2019 data breach investigations report · back in 2014 we identified nine incident patterns that...

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

2019 Data Breach Investigations Report


Post on 12-Aug-2020




Proprietary Statement

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.

This document and any attached materials are not to be disseminated, distributed or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon.

© 2019 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.

All other trademarks and service marks are the property of their respective owners.


For security practitioners. Written by security practitioners.

Unparalleled reach into breach insights.


12 years

86 countries

73 contributors

41,686 security incidents

2,013 data breaches


2019 DBIR Contributors (n=73)


Leveraging our intelligence. Incident Classification Patterns.

Back in 2014 we identified nine incident patterns that cover most of the threats likely to be faced.

98.5% of security incidents and 88% of confirmed data breaches continue to fall into these across the 2019 report.

Pattern consistency allows security professionals to prioritize spend when looking at investments on IT/OT/IoT Security.


Hot Topics

C-level executives increasingly and proactively targeted by social breaches

Senior executives are 12x more likely to be the target of social incidents, and 9x more likely to be the target of social breaches than in previous years – and financial motivation remains the key driver. Financially-motivated social engineering attacks (12%) are a key topic in this year’s report, highlighting the critical need to ensure ALL levels of employees are made aware of the potential impact of cybercrime.

New analysis from first-time contributor: FBI Internet Crime Complaint Center (IC3)

Provides insightful analysis of the impact of Business Email Compromises (BECs) and Computer Data Breaches (CDBs). When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered.


Hot Topics

Shift in attacker behavior towards cloud-based services

Compromise of web-based email accounts using stolen credentials (98 percent) is rising (seen in 60 percent of attacks involving hacking a web application).

Publishing errors in the cloud are increasing year-over-year, exposing at least 60 million records analyzed in the DBIR dataset. This (misconfiguration) accounts for 21 percent of breaches caused by errors.


Other Key Findings

• One quarter of all breaches are still associated with espionage.

• External threat actors are still the primary force behind attacks (69 percent of breaches) with insiders accounting for 34 percent.

• Chip and Pin payment technology has started delivering security dividends - the number of payment card web application compromises is close to exceeding the number of physical terminal compromises in payment card related breaches.


Other Key Findings (2)

• Ransomware attacks are still strong, accounting for 24 percent of the malware incidents analyzed; ranking as #2 in the malware varieties most used.

• Media-hyped crypto-mining attacks were hardly existent - these types of attacks were not listed in the top 10 malware varieties, and only accounted for roughly 2 percent of incidents.

• Attacks on Human Resource personnel have decreased from last year - findings saw 6x fewer of those professionals being impacted this year compared to last, correlating with the W-2 scams almost disappearing from the DBIR dataset.


Unbroken Chains – Path-based attack analysis

• Most of the successful attacks are short, likely because it is both cheaper and easier for the attacker (or the breach is simply due to a single error).


Unbroken Chains – Path-based attack analysis

• When you examine the attack paths, the “malware” threat action variety usually doesn't begin a breach (it is normally a second or later step in the compromise).

• Also, breaches rarely end with a ‘social’ action (so if you see a social attack, you can expect more to follow).


Details by Vertical

• Accommodation and Food Services

• Educational Services

• Financial and Insurance

• Healthcare

• Information

• Manufacturing

• Professional, Technical & Scientific Services

• Public Administration

• Retail


Accommodation and Food Services

• While POS breaches are often a small business issue, large hotel and restaurant chains can learn from this data and, if they use a franchise business model, disseminate this knowledge to their franchisees.

• In fact, 100 percent of POS breaches in this industry were discovered via external methods. This is a clear indicator that while there is work to be done on preventative controls around POS compromise, there is equal room for improvement in detecting compromise.


Educational Services


Financial and Insurance

• In this industry, we acknowledge, but filter, over 40,000 breaches associated with botnets to be analyzed separately.

• Physical attacks against ATMs have seen a decline from their heyday of the early 2010s. We are hopeful that the progress made in the implementation of EMV chips in debit cards, influenced by the liability shift to ATM owners, is one reason for this decline.


Healthcare

• Unsurprisingly, medical data is 18 times more likely to be compromised in this industry.

• When an internal actor is involved, it is 14 times more likely to be a medical professional such as a doctor or nurse.

• Databases are a favorite for internal misuse, and those attacks take longer to discover versus attacks by external actors.

• Over 70% of all malware in this vertical was ransomware.


Information

• The disparity between external attackers (56%) and internal attackers (44%) is less than in most other industry verticals represented.

• Information has one of the highest amounts of the data type ‘Secrets’ (22%) stolen among industries.

• Error (43%) is one of the top two causes of data breaches in this industry.


Manufacturing

• For the second year in a row, financially motivated attacks outnumber cyber-espionage as the main reason for breaches in manufacturing, and this year by a more significant percentage (40% difference).

• Speaking to the web application attacks, this industry shares the same burden of dealing with stolen webmail credentials as other industries did. Most breaches with a web application as a vector also featured a mail server as an affected asset. From an overall breach perspective, the use of stolen credentials and web applications were the most common hacking action and vector.


Professional, Technical & Scientific Services


Public Administration


Retail


Wrapping up - DBIR

• While we have observed a definite shift in attacker behavior towards cloud-based services for email and online payment card processing systems, this does not indicate that there are necessarily any inherent weaknesses associated with those environments.

• Instead, we believe this to simply be a result of the attacker changing tactics and targets to meet the corresponding change in the locations of valuable corporate assets.

• As the victim organizations increasingly migrate to cloud based solutions, the attackers must alter their actions in order to access and monetize those assets.

• The evolving job of the CISO/CSO is to understand how this large-scale digital relocation changes the landscape, and how they can make known risk vectors more or less likely.

“The more things change, the more they stay the same”.


Questions?


https://enterprise.verizon.com/resources/reports/dbir/