Verizon recently released their 2022 Data Breach Investigations Report. Their cybersecurity team reviewed 23,000 incidents and 5,200 confirmed breaches from around the world; here’s what they found.
Most Attacks Were External
73 percent of data breaches involved an external threat (someone outside the organization). Only 18 percent involved an internal threat.
Business Partners Introduced New Threats
As companies become more interconnected, their business partners introduce additional risks. In 2021, 39 percent of incidents originated with a business partner. This underscores the importance of working with other security-minded organizations.
Most Attacks Were Financially Motivated
As one would expect, most attacks (96 percent) were financially motivated.
Small businesses were less likely to be subjected to non-financially motivated attacks (e.g., those caused by a protest or a personal disagreement) than large corporations.
Payment Card Data Was Breached Less Frequently than Personal Data or Credentials
In 2008, when Verizon published their first Data Breach Investigations Report, nearly 84 percent of breaches involved payment data.
That number has gone down dramatically, with personal data and credentials now outpacing both payment data and bank data. In 2021, only around 10 percent of confirmed breaches revealed a consumer’s credit or debit card information.
Verizon attributes this to the much stronger payment card data protection regulations, such as the recently updated Payment Card Industry Data Security Standard. The PCI DSS was first released in 2006 – meaning that most organizations’ payment card security programs were in their infancy when the first report was released in 2008.
However, even with stronger payment card security regulations, the risk of a breach has not disappeared. There were still 191 confirmed payment card breaches in 2021, and 409 in 2020. Another 219 breaches compromised consumers’ bank information in 2021 (532 in 2020).
Bank Data Was Most Likely to be Revealed via Loss or Misconfiguration
When bank data was breached, it was most likely the result of accidental loss or misconfiguration. It was less likely to be the result of social engineering, web application attacks, or abused access privileges.
Payment Data Breaches Were Most Common in the Retail and Accommodation/Food Services Industries
Some industries are obvious targets for data breaches. Finance and healthcare, for instance, were among the top five most commonly targeted industries. However, in those industries the most commonly compromised data was personal and medical data rather than payment card data.
Payment card data was most commonly compromised in breaches that targeted the following industries:
- Accommodation and food services (41 percent)
- Retail (24 percent)
Most Breaches Were Detected Within Days – Not Months
As businesses have started paying more attention to their security, they have become much more efficient at detecting incidents. Nearly 75 percent of incidents were detected in days, rather than months.
What Does the 2022 Verizon Data Breach Report Mean for You as a Merchant?
Our biggest takeaway from the 2022 Verizon Data Breach Investigations Report?
Companies are doing a much better job of protecting their customers’ payment data than ever before. However, while more secure technologies have gone a long way in reducing payment card data breaches, merchants must remain committed – and vigilant – when it comes to protecting their customers’ information.
At Curbstone, we’re here to help you keep your customers’ payment data as secure as possible while reducing your compliance requirements. Remote Tokenization prevents card numbers, security codes, and expiration dates from touching your system – which means they’re less vulnerable to a breach, should one occur. It also lets you take most – if not all – of your infrastructure out of scope for PCI self-assessment questionnaires, reducing your reporting requirements and giving you a simpler path to compliance.
To learn more about secure, PCI-compliant credit card processing, contact us today.
This article is provided for general informational purposes only and does not constitute legal advice. If you have questions about your specific compliance requirements, please consult with your PCI-certified Qualified Security Assessor (QSA).