Stats & Trends
Jonathan Crowe
Apr 2018

5-Minute Highlights from Verizon's 2018 Data Breach Investigations Report


Photo by Lukas

Haven't had time to dig into Verizon's 2018 DBIR yet? Here are some key highlights you shouldn't miss.

Every year, the incident response team at Verizon Enterprise Solutions releases their highly-anticipated Data Breach Investigations Report (DBIR), providing a wealth of data on real-world security incidents, data breaches, and the trends driving both. 

You can find this year's complete 68-page report here, but in case you're short on time, here are some of the top highlights and takeaways you can dig into right away.  

Who is getting breached?

58 percent of data breach victims are small businesses

Despite security being a growing priority for organizations of all sizes, it's still unfortunately something that often breaks down into categories of haves and have-nots. According to this year's DBIR, the have-nots are getting breached significantly more often than their larger counterparts. 

Healthcare organizations account for nearly a fourth of all data breaches

As in previous years, the 2018 DBIR also segments data breaches by industry. Below you'll find a chart that reveals which industries are being breached most often. Note: To keep things concise, we've limited this list to industries with at least 100 breaches investigated by Verizon's team.  

The top five industries suffering the most breaches are:

  1. Healthcare
  2. Accomodation
  3. Public
  4. Retail
  5. Finance

What data is being compromised?

The following are the three most common types of data compromised during the breaches Verizon's team investigated:

  1. Personally identifiable information (PII) — 36 percent of breaches
  2. Payment card info — 34 percent of breaches
  3. Banking info — 13 percent of breaches

Industry-specific stats, at a glance


  • Healthcare suffered more breaches than any other industry, accounting for 24 percent of the breaches investigated, total.
  • Perhaps as a result, PII is the most common type of data compromised.
  • Ransomware hits healthcare organizations particularly hard, accounting for 85 percent of all data breaches involving malware. It should be noted, however, that healthcare is one of the only industries obligated to report ransomware infections as data breaches due to regulations. 


  • The most prevalent cause of data breaches in education are W2 scams
  • Attackers that compromise education networks like to set up shop and poke around — 44 percent of education breaches involved the use of backdoors and stolen credentials. 

Public administration

  • 74 percent of breaches in the public sector are initiated by phishing emails. 
  • Once attackers have access, they take steps to keep it. 61 percent of breaches involved the use of a backdoor or C2. 
  • Espionage is a common goal of breaches in the public sector — 35 percent involved the use of spyware/keyloggers, and 20 percent involved the use of password dumpers. 


  • Banking trojans are far and away the most prevalent threat in the finance sector, with denial of service attacks also being very common.
  • ATMs also continue to be a top target, with attackers installing payment card skimmers or conducting ATM jackpotting attacks.  


  • Espionage is also the most common goal in manufacturing breaches, with the theft of intellectual property being the motivation behind 47 percent of breaches. 

What are the latest malware trends? 

At least 37 percent of malware hashes appear only once

The Verizon investigators once again confirmed that most cyber criminals treat malware as single-use, immediately ditching samples once they've seen the light of day in a campaign and replacing them with slightly altered versions in order to evade signature-matching antivirus detection. According to this year's DBIR, at least 37 percent of malware hashes appear only once, and as Verizon notes, that's "being extremely conservative with the data — it's rather likely you won't see a much higher percentage ever again."

To use an analogy, AV vendors are essentially left hanging up "Wanted" posters of outlaws who will never show their faces in these parts again. Meanwhile, a new posse is hitting up the bank. (Or, if you'd prefer a different analogy, see our blog post, "The Problem with Signature-Based Security: How Long is Your Pit Stop?")

Malware use is down 21 percent from last year

Malware was put to use in 30 percent of the data breaches Verizon's team investigated. That's down from 51 percent of the breaches analyzed in the 2017 DBIR. That's a significant drop, and it's in line with a major trend we've been tracking, too — more and more attackers appear to be moving away from using traditional malware in favor of adopting more evasive, fileless techniques

In fact, according to the Ponemon Institute, 77 percent of successful compromises in 2017 utilized fileless techniques and exploits. 

49 percent of malware was installed via email

When malware is used, it's most often delivered via email. More on the effectiveness of malicious emails in the phishing section below. 

39 percent of malware incidents were ransomware infections

If you've seen any other headlines about this year's DBIR, you may picked up on a common theme. The majority suggest that the growth of ransomware is this year's BIG STORY. There's a slight issue with that. 

While it's true that Verizon's team did determine ransomware was the most prevalent type of malware involved in the security incidents they investigated, it's important to keep in mind that finding reflects what they saw in 2017, not what they're seeing now. 

Three months may not be a long time in other areas, but in the world of malware, a lot can change. Other sources such as Malwarebytes report that ransomware use has plunged in early 2018, replaced by cryptomining malware as the top payload of choice. That's not to say ransomware isn't still a very serious threat, it's just that when you're looking at annual reports it's important to keep in mind some of the findings may be dated by the time the report is released. 


What's new in phishing? 

Phishing vs. Pretexting

Before we get into the phishing-related findings from this year's report, one thing to make note of is Verizon's attempt to distinguish between what they're calling "phishing" (an attempt to get a victim to click on something in an email in order to gain a foothold) and what they're calling "pretexting" (an attempt to acquire information directly from the victim — ex: a business email compromise attack). 

That second term is one I hadn't seen before, and it'll be interesting to see if it catches on.

Verizon's team estimated that, of the breaches they investigated featuring a social engineering component, 70 percent involved phishing and 20 percent involved pretexting. 

The industries that suffered the most breaches attributed to phishing or pretexting were:

  1. Public
  2. Healthcare
  3. Education

The average time it took for the first victim to click on a phishing campaign was 16 minutes. Meanwhile, it took 33 minutes on average for a user to report a phishing campaign to IT, meaning reports will often come too late to prevent the first infection. To make matters more difficult, the vast majority of users don't report phishing attempts at all. Encouraging users to do so and do so quickly should be an active goal of any security awareness training initiatives. 

Looking for more insight on the latest security trends?

Find out how malware is evolving so you can be better prepared to block it. Download Barkly's 2018 Malware Trends Forecast.  


Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.