2020 Data Breach Investigations Report: DBIR Cheat sheet, Introduction, Summary of findings

DBIR 2020 Data Breach Investigations Report

3,950 breaches. That is what you are seeing. Each of these squares is organized by the 16 different industries and four world regions we cover in this year's report. Each square represents roughly one breach (1.04 to be more exact), for a total of 4,675 squares, since breaches can be displayed in both their industry and region. We also analyzed a record total of 157,525 incidents, 32,002 of which met our quality standards. The data coverage this year is so comprehensive that it shines through the monochromatic front cover, reinforcing the mission of the DBIR as being a data-driven resource. Turn the page to dig into the findings.

Table of contents

01
DBIR Cheat sheet 4
Introduction 6
Summary of findings 7

02
Results and analysis 8
Actors 11
Actions 13
Threat action varieties 14
Error 15
Malware 16
Ransomware 17
Hacking 20
Social 25
Assets 27
Attributes 30
How many paths must a breach walk down? 32
Timeline 35
Incident classification patterns and subsets 36

03
Industry analysis 40
Accommodation and Food Services (NAICS 72) 46
Arts, Entertainment and Recreation (NAICS 71) 48
Construction (NAICS 23) 50
Educational Services (NAICS 61) 52
Financial and Insurance (NAICS 52) 54
Healthcare (NAICS 62) 56
Information (NAICS 51) 59
Manufacturing (NAICS 31–33) 61
Mining, Quarrying, and Oil & Gas Extraction + Utilities (NAICS 21 + NAICS 22) 64
Other Services (NAICS 81) 66
Professional, Scientific and Technical Services (NAICS 54) 68
Public Administration (NAICS 92) 71
Real Estate and Rental and Leasing (NAICS 53) 73
Retail (NAICS 44–45) 75
Transportation and Warehousing (NAICS 48–49) 78

04
Does size matter? A deep dive into SMB breaches 80

05
Regional analysis 86
Northern America (NA) 90
Europe, Middle East and Africa (EMEA) 94
Asia Pacific (APAC) 97
Latin America and the Caribbean (LAC) 101

06
Wrap-up 104
CIS Control recommendations 106
Year in review 109

07
Appendices 112
Appendix A: Methodology 114
Appendix B: VERIS Common Attack Framework (VCAF) 118
Appendix C: Following the money—the key to nabbing the cybercriminal 120
Appendix D: State of Idaho enhances incident response program with VERIS. 122
Appendix E: Contributing organizations 124

DBIR Cheat sheet

Hello and welcome to the 2020 Data Breach Investigations Report (DBIR)! We have been doing this report for a while now, and we appreciate that all the verbiage we use can be a bit obtuse at times. We use very deliberate naming conventions, terms and definitions and spend a lot of time making sure we are consistent throughout the report. Hopefully, this section will help make all of those more familiar.

VERIS resources

The terms "threat actions," "threat actors" and "varieties" will be referenced a lot. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework we designed to allow for a consistent, unequivocal collection of security incident details. Here is how they should be interpreted:

Threat actor: Who is behind the event? This could be the external "bad guy" that launches a phishing campaign or an employee who leaves sensitive documents in their seat-back pocket.

Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error and Environmental. Examples at a high level are hacking a server, installing malware and influencing human behavior through a social attack.

Variety: More specific enumerations of higher-level categories, e.g., classifying the external "bad guy" as an organized criminal group or recording a hacking action as SQL injection or brute force.

Learn more here:

  • github.com/vz-risk/dbir/tree/gh-pages/2020 includes DBIR facts, figures and figure data.
  • veriscommunity.net features information on the framework with examples and enumeration listings.
  • github.com/vz-risk/veris features the full VERIS schema.
  • github.com/vz-risk/vcdb provides access to our database on publicly disclosed breaches, the VERIS Community Database.
  • http://veriscommunity.net/veris_webapp_min.html allows you to record your own incidents and breaches. Don't fret, it saves any data locally and you only share what you want.

Incident vs breach

We talk a lot about incidents and breaches and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level. We will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. "52" is the NAICS code for the Finance and Insurance sector. The overall label of "Financial" is used for brevity within the figures. Detailed information on the codes and classification system is available here: https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012

Dotting the charts and crossing the confidence

Last year, we introduced our now (in)famous slanted bar charts to show the uncertainty due to sampling bias.¹ One tweak we added this year was to roll up an "Other" aggregation of all the items that do not make the cut on our "Top (whatever)" charts. This will give you a better sense of the things we left out.

Not to be outdone this year, our incredible team of data scientists decided to try dot plots² to provide a better way to show how values are distributed.

The trick to understanding this chart is that the dots represent organizations. So if there are 100 dots (like in each chart in Figure 1), each dot represents 1% of organizations. In Figure 1, we have three different charts, each representing common distributions we may find in this report. For convenience, we have colored the first half and the second half differently so it's easier to locate the median.

[Figure 1. Example dot plots. Three panels, High, Low and Medium, each with an x-axis running 0%, 25%, 50%, 75%, 100%.]

In the first chart (High), you see that a lot of companies had a very large value³ associated with them. The opposite is true for the second one (Low), where a large number of the companies had zero or a low value. On the third chart (Medium), we got stuck in the middle of the road and all we can say is that most companies have that middle value.

Using the Medium chart, we could probably report an average or a median value. For the High and Low ones, an average is statistically undefined and the median would be a bit misleading. We wouldn't want to do you like that.

Questions? Comments? Still mad because VERIS uses the term "Hacking"? Let us know! Drop us a line at [email protected], find us on LinkedIn, tweet @VerizonBusiness with the #dbir. Got a data question? Tweet @VZDBIR!

¹ Check "New chart, who dis?" in the "A couple of tidbits" section on the inside cover of the 2019 DBIR if you need a refresher on the slanted bar charts.
² To find out more about dot plots, check out Matthew Kay's paper: http://www.mjskay.com/papers/chi2018-uncertain-bus-decisions.pdf
³ Don't worry about what the value is here. We made it up to make the charts pretty. And don't worry later either, we'll use a real value for the rest of the dot plots.

Introduction

"Experience is merely the name men gave to their mistakes."
—Oscar Wilde, The Picture of Dorian Gray

Here we are at another edition of the DBIR. This is an exciting time for us as our little bundle of data turns 13 this year. That means that the report is going through a lot of big changes right now, just as we all did at that age. While some may harbor deeply rooted concerns regarding the number 13 and its purported associations with mishap, misadventure and misfortune, we here on the team continue to do our best to shine the light of data science into the dark corners of security superstition and dispel unfounded beliefs.

With that in mind, we are excited to ask you to join us for the report's coming-of-age party.

process in order to improve how VERIS connects and interacts with other existing standards. We also aligned with the Center for Internet Security (CIS)⁴ Critical Security Controls and the MITRE ATT&CK®⁵ framework to improve the types of data we can collect for this report, and to map them to appropriate controls.

A huge "thank you" is in order to each and every one of our 81 contributors representing 81 countries, both those who participated for the first time in this year's report, and those tried-and-true friends who have walked this path with us for many years. This document,

Summary of findings

Figure 2. What tactics are utilized?

  • 45% of breaches featured Hacking
  • 22% included Social attacks
  • 22% involved Malware
  • Errors were causal events in 17% of breaches

Figure 3. Who's behind the breaches?

  • 70% perpetrated by External actors
  • Organized criminal groups were behind 55% of breaches
  • 30% involved internal actors
  • Only 4% of breaches had four or more attacker actions
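The cheat sheet's definitions (incident vs breach, actor, action, variety) and the Summary of findings percentages fit together mechanically: a DBIR-style figure is a count over VERIS records that meet the breach criterion. The script below is an added example, not code from the DBIR or the VERIS project, that applies those definitions to a handful of constructed VERIS-shaped records. The nested field names it reads (actor.external.variety, action.hacking.variety, attribute.confidentiality.data_disclosure) and the enumeration values it uses are assumed to follow the public VERIS JSON schema linked above; treat them as an assumption and check against github.com/vz-risk/veris before using this on real data. The five sample records are constructed for illustration and are not DBIR data.

```python
"""Apply the DBIR cheat-sheet definitions to VERIS-shaped incident records.

Added example (not DBIR or VERIS project code). Field names and enumeration
values are ASSUMED to match the public VERIS JSON schema; verify against
github.com/vz-risk/veris. All records below are constructed, not real data.
"""
from collections import Counter
from typing import Iterable

# The seven primary threat action categories named in the cheat sheet.
ACTION_CATEGORIES = ("malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental")

# Constructed sample: five incidents. Only those with *confirmed*
# disclosure count as breaches under the cheat-sheet definition.
SAMPLE_INCIDENTS = [
    {   # phishing, then stolen credentials used against a web app: breach
        "actor": {"external": {"variety": ["Organized crime"]}},
        "action": {"social": {"variety": ["Phishing"]},
                   "hacking": {"variety": ["Use of stolen creds"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
    {   # employee misdelivers a document: internal actor, Error action, breach
        "actor": {"internal": {"variety": ["End-user"]}},
        "action": {"error": {"variety": ["Misdelivery"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
    {   # ransomware: availability hit, disclosure only "Potentially" -> incident only
        "actor": {"external": {"variety": ["Organized crime"]}},
        "action": {"malware": {"variety": ["Ransomware"]}},
        "attribute": {"availability": {"variety": ["Obscuration"]},
                      "confidentiality": {"data_disclosure": "Potentially"}},
    },
    {   # brute force against a server, data loss unknown -> incident only
        "actor": {"external": {"variety": ["Unaffiliated"]}},
        "action": {"hacking": {"variety": ["Brute force"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Unknown"}},
    },
    {   # SQLi by an external actor plus privilege abuse by a partner: breach
        "actor": {"external": {"variety": ["Organized crime"]},
                  "partner": {"motive": ["Financial"]}},
        "action": {"hacking": {"variety": ["SQLi"]},
                   "misuse": {"variety": ["Privilege abuse"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
]


def is_breach(incident: dict) -> bool:
    """Cheat-sheet rule: a breach needs confirmed disclosure. In VERIS that is
    data_disclosure == "Yes"; "Potentially" and "Unknown" stay incidents."""
    conf = incident.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"


def action_categories(incident: dict) -> set:
    """Primary threat action categories recorded on the incident."""
    return {c for c in ACTION_CATEGORIES if c in incident.get("action", {})}


def actor_types(incident: dict) -> set:
    """Top-level actor types present: external, internal, partner."""
    return set(incident.get("actor", {}).keys())


def summarize(incidents: Iterable[dict]) -> dict:
    """Build DBIR-style figures from the breaches in the input.

    Shares are out of the number of breaches. A breach that carries two
    action categories is counted once in each, so action shares need not
    add up to 100; the same holds for the report's own figures."""
    incidents = list(incidents)
    breaches = [i for i in incidents if is_breach(i)]
    n = len(breaches)
    acts, actors, ext_var = Counter(), Counter(), Counter()
    multi = 0
    for b in breaches:
        cats = action_categories(b)
        acts.update(cats)
        actors.update(actor_types(b))
        ext_var.update(b.get("actor", {}).get("external", {}).get("variety", []))
        multi += len(cats) > 1

    def pct(counter: Counter) -> dict:
        return {k: round(100 * v / n) for k, v in counter.items()} if n else {}

    return {
        "incidents": len(incidents),
        "breaches": n,
        "action_pct": pct(acts),
        "actor_pct": pct(actors),
        "external_variety_pct": pct(ext_var),
        "multi_action_pct": round(100 * multi / n) if n else 0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

Two of the five constructed incidents never become breaches, which is why the DBIR reports far more incidents than breaches, and the action shares for the three breaches (hacking 67%, social 33%, error 33%, misuse 33%) exceed 100% in total because one breach can carry several actions. Counting distinct action categories here is not the same as the report's "four or more attacker actions" figure, which counts steps along the attack path rather than categories.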

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    67 pages
