27k unique visitors in the last 3 days

4 Takeaways from the Verizon Data Breach Investigations Report 2024

The DBIR team reviewed 10,000 breaches for this year's publication.

Each year a team of researchers wades through an awesome amount of information to summarize trends in data breaches for the Verizon Data Breach Investigations Report (DBIR). Their 2024 report covers a mind-boggling 10,000 breaches, which is a measure of the sophistication of the team’s work as well as the scale of the problem they are analyzing. The report is packed full of information, and it never fails to amuse thanks to many comic asides in the footnotes. Here are just four takeaways from the report.

1. People Cause Breaches, but Mostly by Mistake

The temptation to protect data by exclusively focusing on technology has always been flawed, and no statistic better demonstrates this than 68 percent of breaches involving a human element. Despite the media fascination with hackers and malicious activities, a whopping 28 percent of breaches are due to errors made by people. The DBIR authors believe even this statistic understates the reality of how often errors cause breaches; long-serving telecoms assurance professionals will not struggle to understand why people tend to cover up the consequences of their own mistakes. Per the report authors, errors are “more prevalent than media or traditional incident response-driven bias would lead us to believe”.

Internal actors were the main catalyst for 35 percent of breaches, a significant rise on the 20 percent reported last year. Of the breaches where internal actors were responsible, 73 percent fit a pattern consistent with unintentional errors.

2. Suppliers Cause Breaches, but Who Chose the Supplier?

The DBIR team introduced a new metric this year that relates to cases where an organization has been breached because of the failings of its suppliers. ‘Supply chain interconnection’ affected 15 percent of breaches per this year’s report. This concept covers breaches where a business partner was the vector of entry for a breach, or because data was taken from a third-party data processor or custodian.

Being the vector of entry can mean hijacking software updates, as occurred when data-stealing malware was inserted into 3CX VoIP phone systems. AT&T should be familiar with suppliers with lax security surrounding their systems because they have routinely blamed business partners for allowing AT&T customer data to be compromised. Verizon’s DBIR team astutely observes why blaming others is not really an excuse, especially when it happens repeatedly:

We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain.

3. GenAI Has Had More Influence on Hypers than Hackers

The DBIR team used text analysis of online criminal forums to assess how often terms relating to generative AI were used in conjunction with more traditional terms associated with cybersecurity attacks. They struggled to find just a hundred mentions of GenAI being used to undermine security during the last two years. This contrasts with a huge rise in the amount of chatter about GenAI more generally, as their graph clearly illustrates:

Or to put it another way, the DBIR authors warned not to pay too much attention to…

…”a vocal minority of the cybersecurity community” (aka “unhinged marketing hype”) [that] has been suggesting artificial general intelligence will profoundly influence the threat landscape.

4. Email Is Still the Phisher King (for Breaches)

The social engineering section of the report amusingly refers to “whaling, smishing, quishing, tishing, vishing, wishing, pharming, [and] snowshoeing” before admitting one of these terms was made up. The information the DBIR team reviewed is once again useful for keeping the relative scale of different threats in perspective. The telecoms industry is acutely aware of the growth of scam techniques like smishing, with Commsrisk highlighting the trend of smishers using portable radio SMS blasters that connect directly to the victim’s phone instead of relying upon a genuine network. However, when it comes to actual breaches that resulted from social engineering, the extent to which email dominates is made very clear by another graph from this year’s report.

This does not mean we should be complacent about smishing, vishing, and all the other forms of phishing that rely on comms channels provided by telcos. Gaining access to a company’s data by obtaining knowledge of an IT administrator’s logon credentials can more obviously be accomplished using a spearphishing email, whilst a comms channel like SMS is better suited to sending thousands of copies of a message that is designed to deceive any member of the public into revealing details about themselves. The focus of the DBIR report on breaches will inevitably mean their data will be oriented towards criminal methods that target organizations rather than individuals. Both organizations and individuals can fall victim to phishing but different comms channels will be better suited to reaching one or the other group.

Anyone interested in protecting data should make time to go through this year’s Verizon Data Breach Investigations Report in full. It can be downloaded free of charge but requires registration; you can obtain a copy from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email