2018 Data Breach Investigations Report

At a glance

Hey, thanks for stopping by the Interactive Verizon Data Breach Investigations Report (DBIR) portal. Every year we use data from around the world to publish the DBIR so that information security practitioners can understand the threats they face. But we want to put the data to work for the information security community beyond what we can do in a written report or a limited number of pages. This portal provides interactive details so you can explore the most common DBIR incident patterns for your industry. So come over, dig in, and get to know the DBIR data a bit better.

All dates on the interactive DBIR website represent the calendar year of the incident. These values will differ from the print DBIR in cases where the DBIR collection period was used. This does not affect the validity of the analysis. To read more, see the Methodology section of the print DBIR.

Geographics

Countries Represented in Combined DBIR Caseload

Breach Trends

Breaches Over Time

Breach trends is a retrospective look over the last several years at various components of data breaches: specifically, the threat actors involved and the actions they leveraged, along with the assets that were impacted and the corresponding attributes compromised.

[Chart: breaches over time, broken down by Actors (External, Internal, Partner, Multiple), Actions (Malware, Hacking, Social, Physical, Misuse, Error, Environmental), Assets (Embedded, Kiosk/Term, Media, Network, Person, Server, User Device) and Attributes (Confidentiality, Integrity, Availability).]

Actions

Discovery Methods Used Over Time

How a breach is discovered has a significant effect on its overall impact. External detection is usually a ‘lock the barn doors after the horses have left’ scenario. For internal detection, while the barn doors might be open, the horses may actually still be inside.

Motive Breakdown By Action Subcategory

Actors behave differently depending on their motivation. Understanding the factors that motivate the actors helps to determine the actions associated with them, and that knowledge can help you better tune your defenses.

Espionage

Financial

Fun, ideology, or grudge

Breach events

Response Time For Breach Events

While we cannot determine how much time is spent in intelligence gathering or other adversary preparations, the time from first action in an event chain to initial compromise of an asset is most often measured in seconds or minutes. The discovery time is likelier to be weeks or months. The discovery time is also very dependent on the type of attack, with payment card compromises often discovered based on the fraudulent use of the stolen data (typically weeks or months), as opposed to a stolen laptop, which is discovered when the victim realizes they have been burglarized.

Let’s get the obvious and infeasible goal of “Don’t get compromised” out of the way. The key is to understand which data types are likely to be targeted and to apply controls that make that data difficult to access and exfiltrate, even after an initial device compromise. We do not have a lot of data around time to exfiltration, but improvements in that metric, combined with time to discovery, can result in the prevention of a high-impact confirmed data breach.

[Chart: number of breach events by response time, for each phase: compromise, exfiltration, discovery, containment.]

Breach Paths

Data Types

Breaches By Data Type Over Time

If a breach is defined as an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party, then a variety of data types must be involved. Understanding which varieties are being breached can give us insight into what types of data we most need to protect in our own organization.

Patterns

Pattern Breakdown

Since the 2014 report, a set of nine patterns has been used to categorize security incidents and data breaches that share similar characteristics. This was done in an effort to communicate that the majority of incidents and breaches, even targeted, sophisticated attacks, generally share enough commonalities to be categorized, and to study how often each pattern is found in a particular industry's dataset. This year, 94% of security incidents and 90% of data breaches continue to find a home within one of the original nine patterns.
