2020 Data Breach Investigations Report

Here we are at another edition of the DBIR. This is an exciting time for us as our little bundle of data turns 13 this year. That means that the report is going through a lot of big changes right now, just as we all did at that age. While some may harbor deeply rooted concerns regarding the number 13 and its purported associations with mishap, misadventure and misfortune, we here on the team continue to do our best to shine the light of data science into the dark corners of security superstition and dispel unfounded beliefs.

With that in mind, we are excited to ask you to join us for the report’s comingof- age party. If you look closely, you may notice that it has sprouted a few more industries here and there, and has started to grow a greater interest in other areas of the world. This year, we analyzed a record total of 157,525 incidents. Of those, 32,002 met our quality standards and 3,950 were confirmed data breaches. The resultant findings are spread throughout this report.

This year, we have added substantially more industry breakouts for a total of 16 verticals (the most to date) in which we examine the most common attacks, actors and actions for each. We are also proud to announce that, for the first time ever, we have been able to look at cybercrime from a regional viewpoint—thanks to a combination of improvements in our statistical processes and protocols, and, most of all, by data provided by new contributors—making this report arguably the most comprehensive analysis of global data breaches in existence.

We continue to use the VERIS framework to classify and analyze both incidents and breaches, and we have put additional focus on this process in order to improve how VERIS connects and interacts with other existing standards. We also aligned with the Center for Internet Security (CIS)4 Critical Security Controls and the MITRE ATT&CK®5 framework to improve the types of data we can collect for this report, and to map them to appropriate controls.

A huge “thank you” is in order to each and every one of our 81 contributors representing 81 countries, both those who participated for the first time in this year’s report, and those tried-andtrue friends who have walked this path with us for many years. This document, and the data and analysis it contains, would not be possible without you, and you have our most sincere thanks and heartfelt gratitude. And while we are on that topic, the way to continue to grow and improve is to have more quality organizations like yours join us in this fight against the unknown and the uncertain. Therefore, we urge you to consider becoming a data contributor and help us to continue to shed light into dark places.

Finally, thank you, our readers, for sticking with us these many years and for sharing your expertise, advice, encouragement and suggestions so that we can continue to make this report better each year.

Sincerely,
The DBIR Team