Verizon 2018 Data Breach Investigations Report (English edition), 2018, 68 pages

First-time reader
Don’t be shy—welcome to the party. As always, this report
is comprised of real-world data breaches and security
incidents—either investigated by us or provided by one of our
outstanding data contributors.
The statements you will read in the pages that follow are data-
driven, either by the incident corpus that is the foundation of
this publication, or by non-incident datasets contributed by
several security vendors.
We combat bias by utilizing these types of data as opposed to
surveys, and collecting similar data from multiple sources. We
use analysis of non-incident datasets to enrich and support
our incident and breach findings. Alas, as with any security
report, some level of bias does remain, which we discuss in
Appendix E.
Incidents vs. breaches
We talk a lot about incidents and breaches and we use
the following definitions:
Incident
A security event that compromises the integrity,
confidentiality or availability of an information asset.
Breach
An incident that results in the confirmed disclosure—
not just potential exposure—of data to an
unauthorized party.
VERIS resources
The Vocabulary for Event Recording and Incident
Sharing (VERIS) is free to use and we encourage people
to integrate it into their existing incident response
reporting, or at least kick the tires.
veriscommunity.net features information on the
framework with examples and enumeration listings.
github.com/vz-risk/veris features the full VERIS schema.
github.com/vz-risk/vcdb provides access to our
database on publicly disclosed breaches, the VERIS
Community Database.
About the cover
The arc diagram on the cover is based on the data
in Appendix C: Beaten paths. It illustrates the actors,
actions, and attributes as nodes; and the order of their
occurrence in attack paths as edges—see the callout
on page 54 for more information. We've counted how
many times each node occurs in each path and sized
them accordingly—the larger the node, the more times
it appeared. The edges between nodes are represented
as arcs between points. The color of each arc is based
on how often an attack proceeds from one node to
the next.
Contents
First-time reader
Introduction
Summary of findings
Results and analysis
Social attacks: We’re only human
Ransomware, botnets, and other malware insights
Denial of Service: Storm preparations
Incident Classification Patterns
Mind your own industry
Accommodation and Food Services
Education
Financial and Insurance
Healthcare
Information
Manufacturing
Professional, Technical and Scientific Services
Public Administration
Retail
Wrap up
Appendices
Appendix A: Countering cybersecurity threats
Appendix B: Feeling vulnerable
Appendix C: Beaten paths
Appendix D: Year in review
Appendix E: Methodology
Appendix F: Data destruction
Appendix G: Timely and appropriate breach response for better outcomes
Appendix H: Web applications
Appendix I: Contributing organizations
Introduction
I would give all my fame for a pot of ale, and safety
Henry V: Act 3, Scene 2
A most sincere thank you, dear reader, for joining us for this,
the 11th installment of the Verizon Data Breach Investigations
Report (DBIR). It is difficult to overstate our gratitude to you for
your continued interest in and support of this publication. Over
the last 11 years, there have been various twists and turns,
iterations and additions to the DBIR, but our ultimate goal has
remained the same—to inform you on the threats you face and
to provide support, instruction and encouragement on how
best to protect against them.
This year we have over 53,000 incidents and
2,216 confirmed data breaches.
The report is full of dirty deeds and unscrupulous activities
committed by strangers far away and by those you thought
you knew. It is our continued hope that you can take away
useful and instructive tips from this report to help you avoid
having those things happen to you in 2018.
The quote at the beginning of this section was spoken by
a young boy about to go into battle for the first time, and
if we are honest, we can all probably identify with him to
some degree. We all crave safety (and perhaps also ale), but
it seems there’s no safety to be had in today’s world. The
reality is that there has never been a world devoid of risk at
any time, but at least in the past no one was bombarded by
incessant negativity (unless their mother-in-law lived with
them), with rumors of disaster, economic collapse, war and
famine pouring in an unending stream into their lives from
TVs, laptops, tablets and phones. Modernity affords us little
refuge from the onslaught of depressing and distressing media
headlines. What then should we do? Unplug everything, stock
up on MREs (meals ready to eat) and move to the mountains?
It’s one option, but you’d probably miss things such as indoor
plumbing and air conditioning. Another (and we think, better)
alternative is to accept that while there’s little guarantee of
total safety, there does exist the ability to proactively act to
protect what you value.
At first glance, it is possible that one could view this report
as describing an information security dystopia since it is
made up of incidents where the bad guys won, but we don’t
think that is the correct way to look at it. Rather than simply
seeing the DBIR as a litany of nefarious events that have been
successfully perpetrated against others and therefore, may
happen to you, think of it more as a recipe for success. If you
want your security program to prosper and mature, defend
against the threats exposed in these pages.
The DBIR was created to provide a place for a security
practitioner to look for data-driven, real-world views on what
commonly befalls companies with regard to cybercrime.
That need to know what is happening and what we can do
to protect ourselves is why the DBIR remains relevant over a
decade later. We hope that as in years past, you will be able
to use this report and the information it contains to increase
your awareness of what tactics attackers are likely to use
against organizations in your industry, as a tool to encourage
executives to support much-needed security initiatives,
and as a way to illustrate to employees the importance
of security and how they can help. As always, this report
would not be possible without the collaboration of our data-
sharing community, so thank you again, contributors. We also
encourage you, the reader, to consider joining forces with us in
the future by providing data that can be added to this corpus
that will help us all to be better informed and thereby better
equipped to keep ourselves out of the headlines.
The report will begin with a few high-level trends and findings
from this year’s data. Next, we will take a look at problems such
as malware (with a focus on ransomware), Denial of Service
(DoS) attacks and the social engineering aspect of cybercrime,
and how they continue to plague us. From there we will take a
brief look at the nine incident classification patterns (yes, they
still cover the vast majority of both incidents and breaches), and
then we will dig deeper into the various industries that we have
sufficient data to examine in detail. We will explore the beauty
that is vulnerability management and dip our toes into analysis
of event chains and the paths taken by the adversary. Finally,
we wrap things up