Verizon 2016 Data Breach Investigation Report

Well here we are again, and it is time to take the annual journey into our collection of real-world data breaches and information security incidents from the prior year. We have published this report nine times and we truly appreciate
you spending your valuable time with us, whether you have been with us since our humble, pie-chart-centric beginnings or if this is your first read. We would be remiss if we did not begin by acknowledging the organizations that contributed data (and time) to this publication. Simply stated, we thank you for helping to make this possible. For a full list of contributors, mosey over to Appendix B. The incident data is the workhorse of this report and is used to build out all the information within the Breach Trends and Incident Classification Patterns
sections. We use non-incident security data to paint a fuller picture in the
patterns as well as in stand-alone research. Any opportunity to take several
organizations’ data and combine them for a research topic was pursued. The
Gestalt principles in action!
The nine incident classification patterns we identified back in the 2014 report
still reign supreme. And while there are no drastic shifts that have established
a show-stopping talking point when looking at the patterns as a whole, we have
searched for interesting tidbits in the actions that comprise them.
This year’s dataset is made up of over 100,000 incidents, of which 3,141 were
confirmed data breaches. Of these, 64,199 incidents and 2,260 breaches
comprise the finalized dataset that was used in the analysis and figures
throughout the report. We address the reasons for culling the dataset in
Victim Demographics and provide additional details when we discuss motives
in Breach Trends. Of course, we would never suggest that every last security
event of 2015 is in this report. We acknowledge sample bias, and provide
information about our methodology as well as links to resources that we
encourage you to look into to help collect and analyze incident data within your
own organization, in Appendix E.
We will also acknowledge what isn’t in this report. For those looking for
proclamations about this being the year that mobile attacks bring us to
our knees or that the Internet of Things (IoT) is coming to kill us all, you will
be disappointed. We still do not have significant real-world data on these