Verizon Data Breach Investigations Report 2016

It’s that time of the year again!

Verizon released its Data Breach Investigations Report for 2016.  For those of you not familiar with the report, Verizon collects and analyzes data from real world security incidents and breaches.  The current report analyzes over 100,000 incidents that occurred in 2015.  It is in no way all inclusive; however, it is one of the more reputable analysis reports that utilizes a healthy sample of incident and breach data to accurately portray the cyber incident landscape.

While the report does not disclose mind-blowing secrets, it does provide us with wonderful statistics to support what we already know.  Incidents and breaches are occurring at an exponentially increasing rate.  Highlights from this year’s report can be found here, but first let me highlight my favorite quote from the entire report.

“Don’t get us wrong—passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”


Watch out financial institutions, they’re coming after you.  However, no one should have his or her guard down as “No locale, industry or organization is bulletproof when it comes to the compromise of data.”

The following table shows the number of security incidents with confirmed data loss by victim industry and organization size.  The Accommodation and Finance industries topped the list.

Industries with data breaches


Attacks are coming from the outside (over 80% of attacks), not from within.

89% of breaches had a financial or espionage motive; the majority had financial motive.

Hacking and malware were the primary methods and social tactics was a distant third. 

Servers are no longer the weakest link.  Mobile devices and people are the main points of failure as evidenced by the increase in incidents involving users and devices.


  • In 9% of incidents, the compromise only took a matter of minutes.
  • In 8% of data breaches, exfiltration only took a matter of days.


  • Law enforcement and fraud detection are the primary sources for discovery.
  • Internal discovery is dead last.


SPECIAL EMPHASIS: Vulnerabilities

  • Key Finding: “Older vulnerabilities are still heavily targeted; a methodical patch approach that emphasizes consistency and coverage is more important than expedient patching.”
  • Approximately 50% of exploitations occur between 10 – 100 days after the vulnerability is published.
  • Vulnerabilities older than a year are still getting exploited! 
  • 85% of exploited vulnerabilities are due to 10 vulnerabilities.


SPECIAL EMPHASIS: Phishing & Credentials

  • 13% of people tested clicked on a phishing attachment
  • Objective of the majority of phishing attempts is to deliver persistent malware
  • >90% of the top five data varieties breached by phishing attacks were to obtain credentials
  • 63% of data breaches were the result of either weak, default or stolen passwords



  • Over 90% of breaches could fall under 9 categories (no change since 2014)
    • Web App Attacks
    • Point-of-Sale Intrusions
    • Insider and Privilege Misuse
    • Miscellaneous Errors
    • Physical Theft and Loss
    • Crimeware
    • Payment Card Skimmers
    • Cyber-espionage
    • Denial-of-Service Attacks
  • For data breaches, web attacks dramatically increased and cyber-espionage and crimeware realized a decrease.  
    Sidenote: crimeware will likely skyrocket in next year’s report due to all of the ransomware incidents of 2016.
  • Median documented record loss: PCI breaches > PHI or PII breaches
  • Majority of funds are spent on legal and forensics investigations

2015 Incidents

Verizon DBIR


  1. Patch everything.
  2. Phishing is still a major problem, so train, train, train and beware of your inbox.
  3. Credentials are desired by criminals, so make sure your critical public facing systems are protected with multi-factor authentication.