4 Curated Insights from Verizon’s 2022 Data Breach Investigations Report

Teck Wu4/6/2023 6 Min Read

And what security engineers can do to prevent data breaches

This year's Data Breach Investigations Report (DBIR) offered no surprises. Financial or personal gain still is the leading reason for breaches, and this means personal information and credentials are main marks for exfiltration --- the same ol' story.

Furthermore, with Covid bringing forth a new digital revolution, compounded by stay-at-home work style shifts, the surface of attack has also increased tremendously. Companies, in response or pre-emptively, have started putting more focus on protecting such assets, as their value has increased in response to consumer reactions on breaches and regulative changes. This increased in security has always brought forth a change in attack styles, as we will see later.

Sharp rise in use of stolen credentials

It is unfortunate that if you can access your cloud instances directly from the internet via credentials, so can criminals. Criminals love credentials, because as long as the credentials are valid, the system would allow the user to enter --- a perfect disguise.

(Diagram from Verizon's DBIR 2022)

With many companies migrating to cloud, credentials will become more ubiquitous as a method to access resources, either as a temporary measure or permanent. Growing use of cloud corporate applications also means more sharing of credentials over non-secure channels e.g. communications and ticketing, an ever-expanding exposure surface as companies adopt more and more SaaS applications.

Proper security processes to prevent employees from misusing or misplacing credentials will be needed. With measures taking time to be implemented and integrated, pilfering of credentials will likely continue to rise.

Exponential growth in ransomware

Ransomware. You see them in the news all day. But who knew they would be so effective, to the point hackers use them so vagrantly.

The exponential growth in ransomware --- a 13 basis points increase in 2021 alone --- suggests the growing recognition of data ransom as a lucrative endeavour in the cybercriminal space. Front-page coverage of ransomware attack and fines also amplified the negatives for a company's software reliability, implying the importance of being aware of its intrusion and having mitigation tools implemented.

(Diagram from Verizon's DBIR 2022)

High internal privilege misuse

A high number of 176 instances alone in 2021 suggests not just the need for building access privilege trust within the company, but also the convenience of doing so. From a security operations standpoint, this implies the ease of granting privileges and the over-granting of privileges within the corporation.

A simple example of over-privilege: allowing of a user or role to access another resource they were not supposed to have access to.

On the HIPAA end, with 22% of data exfiltrated medical-related, it suggests many healthcare companies are still lacking the right system and infrastructure in place to ensure data security posture and compliance.

Internal actors still prevalent

Internal threats are still a constant in the industry. 15 years in, breaches by internal actors still hold a steady percentage of just below 20%. Even though it is the biggest count, it does not suggest not making the checks and balances needed. Internal actors in fact exfiltrate 10x more records than external ones.

The back-of-the-napkin math[1] suggests that internal actors are 2.5x more dangerous than external ones, since count of records are the basis of many breach violation fines.

Diagram from Verizon's DBIR 2022

2R = 0.2 * 10R for internal
0.8R = 0.8 * 1R for external

What you as a security engineer can do

We covered different insights that all coincides to have a proper data security management program, and having the right process to cover all data exposure is key before figuring out the tools needed.


The first thing to do is to discover all data sources in your company. This means not sure the deployment infrastructure you have (AWS, GCP, Azure), but also all applications where data is in human or bot motion (e.g. Slack, GDrive, Jira). There can also be databases that are hidden in plain sight which are deployed within container instances that need to be mapped out as well. Logs of containers can also sometimes leak sensitive information if error handing is not dealt with proper. Having access to all of them would be crucial for the next step.


The next step is to classify your data into the ones that are sensitive, which are usually user personal information, and the ones that are not. With access, use a strong sensitive data classification tool (paid or open sourced) to determine which data sources are sensitive. This determination would allow you to know which databases to prioritize and monitor, amongst the different other things you have to do as a security engineer.

Classification also entails constantly updating them to be up-to-date with the newest data. For databases, this can either be hooking up the data classification tool, or having them hooked up to a data catalog for decentralised tagging across departments, or both. Consistent and constant updating is also especially important for corporate applications like Slack where sensitive data is being shared constantly on a day-to-day basis.


This next step is very crucial, because it would determine how secure your databases are. Configuring in simple terms would be to add the necessary encryption and authentication needed to ensure tight access to only the right personnel. It can also mean building the right alerts for when new sensitive data is introduced into your tracked databases, or when sensitive data is leaked due to error handling in code or when data is in motion via employee sharing. Configuration can be a science (and not rocket science) with the right tools in place.


After discovering, classifying, and setting up the basic configurations, when sensitive data is discovered, a strong and tight process will be required to ensure that the data is properly tracked, permissioned, access revoked, deleted etc. which is what remediation is all about. This means having the right tools to perform remediation at scale, and also to verify that the remediation has indeed happened.

All steps combined

It might seem daunting for a security engineer or even a team of engineers to build such workflows to cover all data sources. This is what Borneo is built for, to help you automate your Discovery, Classification, Configuration, and Remediation at the scale of all your data sources --- a data security platform to ensure your customers' and employees' sensitive information are properly secured.


Verizon's DBIR 2022 has provided us with new insights that we are happy to share with readers and customers to help you understand the data security trends, so that you can know what needs to be done to secure your data assets from leaks and breaches. We hope to share more of such insights in the future.

To learn more about Borneo, do request a demo with us, or drop us an email at [email protected].



Similar Posts

Remote Work @ Borneo (from day 1)

Teck Wu3/28/2023 - 6 Min Read

10x Engineer — Learning your tools and other hacks

Teck Wu4/3/2023 - 7 Min Read

Privacy Observability — Why Is It Needed Urgently?

Teck Wu4/4/2023 - 4 Min Read

Choose real-time data protection. Choose Borneo.

Manage risk, increase trust, and accelerate innovation across your entire data ecosystem.