The Verizon Data Breach Investigations Report (DBIR) released its annual summary for 2019. During 2019 the report confirms 32,002 incidents, 3,950 of which are breaches. Topping out at 119 pages, here’s a quick overview before you go “all in.”   

A potential entry becomes “eligible” for the incident/breach after a couple of key requirements are met. First, the entry is defined as a loss of confidentiality, integrity or availability. In addition to meeting the baseline definition of “security incident,” the entry is assessed for quality. The report creates a subset of incidents that pass Verizon’s “quality” filter.  A “quality incident” is an incident with at least seven enumerations (e.g., threat actor variety, threat action category, variety of integrity loss, et al.) across 34 fields, or be a DDoS attack. Exceptions were occasionally given to confirmed data breaches with less than seven enumerations. Also, the incident must have at least one known VERIS threat action category, such as hacking, malware, etc. 

Incidents and breaches affecting individuals that were not tied to an organizational attribute loss were excluded. Lastly, the incident must have taken place within the time frame of analysis (November 1, 2018 to October 31, 2019). So, while they call it the 2020 report, the data reflects information that is already 7+ months old.  

Don’t be concerned about the age of the data: it is several months old every single edition they produce. As this is penned (June 2020) it is very reasonable to anticipate more striking data in the 2021 edition due to the rapid move to home-based work for millions as COVID-19 raged. In fact, the current remote work situation, when added to the expanding use of SaaS, web app, and mobile devices, means the “attack surface” expanded exponentially making it increasingly difficult to stem the tide. The scale of breaches is expected to increase dramatically as attackers take advantage of the unplanned remote worker situation. Most experts are predicting next year’s report to be one of the worst years we have seen. 

While there is so much to digest in the 119 pages, a few of the most interesting points follow. First of all, the vast majority of breaches across all verticals and in all regions, continue to be caused by external actors: 70% of the time - with organized crime accounting for 55% of these. In fact, organized crime is behind a high number of successful attacks -- financial gain remains the key driver -- nearly nine in 10 (86%) of the breaches investigated by Verizon in this year’s edition were classified as “financially driven.” 

Secondly, credential theft and social attacks such as phishing and business email compromises still cause the majority of breaches (more than 67%). As an aside, this data drives home our continued view that so much of our security posture can be improved with increased and regular user education and basic, industry-standard security practices. 

The DBIR offers a great deal of information for security professionals to digest across quite a wide variety of industry sectors (16). However, this year’s report adds several new industries to its breach analysis for the first time, reinforcing that firms across every vertical are being targeted and succumbing to cybersecurity threats. So while every industry in the world is now under the threat radar, some are hit differently than others. We know that The Accommodations and Food Services insights (covered below in a bit more depth) are what you want to know, but first let’s take a rapidly global view. 

While security remains a challenge across the board, there are significant differences across verticals. For example, in manufacturing, 23% of malware incidents involved ransomware, compared to 61% in the public sector and 80% in educational services. Errors accounted for 33% of public sector breaches - but only 12% of manufacturing.

Technology services firms, retail, financial and insurance services and professional services are most vulnerable to compromise -- they not only are the highest aggregators of highly sensitive data, financial and personal, but also traditionally work with a substantial set of 3rd party partners with customer/client data sharing.
This year for the first time, the DBIR offers analysis on macro-regions of the world to “increase the diversity of the data contributors.” Their regional subsets are: APAC, EMEA, LAC (Latin America and Central America) and North America plus Bermuda (oddly busy with breaches).

The North America (NA) region accounts for 69% of all incidents and 55% of all breaches. That does not mean that good security practice has disappeared into the Bermuda Triangle. Understanding data and statistics mean using a few extra moments to interpret. North America arguably has some of the most robust data reporting standards in existence, particularly in healthcare and public administration. Therefore, the number of incidents and breaches seems higher than in regions with less stringent disclosure requirements.   

While this report is becoming increasingly global in scope, many of the entities who contributed are located in and are primarily concerned with Northern American organizations. The outcomes for this region are not too dissimilar from the findings for the overall dataset. Across the entire report (Global perspective all industries combined) the Verizon findings of most import appear to be:
  • 86% of data breaches for financial gain – up from 71% in the 2019 report.  Attackers do not have to be sophisticated to be effective. Only 45% of all breaches in this report involved some kind of traditional hacking and only 4% of the breaches in total had more than four attacker actions. In other words, simple, low-hanging fruit for financial gain continues to dominate this space.
  • Cloud-based data under attack – web application attacks double to 43%!
  • Credentials are still the favorite attack surface, 67% of breaches caused by credential theft, errors and social attacks. And within the past three years, range fluctuates between 75%-81%.
  • The 2020 edition confirms: 43% of data breaches are tied to web application vulnerabilities—which more than doubled year over year. Hacking using stolen credentials was most commonly seen, with social engineering attacks that encourage the sharing of those credentials following suit. Employee error was also routinely observed in the dataset as well.  Web app attacks loom large in North America. Organizations should understand the importance of knowing their infrastructure because web applications provide easy entry points for cyber criminals. It's more than that: the technologies and infrastructure which powers the businesses we rely on are ever increasingly built on top of web technologies. Since Accommodation and Food Service is obviously where readers of Hospitality Upgrade will want to go first, here are the main takeaways.
  • The first and largest trend standing out is that Point of Sale (POS)-related attacks no longer dominate breaches in Accommodation and Food Services. Instead, responsibility is spread relatively evenly among several different action types, such as malware, error and hacking via stolen credentials. Statistically speaking last year’s report had 76% of breaches coming from RAM Scraping vs this year only 33%. That is an incredible drop YOY.

In terms of what is stolen in our sector:
  • Payment Data still leads with (68%), followed by Personal (44%), Credentials (14%), Other (10%) 

As mentioned above, payment data still leads. However, ours is an industry rich in payment data, and that makes for an easy dollar for bad guys. But payment data isn’t the only type of data being compromised.  Verizon points to personal data being compromised, often as a byproduct of attacks, so pay proper attention to your security program outside of your payment card environment.

The team at Verizon spoke with this writer in preparation of the article and suggested the report shows us clearly how “agile the bad guys are” as they are seeing criminal entities pivot to other weaknesses. Once it became obvious that hoteliers and restaurants were focused on their most vulnerable or monitored point of entry (payment card data) cyber criminals were able to sneak in to other parts.

Although financially motivated attackers continue to target our industry for the payment card data held, organized crime has figured out “There’s gold in them thar hills!”  and have aggressively moved on from payment card data theft into the new favorite: crimeware

Crimeware and POS (both malware dependent) represent two of the top three patterns this year for Accommodations and F&B, joined by web applications attacks, which covers both the use of stolen credentials and the exploitation of vulnerabilities. In part it seems the outcome is more lucrative and also because it is low hanging fruit: this industry is still focusing all effort on keeping RAM scraping and protecting card data and little else.

Crimeware, traditionally considered a “commodity threat,” has evolved into a highly lucrative business as criminals are improving their techniques while law enforcement activity grows increasingly ineffectual. Attackers and defenders are entrenched in a longstanding game of cat and mouse, resulting in a rapid expansion of the crimeware threat landscape, and growing sophistication of attacks and malware infrastructure. 

The malware that doesn’t fall into the other patterns is what we consider crimeware. Think of these as the common type of commodity malware that everyone has probably seen on some email claiming to be a fax or a missed delivery package. These incidents and breaches are opportunistic and financially motivated.

Even though POS intrusions are still common, accounting for 16% of breaches in our industry, they are nowhere near their high-water mark back in 2015. This may be (and probably is) indicative of the trend of adversaries to more quickly monetize their access in organizations by deploying crimeware and ransomware rather than pivoting through the environment and spreading malware—a more time-costly endeavor. While the appropriate way to use the findings is to understand how our specific industry is represented, we must understand the sorts of actors and events that not only affect hoteliers, F&B entities and those who partner in some way via technology or services as third-party players but all industries combined.

That is why taking a totally holistic approach to review the entire report and the comprehensive data contained within is considered an ideal way to turn trends around and proactively protect your enterprise.

To close, let’s use an analogy. With the recent COVID-19 pandemic dominating our world, it seems the real takeaway from DBIR 2020 would be to look at this parallel of “Testing! Testing! Testing!”

Verizon mentioned that being compliance driven (vs data driven) is the real issue as it appears our industry still doesn’t seem to fully grasp that testing means little, if anything. Consider what it means to take a COVID-19 swab test. It is simply a momentary view on your health situation at the time the lab dips a swab up your nose (and practically into your brain matter). Assuming the results are reliable, all it does is show whether you are currently in the throes of the illness and contagious or not. It does not show if you’ve already had COVID-19 and recovered and more to the point, as you likely know 3+ months into this pandemic, is very clear that you can take the test this morning and get a negative result yet contract the coronavirus 18 hours later while in line at Walgreens or in the condo elevator taking your laundry to your building’s basement. Further, you can be asymptomatic and as such, UNAWARE of your COVID-19 status.

The entire issue that data security teams at every company must live with and should have already embraced, is that at any moment one may believe one is “safe” or impenetrable because a PEN test was solid or the entire set of boxes were ticked during the audit process. It is a false (and flawed) sense of security to believe that the results of a test or audit mean we can breathe easily and relax. Yet, according to Verizon 2020 DBIR it seems that this lesson is still unlearned.

Given we do not have laws like HIPPA or SOX (Sarbanes Oxley) et al and typically focus pretty exclusively on PCI Compliance, here we are in 2020 with what appears to be a very consistent continued mindset of being ‘compliance driven’ (as opposed to being Data Driven.)

If you know where your data is and what it is doing and where it is going, you are better prepared to protect it. Trying to close the barn door after the cows got away is a tiresome game. As long as the hospitality industry focuses on being compliant, we will continue to be more vulnerable. The top takeaway of this years’ report for our sector shows that all the efforts on protecting POS from RAM Scraping simply reduced that but upped the crimeware and other actions.  

It pains this author to close this analysis with an observation that personal data theft is trending up, now at 49% of retail breaches, overtaking payment data at 47% overall, putting privacy risk high on the agenda. While payment data is still top in our sector, this is a quickly moving world and post-COVID-19 cloud IT (now 24% of investigated breaches) means we have no choice but to modernize data security strategies to neutralize data from attack or else resign ourselves to becoming a victim.

In closing, this year is an earth-shattering year in so many ways. Looking back to see what has been going on in terms of data security and breaches is only useful if we learn and step up to proactive vs reactive mentality and away from compliance. We can’t control so much of our world but one of the few things we can do is ensure your organization’s risk model and countermeasures mitigate the concerns reported by the DBIR.