VERIS Attributes

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

As we often need to remind our very young children and grandchildren, actions have consequences.49 Incidents and data breaches are no different,50 and said consequences will often materialize as data leaks (confidentiality issue), unauthorized changes on your assets (integrity issue) or a loss of access to your data (availability issue).

More frequently than not, all of them can take a hit over the course of a multistep breach. Figure 23 demonstrates how often those three pillars were compromised over time in one of our charts with the most “DBIR charts do not add up to 100% because events are non-exclusive” energy thus far.

Roughly a third of the incidents we reviewed this year were data breaches where the Confidentiality of data was compromised. Figure 24 has the breakdown of data varieties that were leaked in breaches this year, and Personal data is unsurprisingly at the top of the list.

This continuous prevalence of Personal data in the top spot is in a way a self-fulfilling curse because the breaches that get more frequently disclosed will be the ones involving customer data where regulation requires the affected victims to be notified. Furthermore, customer data is so prevalent and hoarded without need or proper care that it will often be collateral damage in any sort of attack that might not even be specifically targeting it.

Internal company data (such as emails and business documents) and System-specific data also overshadow more exclusive targets such as Payment, Bank, Medical and Secrets. We have often described how the Ransomware (and now pure Extortion) breaches mean that the threat actors don’t need to care about the data they are stealing because they will always have the victim organization as the main buyer. We dig into ransomware, ransom amounts and extortion economics in the “System Intrusion” pattern section later in the report.

Data Breach Investigation Report figure 23
Data Breach Investigation Report figure 24
Data Breach Investigation Report figure 25

In addition, we are observing a decline in the Credentials data type from a percentage point of view. This is because the percentage of breaches caused by Error actions is rising (again as a result of our sample) as opposed to external actors who are exploiting weak credentials though credential stuffing or brute force attacks.

As a final curiosity, another side effect of the growth of extortion non-encrypting attacks has resulted in a significant bump in the Alter behavior variety under integrity. This is the integrity violation we get when Persons are influenced by external threat actors, and it is also a common outcome from a Phishing or Pretexting social action.

To see it overcome the Obscuration variety (the usual outcome of the Ransomware action) in such a sharp way in Figure 25 could be a harbinger of things to come. The consequence of which is that System Intrusion pattern attacks become more prevalent in the long run.

Attribute categories51

Confidentiality (cp): refers to limited observation and disclosure of an asset (or data). A loss of confidentiality implies that data were actually observed or disclosed to an unauthorized actor rather than endangered, at-risk or potentially exposed (the latter fall under the attribute of Possession or Control52). Short definition: limited access, observation and disclosure.

Integrity (ia): refers to an asset (or data) being complete and unchanged from the original or authorized state, content and function. Losses to integrity include unauthorized insertion, modification and manipulation. Short definition: complete and unchanged from original.

Availability (au): refers to an asset (or data) being present, accessible and ready for use when needed. Losses to availability include destruction, deletion, movement, performance impact (delay or acceleration) and interruption. Short definition: accessible and ready for use when needed.

Stephen Bonner

Deputy Commissioner – Regulatory Supervision, U.K. Information Commissioner’s Office (ICO)

People need to be assured their information will be kept safe so they can participate in society, including having the confidence to share their data to access services and use products.

Our security incident trend data, which we have contributed to this report, shows cyber threats not only continue to exist but increase year on year. It is important to remember that there is no single solution to security, but organizations can improve their cybersecurity through our guidance and tools to better protect people’s information.

We are also encouraging organizations to be transparent when a cyber incident happens, seeking early support and sharing information so the cyber threat landscape is improved for everyone. The ICO will soon publish a review of past security incidents to help organizations continue to improve their cyber resilience.

49 Especially bad actions. Benevolent ones often go unnoticed.

50 Threat actors should also be sent to bed without TV if they misbehave.




Call Sales

Have us contact you
Request a call

Call for Public Sector