Regions: Introduction

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

This edition of the DBIR marks the fourth year we have examined cybercrime incidents from a macro-regional point of view. We hope our readers find this broader look at cybercrime useful and instructive. As previously mentioned, our visibility into a certain region is determined by many variables, including contributors, regional disclosure laws and our own data. If your part of the world is not featured in the following pages, please contact us about becoming a data contributor and motivate other organizations in your area to do the same so that we can keep growing and improving our coverage each year. Even if your region is not represented here, this does not mean we have no visibility into the region but rather that we don’t have enough incidents in that geography to have a statistically significant section.

We define the regions of the world in accordance with the United Nations M4958 standards, which combines the super-region and sub-region of a country together. By so doing, the regions we will examine are as follows:

APAC: Asia Pacific, including Southern Asia (034), South-eastern Asia (035), Central Asia (143), Eastern Asia (030) and Oceania (009)

EMEA: Europe, Middle East and Africa, including Northern Africa (015), Europe (150) and Eastern Europe (151) and Western Asia (145)

LAC: Latin America and the Caribbean, including South America (005), Central America (013) and Caribbean (029)

NA: Northern America (021), including the United States and Canada

As in previous years, we have sliced and diced our data in many ways, and this time we are presenting the data for the various regions a little differently. Long-time readers will recognize the At-a-Glance tables that we put in each major section, only in this case, we’ve combined them to give you an easy way to see just how similar (and different) each of the regions are with regard to the frequency, top patterns, etc.



Top patterns

Threat actors

Actor motives

Data compromised


699 incidents, 164 with confirmed data disclosure

Social Engineering, System Intrusion and Basic Web Application Attacks represent 93% of breaches

External (92%), Internal (9%), Partner (2%), Multiple (2%) (breaches)

Financial (61%), Espionage (39%), Convenience (2%), Grudge (2%), Secondary (1%) (breaches)

Internal (56%), Secrets (42%), Other (33%), Credentials (29%) (breaches)


2,557 incidents, 637 with confirmed data disclosure

System Intrusion, Social Engineering and Basic Web Application Attacks represent 97% of breaches

External (98%), Internal (2%), Multiple (1%) (breaches)

Financial (91%), Espionage (8%), Ideology (1%), Fun (1%) (breaches)

Credentials (53%), Internal (37%), System (35%), Other (15%) (breaches)


535 incidents, 65 with confirmed data disclosure

System Intrusion, Social Engineering and Basic Web Application Attacks represent 94% of breaches

External (95%), Internal (5%), Partner (2%), Multiple (2%) (breaches)

Financial (93%), Espionage (11%), Ideology (2%) (breaches)

System (55%), Internal (32%), Classified (23%), Credentials (23%), Other (19%) (breaches)


9,036 incidents, 1,924 with confirmed data disclosure

System Intrusion, Basic Web Application Attacks and Social Engineering represent 85% of breaches

External (94%), Internal (12%), Multiple (9%), Partner (2%) (breaches)

Financial (99%), Espionage (1%), Grudge (1%) (breaches)

Credentials (67%), Internal (50%), Personal (38%), Other (24%) (breaches)


It is readily apparent that the System Intrusion pattern is top of the heap for all regions except APAC, where it is still a large problem, just not as pressing as Social Engineering. It is also quite clear that the who and why behind cybercrime is the Financially motivated external actor. We see more variation in the data types favored by these actors in the different regions, and while our data frequently shows us the “what,” it rarely tells us the “why.”  It may be that certain data types are better protected by regulatory requirements in certain regions versus others. It may be some other factor we haven’t thought of; it’s hard to say. But clearly, Credentials are still figuring prominently and need to be made less valuable when breached (hint: we’re looking at you, MFA).

Just feast your eyes on these lovely heatmaps in Figure 63. This is our favorite way to illustrate how different (or similar) these attacks are based on geography. When broken out by pattern and region, you can clearly see that although there are definitely differences (many of which are no doubt based on industry and their resulting common infrastructure partners), there are some concentrations for each region as well as across regions. 

Hopefully this is illustrative of what your region—and, when combined with other data in this report, industries and organization size—is most prone to in terms of attacks so that you can better direct your defensive strategy. If you’re still unsure where to start and you skipped over the SMB section, it is a good reference for how to apply the information in this report.


Let's get started.