An overview of Verizon’s 2021 Data Breach Investigations Report: An Overall Summary for Industries, Incident Classification Patterns and SMBs.
To adapt to the changing cyber threat world, you need to be aware of what is happening in your industry vertical and how threat actors are changing their TTPs. At any moment, any industry or SMB can become the target of attackers, resulting in thousands of breaches and millions of attacks. Companies are on their toes, not knowing which of them will be the next victim. Keeping abreast of developments and changes in the cyber threat world should be the key objective, so that you can follow who is behind these attacks and what these threat actors are after.
Once again, for the 14th consecutive year, Verizon has prepared a comprehensive report based on cybersecurity incident data. Almost every year the results change dramatically, which shows that we must adapt to the changing cyber threat world in order to deploy defenses effectively and efficiently and to plan our organization’s security budget.
The report is full of data that gives you a complete picture of what is happening in the cyber threat world and its consequences. Despite its big-data results and graphics and its length, it is actually fun to read and does not get boring. But in case you don’t have time to read the whole thing (over 100 pages) and don’t want to skip straight to your industry, here is our blog post with the key findings.
A quick look into the 2021 DBIR report
Before we dig into the real findings, here are a few things about this year’s report:
● This is the 14th edition of the annual Verizon Data Breach Investigations Report (DBIR).
● The report covers incidents from the end of 2019 to the end of 2020, so the entire dataset was collected during the pandemic.
● 79,635 incidents were analyzed, of which 29,207 met Verizon’s quality standards.
● 5,258 of those 29,207 incidents were confirmed data breaches, sampled from 88 countries around the world.
● The report’s data was also supported by 83 contributors.
● Ransomware attacks increased by 6 percent, while phishing attacks increased by 11 percent.
● Breach simulations found that the median financial impact of a breach was $21,659, with 95 percent of incidents falling between $826 and $653,587.
● The report presents a tailored analysis of different regions of the world:
○ Asia and Pacific (APAC)
○ Europe, Middle East and Africa (EMEA)
○ North America (NA)
Unlike last year, the Latin America and the Caribbean (LAC) region is not represented.
● There are two extensive parts of the report: the incident and data breach analysis of 11 different industries, and the incident classification patterns.
● A short section offers a deep dive into small and medium-sized businesses (SMBs), covering frequency (incidents and data breaches), top patterns, threat actors and actor motives, to help decide on best practices.
1. Key Findings from each Pattern in the 2021 DBIR Report.
The Incident Classification Patterns model, introduced in 2014, was updated by Verizon this year because of changes in the cyber threat landscape. The new patterns capture complex interaction rules better than the old ones and focus more on what is happening during the breach.
a. Social Engineering
Social attacks have continued to rise since 2017. Social engineering attacks resulting in data breaches increased by 12 points (from 22% to 34%). External parties are the key factor in over 80 percent of breaches. Business Email Compromise (BEC) breaches have doubled since last year. Web-based email is one of the threat actors’ most valuable TTPs. Click rates for phishing templates ranged from no clicks at all to over 50% click-through rates. For instance, of 1,148 people who received both a real and a simulated phishing email, none clicked on the simulated one, but 2.5% clicked on the real phishing email.
b. Basic Web Application Attacks
The Basic Web Application Attacks pattern was redesigned to capture attacks driven by web application bugs, social engineering, and system intrusion. The attacks were largely aimed at cloud-based servers that were compromised through the use of stolen credentials or brute-force attacks. Ninety-five percent of organizations exposed to credential stuffing attacks saw between 637 and 3.3 billion malicious login attempts during the year. The IT sector surpassed the finance sector as the most common target of botnet attacks against customers this year.
c. System Intrusion
System Intrusion captures the complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware. This new pattern was created to help organizations understand how much to invest in preventing advanced threats. In this pattern, more than 70% of cases involved malware and 40% involved hacking actions. In addition, 95 percent of ransomware cases fall into this pattern.
d. Miscellaneous Errors
This pattern covers incidents where unintentional actions directly compromised a security attribute of an information asset (theft is not included in this pattern). Miscellaneous Errors decreased as a percentage of breaches because of an increase in other types of breaches. Misconfiguration accounted for 52% of cases and was by far the most common form of error. Where the discovery method was known, security researchers (80%) were most often responsible for discovery. Personal data was the most exposed data type in this pattern.
e. Privilege Misuse
This pattern covers incidents predominantly driven by unapproved or malicious use of legitimate privileges. Privilege Misuse continues to decline as a percentage of breaches. 70% of breaches in this pattern resulted from privilege abuse, and more than 30% of events took months or years to be discovered.
f. Lost and Stolen Assets
This pattern covers any incident where an information asset went missing, whether through misplacement or malice. Loss of an asset is more common than theft, and employees themselves are the most common way these incidents are discovered as events unfold. Increasingly, people are losing devices rather than documents or other media.
g. Denial of Service Attacks
Distributed Denial of Service (DDoS) attacks are difficult to predict. Instead of trying to predict them, organizations should decide what percentage of DDoS attacks (50%, 80%, 95% or more) they want to be prepared for and plan accordingly.
h. Everything Else
This last pattern isn’t really a pattern at all; it covers all incidents that don’t fit within the orderly confines of the other patterns. The old Payment Card Skimmer pattern was folded in here: there were only 20 skimmer events (all confirmed breaches) in the dataset this year. Three of the rare Environmental breaches were also included in this pattern due to their relative rarity. The reclustering of patterns allowed Verizon to account for an additional 18% of breaches that would otherwise have fallen into this catch-all pattern.
2. Most Common Types of Compromised Data
As in previous years, credentials were at the top of the list of data most often compromised by cybercriminals. Stolen credentials give criminals the key to access systems and sensitive information. In addition to credentials, personal data is another type of data that cybercriminals particularly target; this information is then sold on the dark web or used for other types of fraud. The most commonly compromised data types in breaches were credentials, personal data, medical data, banking data, and internal data.
3. Key Findings from each Industry.
Organizations, regardless of size or industry, are always at some risk of a cyber-attack. To use the security budget efficiently, the key is to understand how attacks typically play out in your industry.
a. Accommodation and Food Services
The Accommodation and Food Services industry is affected almost equally by hacking, social and malware attacks. 90% of threat actors were external, and more than 86% of their motives were financial. Compromised data consisted of personal data, credentials and payment data.
b. Arts, Entertainment and Recreation
The use of stolen credentials, phishing, and ransomware continues to play a major role in this industry. Compromised medical information (from athletic apps) was also seen at unexpectedly high levels. 90% of threat actors were external, and a further 31% were internal. All of the threat actors’ motives were financial. Despite having the highest incident level, this industry has the lowest rate of data breaches.
c. Education Services
The education vertical has an unusually high percentage of Social Engineering attacks in which pretexting is the variant. These are typically carried out with the goal of inducing a fraudulent transfer of funds. Miscellaneous Errors and System Intrusion are both still enrolled and occupying a full study load. 90% of threat actors were external. The compromised data consisted of personal information, login credentials, and medical records. The motives of the threat actors were almost exclusively financial.
d. Financial and Insurance
Misdelivery accounted for 55% of errors in the financial sector. The sector frequently faces credential and ransomware attacks from external actors. Almost all of the threat actors’ motives were financial. 81% of data breaches fell into the Miscellaneous Errors, Basic Web Application Attacks and Social Engineering patterns. Almost fifty percent of attacks were internal.
e. Healthcare
As in previous years, this industry is plagued by basic human errors. The most common error continues to be misdelivery (36%), whether of electronic or paper documents. Malicious internal acts, however, dropped out of the top three for the second year in a row. Financially motivated, organized criminal groups continue to target this sector, with ransomware remaining a preferred tactic. Compromised data consisted of personal data (66%), medical data (55%) and credentials (32%).
f. Information
This sector has a pronounced problem with errors, with misconfigurations leading the way. From an incident perspective, DoS attacks made up the vast majority of attacks. For the first time, the Information sector overtook the financial sector as the primary target of botnet attacks. 86% of data breaches fell into the Miscellaneous Errors, Basic Web Application Attacks and System Intrusion patterns. Financially motivated threat actors caused data breaches involving personal information and credentials.
g. Manufacturing
This industry, like many others, is under attack from social engineering. The manufacturing industry also saw a significant increase in ransomware-related breaches. System Intrusion, Social Engineering and Basic Web Application Attacks account for 82% of data breaches. Compromised data included personal data (66%), credentials (42%), and payment data (19%). The threat actors were financially motivated, and 82% of them were external.
h. Mining, Quarrying and Oil & Gas Extraction + Utilities
These industries were affected by social engineering attacks this year. Credentials, personal data and internal data are the most common types of data lost. Ransomware is also a major threat to these industries. Almost all threat actors were external and financially motivated.
i. Professional, Scientific and Technical Services
The combination of the System Intrusion and Social Engineering patterns accounts for the majority of cases in this sector. The use of stolen credentials is widespread, and employees clearly tend to fall for social tactics. The threat actors were external (74%) and internal (26%).
j. Public Administration
By far the greatest threat in this vertical is the social engineer. Actors capable of crafting a credible phishing email are capturing credentials at an alarming rate in this sector. Almost all threat actors were external and financially motivated. Social Engineering, Miscellaneous Errors and System Intrusion accounted for 92% of breaches.
k. Retail
Retail continues to be a target for financially motivated criminals who go after the combination of payment cards and personal information for which the industry is known. Social tactics include pretexting and phishing, with the former often resulting in fraudulent money transfers. Social Engineering, Miscellaneous Errors and System Intrusion accounted for 77% of data breaches. Almost all of the threat actors were external.
4. SMB deep dive
As Verizon notes, the gap between the number of breaches at small and large organizations has narrowed significantly this year, and the top patterns have also converged. In other words, the size of the organization hardly mattered from the perspective of the ratio of incidents to breaches; as Verizon put it, “one size fits all”. Both are being targeted by financially motivated organized crime actors.