Verizon's 2017 Data Breach Digest: Data Breaches Becoming More Complex, Pervasive and Damaging

Staff Report

Wednesday, March 8th, 2017

Data breaches are becoming more complex and are no longer confined to just the IT department, but are now affecting every department within an organization. Each breach leaves a lingering, if not lasting imprint on an enterprise, finds the 2017 Data Breach Digest.

As we found in the Verizon 2016 Data Breach Investigations Report, the human element is again front and center this year. Humans continue to play a significant role in data breaches and cybersecurity incidents, fulfilling the roles of threat actors, targeted victims and incident response stakeholders.

Now in its second edition, Verizon's Data Breach Digest details 16 common breach scenarios, inviting the reader to take a behind-the-scenes look at cyber investigations that tell the stories behind the company's annual Data Breach Investigations Report. The cases are each told from the perspective of the various stakeholders involved, such as corporate communications, legal counsel, or the human resources professional.

"Data breaches are growing in complexity and sophistication," said Bryan Sartin, executive director, the RISK Team, Verizon Enterprise Solutions. "In working with victim organizations, we find that breaches touch every part of an organization up to and including its board of directors. Companies need to be prepared to handle data breaches before they actually happen in order to recover as quickly as possible. Otherwise, breaches can lead to enterprise-wide damage that can have devastating and long-lasting consequences such as a loss of customer confidence or a drop in stock price." 

"The Data Breach Digest is designed to help businesses and government organizations understand how to identify signs of a data breach, important sources of evidence and ways to quickly investigate, contain and recover from a breach," added Sartin.

2017 Data Breach Digest scenarios based on type, industry, incident pattern and stakeholder involvement

The report once again confirms that there is a finite set of scenarios that occur with data breaches but many permutations occur within each, leading to an expansive range of damage that can be observed in the aftermath of a data breach. Breaches in the Digest are defined by type of breach, industry, one of nine DBIR incident patterns, and by stakeholder involvement.

This year's 16 data breach scenarios are also classified according to their prevalence and lethality in the field. Ten of the cases represent more than 60 percent of the 1,400 cases investigated by Verizon's Research, Investigations, Solutions and Knowledge Team over the past three years, while the other six are less common but considered lethal or highly damaging to an organization.  

For each scenario, you go through a detailed analysis of how the attack occurred, level of sophistication, threat actors involved, tactics and techniques used and recommended countermeasures. Content is derived from the RISK Team caseload and categorized according to the standardized VERIS (Vocabulary for Event Recording and Incident Sharing) Framework used to compile the DBIR.  

The report groups the 16 scenarios into four different types of breaches and gives each a personality, including these select examples:

  • The human element

    • Partner misuse – The Indignant Mole  

    • Disgruntled employee  – The Absolute Zero   

  • Conduit devices

    • Mobile assault  – The Secret Squirrel  

    • IoT calamity – The Panda Monium

  • Configuration exploitation

    • Cloud storming – The Acumulus Datum  

    • DDoS attack – The 12000 Monkeyz

  • Malicious software

    • Crypto Malware – The Fetid Cheez

    • Unknown unknowns – The Polar Vortex

This year's report points to five actions an organization should take in the aftermath of a breach:

  • Preserve evidence; consider consequences of every action taken

  • Be flexible; adapt to evolving situations

  • Establish consistent methods for communication

  • Know your limitations; collaborate with other key stakeholders

  • Document actions and findings; be prepared to explain them.

Verizon's Data Breach Digest series

To preserve anonymity, Verizon has modified/excluded certain details of each real-world situation including changing names, geographic locations, quantity of records stolen and monetary loss details. Everything else has been imported straight from Verizon's case files.

The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies across the globe. In 2016, the RISK team investigated more than 500 cybersecurity incidents in more than 40 countries.  In 2008, the results of this team's field investigations were the genesis of the first Data Breach Investigations Report, an annual publication that dissects real-world data breaches with the goal of enlightening the public about the nature of threat actors behind the attacks, the methods they use, including the data they seek and the victims they target.