Other Services


  • Summary

    Financial gain is the highest motive for External actors, with Web Applications being 39% of breaches. Error among employees is another issue for this sector, particularly with regard to Misconfiguration and Misdelivery. While Credentials are a desirable target, it is Personal data that is most frequently stolen here.


    Frequency

    107 incidents, 66 with confirmed data disclosure


    Top Patterns

    Web Applications, Miscellaneous Errors, and Everything Else represent 83% of breaches


    Threat Actors

    External (68%), Internal (33%), Multiple (2%) (breaches)


    Actor Motives

    Financial (60%—98%), Espionage (0%—28%), Convenience/Fear/Fun/Grudge/Other/Secondary (0%—15% each) (breaches)


    Data Compromised 

    Personal (81%), Other (42%), Credentials (36%), Internal (25%) (breaches)


    Top Controls

    Boundary Defense (CSC 12), Implement a Security Awareness and Training Program (CSC 17), Secure Configurations (CSC 5, CSC 11)


    Data Analysis Notes

    Actor Motives are represented by percentage ranges, as only 12 breaches had a known motive. Some charts also do not have enough observations to have their expected value shown.


  • Break on through to the other side

    The Other Services (NAICS 81) industry is also new to the report this year.  This NAICS code is one of several that are surprisingly broad, covering everything from various personal and repair services to non-profit religious and social benefit organizations.  Oddly enough, it even includes a subcode (814) for private households, but those are not represented in this dataset.  For an incident to be eligible for inclusion in the DBIR, there must be a victim organization—since that is where the laws focus, and where the controls are most likely to have good effect. As we have mentioned in the other new sections, while this is the first year we are including this industry in the report, we have data going back a few years on this sector.


    Jockeying for that Top Spot

    The top breach patterns in this industry were Web Applications attacks, Miscellaneous Errors, and Everything Else.  When looking at the incident patterns (not confirmed data breaches), the patterns remain the same, albeit in a different order. 

    The main change from last year’s data for this vertical is the drop in the Cyber-Espionage pattern.  Last year it held the first-place slot in the footrace, and you can see from Figure 82 that it has since told the other patterns “go on ahead, I’ll catch up” as it struggles to catch its breath.  Consistent with this change, we’ve seen the variety/motivation of the External actor breaches transform from State-affiliated/Espionage into Organized crime/Financial.  It seems the people who like to go after data for the sheer joy of monetizing it have found a friend in this sector.

    The Web Applications attack pattern includes the Hacking actions, and the favored action variety tends to be the use of stolen credentials. It makes sense—who wouldn’t like credentials when trying to break into someone else’s computer?  What burglar would say no to a set of free keys? And while the use of a backdoor or Command and Control (C2) infrastructure is always nice, if you can just waltz in the front door, why exert yourself?  Do you enjoy being asked questions?

  • Figure 82
  • What can go wrong will happen to me.

    The Miscellaneous Errors pattern is all about the mistakes your employees make.  Two stand out from the rest in the field of errors for Other Services:  Misconfiguration and Misdelivery (Figure 83).  Misconfiguration errors are the frenemies of Information Security. These breaches are caused by Internal actors (frequently a system admin or DBA, as they have access to large amounts of data) doing things such as standing up an instance of the data on a cloud platform, but neglecting to put in any security controls to limit access.  Once that happens, it is a matter of time before the intrepid security researchers out there find it via their search tools and someone gets a call.

    Misdelivery - when sensitive data goes to the wrong recipient(s) - is the other most Common Error in this sector. A good example is when autocomplete in an email To: or Cc: field fills in the wrong address and the message goes to the incorrect party. In other instances, it is the mass-mailing misstep where the addresses are no longer paired with the correct contents.  It is never good to have your customer open a letter only to find someone else’s Personally Identifiable Information (PII) inside.
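
A pre-send check for the mass-mailing misstep described above, as an added example that is not part of the original report: it contrasts a positional merge with a keyed merge and blocks the batch when a letter does not belong to its addressee. The record layout, the `C###` ID format and all sample data are constructed assumptions.

```python
import re

# Constructed sample data (not real PII): address records and rendered letters.
RECIPIENTS = [
    {"id": "C001", "name": "Ana Ruiz", "email": "ana@example.org"},
    {"id": "C002", "name": "Ben Okoye", "email": "ben@example.org"},
    {"id": "C003", "name": "Chen Li", "email": "chen@example.org"},
]
LETTERS = [
    {"id": "C001", "body": "Dear Ana Ruiz, your donor ID is C001."},
    {"id": "C002", "body": "Dear Ben Okoye, your donor ID is C002."},
    {"id": "C003", "body": "Dear Chen Li, your donor ID is C003."},
]
ID_PATTERN = re.compile(r"\bC\d{3}\b")  # assumed record-ID format


def pair_by_position(recipients, letters):
    """Fragile merge: trusts that both lists are still in the same order."""
    return list(zip(recipients, letters))


def pair_by_key(recipients, letters):
    """Robust merge: joins on the record ID; a missing letter raises KeyError."""
    by_id = {letter["id"]: letter for letter in letters}
    return [(r, by_id[r["id"]]) for r in recipients]


def misdelivery_findings(pairs):
    """Pre-send gate: reasons to block the batch; an empty list means send."""
    findings = []
    for recipient, letter in pairs:
        if letter["id"] != recipient["id"]:
            findings.append(f"{recipient['email']}: letter belongs to {letter['id']}")
        # Any record ID in the body other than the addressee's is foreign PII.
        foreign = set(ID_PATTERN.findall(letter["body"])) - {recipient["id"]}
        if foreign:
            findings.append(f"{recipient['email']}: body mentions {sorted(foreign)}")
        if recipient["name"] not in letter["body"]:
            findings.append(f"{recipient['email']}: salutation does not match")
    return findings


# Simulate the misstep: the address list is re-sorted, the letters are not.
RESORTED = sorted(RECIPIENTS, key=lambda r: r["name"], reverse=True)

if __name__ == "__main__":
    for line in misdelivery_findings(pair_by_position(RESORTED, LETTERS)):
        print("BLOCK:", line)
    print("keyed merge findings:", misdelivery_findings(pair_by_key(RESORTED, LETTERS)))
```
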

    Finally, we have the Everything Else pattern, which is our version of potpourri.  This is where the attacks that do not meet the criteria of the other patterns end up.  Not exactly the fragrant flowers of the security breach world, these attacks are frequently made up of phishing attacks in which not a great deal of detail was provided.  

    The business email compromises also live within this pattern.  They typically come in two main flavors:  the pretext and the C-level impersonation.  For the pretext, there is an invented scenario and usually an attempt to get either an invoice paid or a direct wire transfer to an adversary-controlled bank account.  They may compromise the mail account of the executive and wait until the person is traveling to elevate the sense of urgency, and to minimize the ability to contact the person in order to verify the legitimacy of the request.  The latter type is when the actor pretends to be a member of the executive suite, but they ask for data rather than a wire transfer.  Figure 84 illustrates that phishing and pretexting are still thriving in this vertical.  Both of these social engineering actions typically arrive via email.

  • Figure 83
  • Figure 84