
Verizon’s annual Data Breach Investigations Report (DBIR) is out! Now in its seventeenth year, the Verizon DBIR is trusted and respected in cybersecurity for its annual reporting and analysis of incidents and breaches. This year they analyzed 30,458 security incidents, of which 10,626 were confirmed data breaches. They are also introducing a new metric that will be tracked going forward: supply chain interconnection. (Page 13)
Exploitation of vulnerabilities increased substantially, nearly tripling (180% increase) from last year. One-third of all breaches involved ransomware. Extortion attacks have increased and now comprise 9% of all breaches. These newer techniques resulted in a small decline in ransomware, but combined, the two represent strong growth at 32% of breaches. (Summary of Findings, Page 7)
External actors are the top catalyst for breaches at 65%, but Internal actors show a significant increase, from last year’s 20% to 35%. It’s important to realize that 73% of those Internal actor breaches were in the Miscellaneous Errors pattern.
The incident data that was collected showed no indications of attacks, or of potential effects, from the use of the emerging field of generative artificial intelligence. From the report:
After performing text analysis alongside our criminal forums data contributors, we could obviously see the interest in GenAI (as in any other forum, really), but the number of mentions of GenAI terms alongside traditional attack types and vectors such as “phishing,” “malware,” “vulnerability” and “ransomware” were shockingly low, barely breaching 100 cumulative mentions over the past two years. Most of the mentions involved the selling of accounts to commercial GenAI offerings or tools for AI generation of non-consensual pornography. (Page 17)
There were 1,567 breach notifications related to the MOVEit vulnerability. (Page 21)
The focus on assets attacked showed 95% of breached assets were servers. (Page 24)
Roughly a third of the incidents reviewed this year were data breaches where the confidentiality of data was compromised. Personal data is unsurprisingly at the top of the list. (Page 25)
Some key takeaways in looking at the Incident Classification Patterns:
- System Intrusion: 5,175 incidents, 3,803 with confirmed data disclosure, Data compromised: Personal 50% (Page 30)
- Social Engineering: 3,661 incidents, 3,032 with confirmed data disclosure, Data compromised: Credentials 50% (Page 36)
- Basic Web Application Attacks: 1,997 incidents, 881 with confirmed data disclosure, Data compromised: Credentials 71% (Page 42)
- Miscellaneous Errors: 2,679 incidents, 2,671 with confirmed data disclosure, Data compromised: Personal 94% (Page 47)
- Denial of Service: 16,843 incidents, 3 with confirmed data disclosure (Page 49)
- Lost and Stolen Assets: 199 incidents, 181 with confirmed data disclosure, Data compromised: Personal 97% (Page 51)
- Privilege Misuse: 897 incidents, 854 with confirmed data disclosure, Data compromised: Personal 83% (Page 53)
See the CIS Controls for consideration included with each incident pattern.
The Industries section (Page 56) breaks down findings by industry (Finance, Education, Utilities, etc.). The Educational Services section (Page 61) discloses that the Miscellaneous Errors pattern has been trending upward for the last two years in that vertical. Not unlike the other industries that are examined, Misdelivery is front and center, accounting for 56% of errors. Loss (19%) and Classification error (10%) round off the top three error varieties.
Be sure to visit Appendix A: How to read this report for a better understanding. (Page 86)
Attribution: As stated in the report, it is permitted to include statistics, figures and other information from the report. Exact quotes are permitted. (Page 6)