2019 DBIR Executive Brief
The Verizon Data Breach Investigations Report (DBIR) provides you with crucial perspectives
on threats that organizations like yours face. The 12th DBIR is built on real-world data from
41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and
private entities, spanning 86 countries worldwide.
Figure 1. Who's behind the breaches? (bar chart, share of breaches from 0% to 100%; surviving label: 2% involved Partners)
Figure 3. What tactics are utilized? (bar chart, share of breaches from 0% to 100%)
Key Takeaways
Take me to your leader
C-level executives were twelve times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past. To further underline the growth of financial social engineering attacks, both security incidents and data breaches that compromised executives rose from single digits to dozens in this report.

Get out of my cloud
As companies continue to transition to more cost-efficient cloud-based solutions, their email and other valuable data migrate along with them. Criminals simply shift their focus and adapt their tactics to locate and steal the data they find to be of most value. Consequently, there’s been a corresponding increase in hacking cloud-based email servers via the use of stolen credentials. This is not an indication that cloud-based services are less secure, however. It is simply that phishing attacks, credential theft and configuration errors are a natural by-product of the process.

What a tangled web we weave
Payment card web application compromises are well on their way to exceeding physical terminal compromises in payment card-related breaches. Data from one of our contributors, the National Cyber-Forensics and Training Alliance (NCFTA), substantiates that this shift appears to have already occurred, and our larger data set is also trending that way.

Still held for ransom
Ransomware attacks are still going strong, and account for nearly 24 percent of incidents where malware was used. Ransomware has become so commonplace that it is less frequently mentioned in the specialized media unless there is a high-profile target in the mix. However, it is still a serious threat to all industries. Meanwhile, some other threats that are frequently hyped, such as cryptomining (2% of malware), occur very infrequently in our data set.

Chip and Pin for the win?
The number of physical terminal compromises in payment card-related breaches is decreasing when compared to web application compromises. This may be partly due to the implementation of chip and pin payment technology starting to show progress.

HR strikes back
Interestingly, attacks on Human Resource personnel have decreased from last year. Our data set showed 6x fewer Human Resource personnel being impacted this year compared to last. This correlates with W-2 tax form scams almost disappearing entirely from the DBIR data set.

I click, therefore I am
Click-through rates on phishing simulations for data partners fell from 24% to 3% during the past seven years. But 18% of people who clicked on test phishing links did so on mobile devices. Research shows mobile users are more susceptible to phishing, probably because of their user interfaces and other factors. This is also the case for email-based spear phishing and social media attacks.

Figure 7. Threat actor motives in breaches over time (line chart; series: Financial, Espionage, Other; y-axis: share of breaches, 0% to 75%; x-axis: 2011 to 2017)
Which threats does your industry face?
Every type of organization is at risk. But certain industries are more prone than others to specific kinds of attack. This is due to a multitude of factors, such as their business model, the type of data transmitted and retained, customer base, and even the various technologies needed to secure their environment. Knowing where an attack is most likely to occur offers the defender the opportunity to optimize their resources and helps to drive budget allocation. Many DBIR readers go directly to their industry to understand the threats they and their peers face. But you can gain valuable perspective from the experiences of other sectors, as well.

Our 2019 DBIR features a deep dive into industries, and covers the specific threats, motivations and bad actors they face.
Incidents and Breaches by industry (each industry is labeled once under Incidents and once under Breaches): Manufacturing (31-33), Accommodation (72), Professional (54), Healthcare (62), Information (51), Education (61), Retail (44-45), Finance (52), Public (92)
Crimeware 17 31 52 76 206 58 60 4,758 21 3 3 7 1 3 5 8 8 3
Web Applications 14 30 76 71 75 40 79 93 92 14 24 70 65 45 36 73 33 88
Everything Else 7 24 29 39 23 23 59 61 14 3 20 12 27 17 8 26 37 8
Pattern
Point of Sale 40 2 10 38 2 9
Hacking 45 279 699 100 796 233 524 1,279 162 42 42 95 78 75 58 100 205 102
1 19 100 110 14 36 13 16 1 9 45 85 7 14 10 40 14
Action
Misuse 13,021
Physical 5 6 32 47 5 4 8 20 16 2 1 18 17 2 2 3 9 6
Server 68 324 722 225 874 259 559 1,244 184 55 60 117 165 133 64 111 131 118
Network 2 1 3 1 1 4 3 1 1 1 1 1 2 1 1
Media 1 10 16 98 2 2 20 777 8 1 6 13 79 2 2 14 31 7
Kiosk/Term 24 1 1 1 9 17 1 1 4
The breach totals in our data set have decreased from last year, primarily due to a lack of POS vendor incidents that have led to numerous organizations being compromised with stolen partner credentials.

Denial of Service and use of stolen credentials on banking applications remain common. Compromised email accounts become evident once those attacked are filtered. ATM Skimming continues to decline.

Web applications are targeted with availability attacks as well as leveraged for access to cloud-based organizational email accounts.

Cyber-Espionage is rampant in the Public sector, with State-affiliated actors accounting for 79 percent of all breaches involving external actors. Privilege Misuse and Error by insiders account for 30 percent of breaches.

Manufacturing
Manufacturing has been experiencing an increase in financially motivated breaches in the past couple of years, but espionage is still a strong motivator. Most breaches involve phishing and the use of stolen credentials.

Retail
Card present breaches involving POS compromises or gas-pump skimmers continue to decline. Attacks against e-commerce payment applications are satisfying the financial motives of the threat actors targeting this industry.
98% of security incidents and 88% of data breaches continue to occur within one of nine patterns.

Be wary of inside jobs.
Track insider behavior by monitoring and logging access to sensitive data. Make it clear to staff just how good you are at recognizing fraudulent transactions.

Scrub packets.
Distributed denial of service (DDoS) protection is an essential control for many industries. Guard against nonmalicious interruptions with continuous monitoring and capacity planning for traffic spikes.

Stay socially aware.
Social attacks are effective ways to capture credentials. Monitor email for links and executables. Give your teams ways to report potential phishing or pretexting.

The stakes are high, with organizations’ data, customer base, proprietary business information and trade secrets vulnerable to attacks. Data breaches continue to threaten organizational reputations and finances. But security professionals have the power to meet these challenges.

Get all the details, including industry-specific attack patterns, in the 2019 DBIR.
© 2019 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon’s products and services are trademarks and
service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks
and service marks are the property of their respective owners. 05/19