

“The results validate that any business that operates online is at potential risk of suffering a data breach. We talk to a lot of actors that are flabbergasted that they would be attacked by a group based across the world. But the report shows that no matter the size of the organization — large, small, government agencies, banks, restaurants, retailers — people are stealing data from a range of different organizations and it’s a problem everyone has to deal with.”

Lax Security Measures The Biggest Problem?

Truly, people will never learn. According to the report, once again the biggest cause of all data breaches was attributed to weak or stolen passwords and user names, this being the case in a whopping 76% of cases. In addition, hackers used tried and trusted techniques such as spear phishing and other ‘social tactics’, i.e. sending a message or email to a user, purportedly from one of their contacts. Invariably, this message contains a link or attachments that, once clicked, inject malware onto the user’s system. Verizon says that this method of attack accounted for around 29% of all data breaches, almost four times as many as the year before.

Finally, the report also highlights one of the biggest worries with data breaches, namely the time it takes for organizations to discover them. Typically, this metric is measured in months and even years, as opposed to hours or days, suggesting that companies need to do a lot more checking to ensure the integrity of their data.

For more information, readers can download Verizon’s 2013 Data Breach Investigation Report here.