2022 Data Breach Investigations Report
Geographics
Countries Represented in Combined DBIR Caseload
Year
Patterns by Region
Region
Breach Trends
Breaches Over Time
Show
Measure
Breach trends is a retrospective look over the last several years at various components of data breaches. Specifically, the threat actors involved and the actions they leveraged, along with the assets that were impacted, and the corresponding attributes compromised.
| Multiple | Partner | Internal | External | ||||||||||||||||||||||||||
| Availability | |||||||||||||||||||||||||||||
| Integrity | Embedded | ||||||||||||||||||||||||||||
| Confidentiality | |||||||||||||||||||||||||||||
| Availability | |||||||||||||||||||||||||||||
| Integrity | Kiosk/Term | ||||||||||||||||||||||||||||
| Confidentiality | |||||||||||||||||||||||||||||
| Availability | |||||||||||||||||||||||||||||
| Integrity | Media | ||||||||||||||||||||||||||||
| Confidentiality | |||||||||||||||||||||||||||||
| Availability | |||||||||||||||||||||||||||||
| Integrity | Network | ||||||||||||||||||||||||||||
| Confidentiality | |||||||||||||||||||||||||||||
| Availability | |||||||||||||||||||||||||||||
| Integrity | Person | ||||||||||||||||||||||||||||
| Confidentiality | |||||||||||||||||||||||||||||
| Availability | |||||||||||||||||||||||||||||
| Integrity | Server | ||||||||||||||||||||||||||||
| Confidentiality | |||||||||||||||||||||||||||||
| Availability | |||||||||||||||||||||||||||||
| Integrity | User Device | ||||||||||||||||||||||||||||
| Confidentiality | |||||||||||||||||||||||||||||
Environmental | Error | Misuse | Physical | Social | Hacking | Malware | Environmental | Error | Misuse | Physical | Social | Hacking | Malware | Environmental | Error | Misuse | Physical | Social | Hacking | Malware | Environmental | Error | Misuse | Physical | Social | Hacking | Malware | ||
Show
Year
Actions
Discovery Methods Used Over Time
How a breach is discovered has a significant effect on its overall impact. External detection is usually a ‘lock the barn doors after the horses have left’ scenario. For internal detection, while the barn doors might be open, the horses may actually still be inside.
Show
Filter
Most Used
Least Used
Motive Breakdown By Action Subcategory
Show
Actors behave differently depending on their motivation. Understanding the factors that motivate the actors helps to determine the actions associated with them, and that knowledge can help you better tune your defenses.
Espionage
Financial
Fun, ideology, or grudge
Year
Breach events
Response Time For Breach Events
Measure
While we cannot determine how much time is spent in intelligence gathering or other adversary preparations, the time from first action in an event chain to initial compromise of an asset is most often measured in seconds or minutes. The discovery time is likelier to be weeks or months. The discovery time is also very dependent on the type of attack, with payment card compromises often discovered based on the fraudulent use of the stolen data (typically weeks or months) as opposed to a stolen laptop which is discovered when the victim realizes they have been burglarized.
Let’s get the obvious and infeasible goal of “Don’t get compromised” out of the way. A focus on understanding what data types are likely to be targeted and the application of controls to make it difficult (even with an initial device compromise) to access and exfiltrate is key. We do not have a lot of data around time to exfiltration, but improvements in that metric, combined with time to discovery can result in the prevention of a high-impact confirmed data breach.
compromise
Events
exfiltration
Events
discovery
Events
containment
Events
Year
Breach Paths
Data Types
Breaches By Data Type Over Time
Measure
If a breach is defined as an incident that results in the confirmed disclosure — not just potential exposure — of data to an unauthorized party, then a variety of data types must be involved. Understanding what varieties are being breached can give us insights of what type data we most need to protect in our own organization.
Patterns
Pattern Breakdown
Show
Since the 2014 report, a series of nine patterns have been used to categorize security incidents and data breaches that share similar characteristics. This was done in an effort to communicate that the majority of incidents/breaches, even targeted, sophisticated attacks, generally share enough commonalities to categorize them, and study how often each pattern is found in a particular industry's dataset. This year, 94% of security incidents and 90% of data breaches continue to find a home within one of the original nine patterns.
Year
Explore Patterns
Basic Web Application Attacks
900
breaches
4,002
incidents
Denial of Service
4
breaches
6,962
incidents
Everything Else
6
breaches
6
incidents
Lost and Stolen Assets
61
breaches
707
incidents
Miscellaneous Errors
522
breaches
528
incidents
Privilege Misuse
137
breaches
173
incidents
Social Engineering
824
breaches
1,623
incidents
System Intrusion
1,545
breaches
3,526
incidents
Industries
Industry Breakdown by Organization Size
Show
Organization Size
Year
Patterns by Organization Size
Organization Size
Explore Industries
Accommodation and Food Services
69
breaches
156
incidents
Construction
57
breaches
127
incidents
Education
282
breaches
1,241
incidents
Entertainment
96
breaches
215
incidents
Financial and Insurance
690
breaches
2,527
incidents
Healthcare
571
breaches
849
incidents
Information
378
breaches
2,561
incidents
Manufacturing
338
breaches
2,337
incidents
Mining
132
breaches
231
incidents
Other Services
101
breaches
180
incidents
Professional Services
681
breaches
3,566
incidents
Public Administration
537
breaches
2,792
incidents
Real Estate
76
breaches
118
incidents
Retail
241
breaches
629
incidents
Transportation
137
breaches
305
incidents
Utilities
47
breaches
172
incidents