A few short years ago, cybercrime was all about stealing payment card data, usually for resale via dark web markets.
A brief look at the 2008 Data Breach Investigations Report (DBIR) finds that, back then, payment card data was targeted in 84% of all data breaches, while personally identifiable information (PII) and credentials were way down at 32% and 15%, respectively.
Similar to the reduction in attacks targeting POS devices and servers, the shift away from payment card data is partly a result of improved security and regulation in this area.
This article is the fourth in a series summarizing the findings of our new report:
Today, we’re examining what cybercriminals do when their favorite target is hard to get: improvise.
Stealing Personal Data for Fun and Profit
Today, PII (including personal health information, or PHI) is targeted in almost half of all breaches, followed by credentials at 45% and payment card information at less than 10%. The motivation behind targeting PII and credentials is simple:
- PII is easy to sell via criminal markets, providing an easy “cash out” option for cybercriminals. Typically, the information is used by other groups to conduct fraud.
- Credentials are also easy to sell. They are typically used for basic password reuse attacks (i.e., theft or fraud operations against individuals or businesses) or to conduct privileged cyberattacks against the same targets.
This highlights the circular nature of the cybercriminal economy, which essentially feeds itself. One breach can easily lead to more (and more serious) consequences if affected organizations either don’t detect the initial breach or fail to take sufficient action to prevent more.
Motivations Over Time
If we had to summarize cybercriminal motivations in a word, it would be profit. In every edition of the DBIR (15 so far), financial gain has been the #1 motivation for cybercrime by a wide margin. This year, over 90% of reported breaches were financially motivated. However, this doesn’t tell the full story.
Three other motivations are worthy of mention: espionage, hacktivism, and grudges.
While practically absent from the DBIR until 2016, espionage plays a significant role in today’s cyber activity. It accounts for around 4% of breaches across all organizations and 10% for large organizations. Typically, these attacks are above average in sophistication, and, as with supply chain attacks, it’s likely that many espionage attacks simply go unnoticed.
Moving in the opposite direction, hacktivism was once a serious issue, accounting for a large portion of incidents between 2011 and 2015. Prominent organizations including the Syrian Defense Ministry, the U.S. Executive Branch, and Sony (no, not that time—a different one) were targeted by politically or socially motivated hacking groups in response to actions those groups deemed “unacceptable”.
Today, hacktivism is barely a blip on the cyber breach radar. It does happen—it’s just less common and tends to affect organizations that are accustomed to being targeted. It does, however, factor more significantly into security incident figures, particularly when it comes to DDoS. More on that shortly.
So what about grudges? Attacks launched by (for example) disgruntled employees have always prompted fear. This is for good reason. We’ve noted that malicious internal breaches have outsized impacts, resulting in greater financial and operational losses for affected organizations. However, “grudge-like” attacks have always been the minority, accounting for a few percent of breaches yearly.
TL;DR: Show Me the Money
Despite the odd high-profile story about hacktivism, grudges, and state-sponsored espionage, the overwhelming majority of cybercrime is financially motivated.
So, while you should certainly give thought to protecting any trade secrets your organization might hold (particularly if you work at a university or research-led organization), most of your attention should be devoted to protecting assets with the highest resale or reuse value—PII and credentials.
Get the Full Cybercrime Story
A cybercrime report could be anything from one page to a hundred pages long. It could be as simple as saying, “Cybercriminals go where the money is,” or as complicated as digital forensics and malware analysis.
In our new report, we’ve striven for a happy medium that gives insight into current, past, and possible future cybercrime trends without getting bogged down in unnecessary details. We’ve also included the most important steps to protect against cybercrime over the next decade.
Download the report to learn:
- Why cybercriminals have moved away from payment card data and towards credentials and PII.
- The four most common attack vectors and what they reveal about threat actors’ motivations.
- Why hacktivism and grudge attacks have dropped significantly, and what’s replaced them.
- Where cybercrime will definitely go over the next few years—plus longer-term predictions from industry veterans Dr. Zero Trust (Chase Cunningham) and Dan Schaupner.
May 25, 2023