DBIR Data Breach Investigations Report 2008–2022

About the 2022 cover

Our long-time readers may recall that the cover for our inaugural report back in 2008 depicted an empty chair in a server room. It was intended to convey the fact that many organizations are not properly minding their assets and data. The 2022 cover is a throwback to that report both for purposes of nostalgia and to convey that many organizations continue to struggle with keeping an eye on their people and their systems. The overlay of the timeline with the dot plot illustrates the number of global contributors that have joined us over the 15-year history of the report (broken out by year).

Table of contents

1 DBIR Master’s Guide 4
  Introduction 6
  Summary of findings 7
2 Results and Analysis 9
  Introduction 10
  Actor 11
  Actions 14
  Assets 17
  Attribute 18
  Timeline 20
  Very Small Business 22
3 Incident Classification Patterns
  Introduction 23
  System Intrusion 25
  Scratching the Surface 31
  Social Engineering 33
  Basic Web Application Attacks 36
  Miscellaneous Errors 39
  Denial of Service 41
  Lost and Stolen Assets 43
  Organic Free-Range Data 45
4 Industries 49
  Introduction 50
  Accommodation and Food Services 53
  Arts, Entertainment and Recreation 55
  Educational Services 57
  Financial and Insurance 59
  Healthcare 61
  Information 63
  Manufacturing 65
  Mining, Quarrying, and Oil & Gas Extraction + Utilities 67
  Professional, Scientific and Technical Services 69
  Public Administration 71
  Retail 73
5 Regions 77
  Introduction 78
  Asia Pacific (APAC) 80
  Europe, Middle East and Africa (EMEA) 81
  Northern America (NA) 83
  Latin America and the Caribbean 85
6 Wrap-up 87
  Year in review 89
Appendices 92
  Appendix A: Methodology 93
  Appendix B: VERIS and Standards 96
  Appendix C: Changing Behavior 98
  Appendix D: U.S. Secret Service 100
  Appendix E: Ransomware Pays 102
  Appendix F: Contributing Organizations 104

01 DBIR Master’s Guide

Hello, and welcome first-time readers!
Before you get started on the 2022 Data Breach Investigations Report (DBIR), it might be a good idea to take a look at this section first. (For those of you who are familiar with the report, please feel free to jump over to the introduction). We have been doing this report for a while now, and we appreciate that the verbiage we use can be a bit obtuse at times. We use very deliberate naming conventions, terms and definitions and spend a lot of time making sure we are consistent throughout the report. Hopefully this section will help make all of those more familiar.

VERIS resources

The terms “threat actions,” “threat actors” and “varieties” will be referenced often. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here is how they should be interpreted:

Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket.

Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error and Environmental. Examples at a high level are hacking a server, installing malware, or influencing human behavior through a social attack.

Variety: More specific enumerations of higher-level categories—e.g., classifying the external “bad guy” as an organized criminal group or recording a hacking action as SQL injection or brute force.

Learn more here:
• github.com/vz-risk/dbir/tree/gh-pages/2022 – DBIR facts, figures and figure data.

Incident vs. breach

We talk a lot about incidents and breaches and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level and we will specify NAICS codes along with an industry label. For example, a chart with
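The VERIS vocabulary from the Master’s Guide (the seven threat-action categories, and incident versus breach keyed on confirmed rather than potential disclosure) applied to incident records, as an added example that is not code from the report or the VERIS project. The actor/action/attribute key layout, the `data_disclosure` values (“Yes”/“Potentially”) and the sample records are assumptions made here; the excerpt names the concepts, not the JSON keys.

```python
from collections import Counter
# The seven primary threat-action categories named in the Master's Guide.
ACTION_CATEGORIES = {"malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental"}
CIA = ("confidentiality", "integrity", "availability")

def classify(record):
    """'breach', 'incident' or 'none' per the DBIR definitions: an incident
    needs a lost CIA attribute; a breach also needs *confirmed* disclosure
    (data_disclosure == "Yes"); "Potentially" remains an incident only."""
    attr = record.get("attribute", {})
    if not any(k in attr for k in CIA):
        return "none"
    if attr.get("confidentiality", {}).get("data_disclosure") == "Yes":
        return "breach"
    return "incident"

def actions(record):
    """Threat-action categories present in a record; unknown ones are rejected."""
    present = set(record.get("action", {}))
    unknown = present - ACTION_CATEGORIES
    if unknown:
        raise ValueError(f"unknown action category: {sorted(unknown)}")
    return present

def tally(records):
    """Count incidents and breaches per action category; a breach is also an incident."""
    counts = Counter()
    for rec in records:
        kind = classify(rec)
        if kind == "none":
            continue
        for act in actions(rec):
            counts[(act, "incident")] += 1
            if kind == "breach":
                counts[(act, "breach")] += 1
    return counts

# Constructed sample records (not real DBIR data); the actor/action/attribute
# key layout follows the VERIS JSON schema as assumed in the lead-in.
SAMPLE = [
    {"actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["Brute force"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"action": {"social": {"variety": ["Phishing"]}, "malware": {"variety": ["Ransomware"]}},
     "attribute": {"availability": {"variety": ["Obscuration"]},
                   "confidentiality": {"data_disclosure": "Potentially"}}},
    {"action": {"error": {"variety": ["Misdelivery"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
]
```

The second sample record shows the distinction the guide draws: a ransomware incident with only potential exposure counts toward incidents, never toward breaches.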