Europe, Middle East and Africa (EMEA)

  • Summary

    Attackers are targeting web applications in EMEA with a combination of hacking techniques that leverage either stolen credentials or known vulnerabilities. Cyber-Espionage attacks leveraging these tactics were common in this region. Denial of Service attacks continue to cause availability impacts on infrastructure as well.


    4,209 incidents, 185 with confirmed data disclosure

    Top Patterns 

    Web Application, Everything Else and Cyber-Espionage represent 78% of data breaches in EMEA.

    Threat Actors

    External (87%), Internal (13%), Partner (2%), Multiple (1%) (breaches)

    Actor Motives

    Financial (70%), Espionage (22%), Ideology (3%), Fun (3%), Grudge (3%), Convenience (1%) (breaches)

    Data Compromised 

    Credentials (56%), Internal (44%), Other (28%), Personal (20%) (breaches)


  • As our world has become increasingly smaller over the years, it seems that the scope of our report has done the opposite.

    In that spirit of growth and exploration, we will examine data from Europe, the Middle East and Africa (EMEA) in this section. While some of our readers may consider it “over there,” the types of attacks and cybersecurity incidents experienced by those in EMEA are quite similar to what we observe in North America and elsewhere. In the EMEA region Web applications, Everything Else and Cyber-Espionage are the top patterns associated with the 185 breaches that we tracked this year (Figure 125).

    The Web Applications pattern encompasses two major attacks that greatly affect this region. The first is Hacking via the Use of Stolen Credentials, which accounts for approximately 42% of data breaches in EMEA. This scenario usually plays out in the following manner: An attacker uses credentials, typically gathered either through phishing or malware, to access a web application platform owned by the organization and commit wickedness of one type or another. This year, we’ve seen adversaries target assets such as outward-facing email servers, but also other platforms such as business-related applications. The second type of attack associated with this pattern is the use of exploits against web-facing applications to either gain access to the system data itself, or to repurpose the server for something more nefarious. These attacks within Web Applications account for the close to 20% of our breaches in EMEA this year. If you haven’t checked your external-facing websites recently for unpatched vulnerabilities or missing multi-factor logins, you might want to get on that.

  • Figure 125

  • The next pattern, Everything Else, is a catch-all category for breaches and incidents that do not readily fit into one of the other patterns. In this instance, it mostly consists of typical business email compromises (BEC) and represent 19% of the data breaches within this region. In this type of incident, fraudsters will mimic a business partner, client, executive, etc., in order to get an organization to transfer a payment over to an attacker-owned bank account. These attacks vary in degree of sophistication between spear-phishing and pretexting (where a bad actor hijacks an existing thread and insert themselves into the conversation, thereby making it much harder to catch the fraudulent action). 

  • Figure 126

  • I spy

    In third place was the Cyber-Espionage pattern, accounting for 14% of breaches in this region, which is substantially higher than the average of 3% for the overall dataset. This is an interesting finding, and there is not a clear-cut reason for it. The most likely explanation is that it may be an artifact of our data contributors and the cases they happen to encounter in that region. But then again, James Bond is British after all. In this sort of incident, one should expect to see the hallmarks of the APT attack—combinations of social attacks (phishing) to gain access, along with malware being dropped and deployed in the environment in order to maintain persistence and remain unobserved.

  • Zooming out

    If we take a step back and look at the larger class of incidents, we see that DoS attacks topped the charts for malware varieties in EMEA (Figure 126). An interesting point is that while DoS attacks accounted for a very high percentage of incidents in EMEA’s overall corpus, they actually had one of the lowest rates of BPS (bits per second) of any region. The second most common malware for the region was ransomware, which continues to be ubiquitous globally. In fact, if we remove DoS attacks, ransomware accounts for 6% percent of all incidents in EMEA, and is commonly associated with C2/backdoors, Brute forcing and Password dumpers. All the more reason we should keep our endpoints malware free and our servers locked down.