Companies Often Fail To Secure Their Data
This article is from the archive of The New York Sun before the launch of its new website in 2022. The Sun has neither altered nor updated such articles but will seek to correct any errors, mis-categorizations or other problems introduced during transfer.

Most thefts of sensitive information from corporations occur when the victimized companies don’t know what data they have, where they have it, or who has access to it, according to a study released yesterday by Verizon Communications Inc.
In about two-thirds of the 500 data thefts investigated by Verizon’s security unit over the past several years, the targets didn’t know what information they were storing or where exactly they were storing it.
A co-author of the study, Brian Sartin, said it was typical for a company to encrypt carefully the customer information stored on its central mainframe computer — without realizing that the underlying data is available at dozens of other places.
That’s a big reason that most of the successful attacks didn’t require special skills, Mr. Sartin said. Another is that hackers go where they will have the least difficulty. Commonly, they scan for corporate machines that have known vulnerabilities and are likely to hold credit card numbers or identifying information about individuals. The study found those were the two most common payoffs.
Company insiders participated in only 18% of the breaches, although those cases tended to involve much bigger caches of information.
Outside partners of the victimized companies were the source of the improper access 39% of the time, usually unwittingly. That proportion of the total has risen dramatically in the past four years.
“Instead of targeting companies by name, criminal gangs are targeting individuals inside call centers because they have access to hundreds or thousands of companies,” Mr. Sartin said.
In one telling example, a major oil company that Mr. Sartin declined to name began getting complaints about fraudulent charges racked up on the cards of people who used the company’s gas stations. Verizon found that the only regular access to the point-of-sale systems there came from the company that sold those systems.
The password was simply the name of that company, and employees could gain access from any computer on the Internet.