2017 Data Breach Investigations Reportth Edition OFX PB U2FsdGVkX19xySK0fJn+xJH2VKLfWI8u+gK2bIHpVeoudbc5Slk0HosGiUNH7oiq CNjiSkfygVslq77WCIM0rqxOZoW/qGMN+eqKMBnhfkhWgtAtcnGc2xm9vxpx5quA Incidents vs breaches We talk a lot about incidents and breaches and we use the following definitions:
Incident: A security event that compromises the integrity, confidentiality or availability of an information asset. Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. In the 2009 report, we wrote:
“These findings relate specifically to the occurrence (likelihood) of security breaches leading to data compromise … not attacks, not impact, not general security incidents and not risk.” The study has since evolved to include security incidents and not just breaches for many findings, but the rest of the statement holds true to this day. The information, provided in aggregate, is filtered in many ways to make it relevant to you (e.g., by industry, actor motive). It is a piece of the information security puzzle—an awesome corner piece that can get you started—but just a piece nonetheless. The rest is filled in by you. You (hopefully) know the controls that you do or do not currently have to mitigate the effectiveness of the threat actions most commonly taken against your industry. You know the assets that store sensitive data and the data flow within your environment. If you don’t – get on that. You also know your own incident and data-loss history. Use your own knowledge combined with the data from our report; they complement each other. First-time reader Don’t be shy—welcome to the party. As always, this report is comprised of real-world data breaches and security incidents—either investigated by us or provided by one of our outstanding data contributors. The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident datasets contributed by several security vendors. We combat bias by utilizing these types of data as opposed to surveys, and collecting similar data from multiple sources. We use analysis of non-incident datasets to enrich and support our incident and breach findings. Alas, as with any security report, some level of bias does remain, which we discuss in Appendix D. Tips on Getting the Most from This Report 1 verizonenterprise/verizon-insights-lab/data-breach-digest/2017/ Cybercrime case studies This report doesn’t focus on individual events—if you want to dive deeper into breach scenarios check out the cybercrime case studies collected in the Verizon Data Breach Digest1. This is a collection of narratives based on real-world investigations and from the perspective of different stakeholders involved in breach response. 60300Kcal Data Breach Dige st 60 Perspective is Reality. Read now VERIS resources VERIS is free to use and we encourage people to integrate it into their existing incident response reporting, or at least kick the tires. veriscommunity features information on the framework with examples and enumeration listings. github/vz-risk/veris features the full VERIS schema. github/vz-risk/vcdb provides access to our database on publicly disclosed breaches, the VERIS Community Database. ii Contents Introduction 2 Executive Summary 3 Breach Trends 4 Introduction to Industries 9 Accommodation and Food Services 14 Educational Services 17 Financial and Insurance 19 Healthcare 22 Information 24 Manufacturing 26 Public Administration 2 8Retail 30 Attack the Humans!32 Ransom Notes are the Most Profitable Form of Writing 35 Introduction to Incident Classification Patterns 3 8Crimeware 39 Cyber-Espionage 42 Denial of Service 44 Insider and Privilege Misuse 4 8Miscellaneous Errors 50 Payment Card Skimmers 52 Point of Sale Intrusions 54 Physical Theft and Loss 56 Web Application Attacks 57 Everything Else 59 Wrap Up 60 Appendix A: Countering an Evolving Transnational Cybercrime Threat 62 Appendix B: The Patch Process Leftovers 64 Appendix C: Year in Review 67 Appendix D: Methodology 69 Appendix E: Contributing Organizations 72 2017 Data Breach Investigations ReportWelcome to the 10th anniversary of the Data Breach Investigations Report (DBIR). We sincerely thank you for once again taking time to dig into our InfoSec coddiwomple that has now culminated in a decade of nefarious deeds and malicious mayhem in the security world.2016 was an extremely tumultuous year, both in the United States and abroad. Political events, such as a divisive presidential election and the United Kingdom European Union membership referendum (aka Brexit), raised many a blood pressure reading, while memes focused on getting through the year without the loss of another beloved celebrity flooded social media. Despite the tumult and clamor, cybercrime refused to take a year off, and added to the feelings of uncertainty with numerous breaches being disclosed to the public—thereby debunking the “no such thing as bad publicity” myth. Why the “hope” quote you ask Isn’t this report about doom and gloom and when things go wrong with real-world consequences There is no doubt that you can view this report, throw up your arms in despair, and label us (the risk management and information security community) as “losing.” All of us (authors, analysts and readers alike) must take a realistic approach to this and similar reports by our peers and acknowledge that we can do better. Yet we do firmly believe there is great cause for hope. It is true that the DBIR will never be blank as—choose your cliché—“there is no such thing as 100% secure” or “perfection is the enemy of good enough”. It is also true that due to the nature of the report we admittedly have a lack of success stories. After all, this is at its core a report about confirmed data breaches. However, we are aware that there are numerous success stories out there—it is not all bad news for the good guys. Our hope comes from the fact that we have been able to present these findings to the public for 10 years running. Our hope comes from how we have grown this publication from only one organization to include contributions from 65 sources, providing a solid corpus sample of security incidents and data breaches from which to learn. Our hope is that while this report will not be able to definitively answer the macro-level question of “are we getting better” you the readers, can leverage the combined efforts (thank you again data contributors!). Use the results of this study as a platform to improve your organization’s awareness of tactics used by the adversary, to understand what threats are most relevant to you and your industry, and as a tool to evangelize and garner support for your information security initiatives. So what is new in the 2017 publication One of our favorite evolutions in the DBIR series was the definition of nine incident classification patterns and the ability to map them against industry. We felt, and still feel, that it was a boost that made the DBIR more actionable. The report goes one step further this year and includes sections that are specific to key industries. These sections dive deeper into who targets specific verticals, how they go about reaching their goal and discuss why particular industries are in the crosshairs of certain threat actors. We examine what is unique about each industry and how that influences the results we find in our dataset. It is our hope (there’s that word again) that these industry sections will resonate with the security professionals and will provide a lens into our data that is beneficial to you personally. So the report will follow this path: It starts off with an executive summary comprised of high-level findings in this year’s data. As in other reports, we will then look back into history and discuss what has (and hasn’t) changed over the years. Next, we will hop to