Introduction to Regions

  • This edition of the DBIR marks the third year that we have analyzed incidents and presented them from a macro-region perspective. It is our hope that our readers find this more global view of cybercrime helpful and informative. As we have mentioned in the past, we have greater or lesser visibility into a given region based on numerous factors such as contributor presence, regional disclosure regulations, our own caseload and so on.

    If you reside and work in a part of the world that is not mentioned in the following pages, please contact us about becoming a data contributor and encourage other organizations in your area to do the same, so that we may continue to expand and refine our coverage each year. It is important to keep in mind that if you do not see your region represented here it does not necessarily mean that we have no visibility at all into the region, but simply that we do not have enough incidents in that geographic location to be statistically relevant for a stand-alone section.

    We define the regions of the world in accordance with the United Nations M49 standard, which combines the super-region and sub-region of a country together. By so doing, the regions we will examine are as follows:

    APAC: Asia and the Pacific, including Southern Asia (034), South-eastern Asia (143), Central Asia (143), Eastern Asia (030) and Oceania (009)

    EMEA: Europe, Middle East and Africa, including North Africa (002), Europe and Northern Asia (150) and Western Asia (145)

    NA: Northern America (021), which primarily consists of breaches in the United States and Canada

    LATAM: Latin America and Caribbean, which consists of breaches in South America (005), Central America (013) and Caribbean (029)

  • Asia Pacific (APAC)

    Frequency: 4,114 incidents, 283 with confirmed data disclosure

    Top patterns: Social Engineering, Basic Web Application Attacks, and System Intrusion represent 98% of breaches

    Threat actors: External (98%), Internal (2%) (breaches)

    Actor motives: Financial (54%), Espionage (46%), Secondary (1%) (breaches)

    Data compromised: Credentials (72%), Internal (26%), Secrets (18%), Other (11%) (breaches)

    What is the same? Basic Web Application Attacks and Social Engineering continue to be persistent threats for this region.

    Summary: APAC experiences a high number of Social and Hacking related attacks, but has a much lower number of ransomware cases than other areas.


    This year in APAC we see the well-known trifecta of Hacking (58%), Social (48%), and Malware (36%) taking center stage. The majority of attacks were perpetrated by attackers with Financial (81%) motives. However, state-affiliated (19%) and nation-state (1%) actors with the motive of Espionage (19%) were rather common in APAC as well. 

    The predominant Hacking action was ‘Use of stolen credentials’ (83%), mostly used to compromise a web application (60%). The social attacks in this region accounted for approximately twice the number we saw in other regions, and consisted almost exclusively of Phishing (99%). Similar to last year, we saw a comparatively low number of ransomware cases in APAC. Ransomware was involved in 10% of breaches in APAC as opposed to the overall dataset average of 25%.

    There were a substantial number of defacement attacks in this region this year (over 2,800), which pushed the attribute of “Integrity” up to 75% of incidents. This is interesting in that our data does not reflect a high number of defacements in other areas of the world. And while a nuisance, they usually have a lesser impact than a ransomware case, for example.

  • Europe, Middle East and Africa (EMEA)

    Frequency: 1,093 incidents, 307 with confirmed data disclosure

    Top patterns: Social Engineering, System Intrusion and Basic Web Application Attacks represent 97% of breaches

    Threat actors: External (97%), Internal (3%) (breaches)

    Actor motives: Financial (79%), Espionage (21%) (breaches)

    Data compromised: Credentials (67%), Internal (67%), Secrets (20%), Other (18%) (breaches)

    What is the same? The patterns are the same top three, but they have rearranged themselves in order. External actors continue to perpetrate the vast majority of breaches in this region.

    Summary: The rise of the Social Engineering pattern in this region illustrates the need for controls to detect this type of attack quickly. Credential theft remains a large problem as well, as illustrated in the continued persistence of the Basic Web Application Attacks pattern in EMEA.

  • The EMEA region, covering Europe, the Middle East and Africa, has seen a sharp increase in the Social Engineering pattern in the past year (to almost 60% of breaches). While the same three patterns continue to afflict the region, Social Engineering was in third place in last year’s data. At the same time, we saw Basic Web Application Attacks plummet (Figure 108). In last year’s report, they accounted for over 50% of the breaches in this region, but have now dropped to the 15% range. The more complex System Intrusion pattern, however, continues to thrive and still holds second place at 30%.

    Credential theft remains a problem in this region. Regardless of how threat actors obtain those credentials (the rise of Social Engineering provides a likely answer), once acquired, the credentials are used against your infrastructure. With the foothold this provides, attackers are then able to leverage their access to obtain more Credentials via Phishing, or utilize details gained from company emails to craft realistic pretexts as part of BEC attacks.

    Threat actors most commonly attack Web application servers as a means of gaining access (since they are the most easily reached via the internet), along with Email servers. Email servers provide both an opportunity to mine the account’s contents for interesting internal company data for espionage, and a venue to gain more access via phishing other employees. In terms of the people being targeted, unsurprisingly, phishers like to compromise people in Finance since they have convenient access to the organization’s money transfer capabilities. If they can convince one of those targets to send them currency under the guise of a legitimate transaction, they don’t need to worry about monetizing data.

  • Northern America (NA)

    Frequency: 4,504 incidents, 1,638 with confirmed data disclosure

    Top patterns: System Intrusion, Social Engineering, and Basic Web Application Attacks represent 90% of breaches

    Threat actors: External (90%), Internal (10%), Multiple (1%) (breaches)

    Actor motives: Financial (96%), Espionage (3%), Grudge (1%) (breaches)

    Data compromised: Credentials (66%), Internal (21%), Personal (20%), Other (20%) (breaches)

    What is the same? The top three patterns remain the same, only their order has changed. External actors continue to hold sway in breaches in this region.

    Summary: The System Intrusion pattern has become the dominant pattern in this region. Social Engineering gave way as System Intrusion increased, but there remains a large problem with social actions such as Phishing in Northern America. Basic Web Application Attacks continue to beset organizations here as well.

     

    Since our dataset shows a strong Northern American (NA) bias, we find that as this region goes, so goes the dataset. This is nowhere more evident than when looking at the top three patterns for Northern America. These three mirror the top patterns for the full dataset. The bias is due to a combination of things. First of all, the breach disclosure laws in NA are quite robust, and they continue to evolve. Determining all the places you must report a breach to in Northern America almost requires a decoder ring and Magic 8 Ball. In addition to this, most of our data sharing contributors have excellent visibility into the NA region, in both private and public sectors. And, frankly, our English is excellent, our French and Portuguese passable, but beyond that our linguistic facilities falter. All of this means we have very good data on this region–more so than any other.

    We can see in Figure 109 that, while the Social Engineering pattern has held sway for some time as the top pattern in breaches, last year showed a change. The top pattern is now System Intrusion, which is also where most of the Ransomware cases reside. It is surely no secret that Ransomware has been rising for several years and has become quite prominent in our data.

    In fact, for cases where malware is present, Ransomware is by far the most common variety (Figure 110). Increasingly over the past several years, this attack has the one-two punch of causing both a loss of access to the data, and the need to report a data breach as the actors have also taken a copy of the organization’s data. 

  • With our Social Engineering pattern comes Social actions, of course. The most common is a straight-up Phish, with Pretexting coming in second (Figure 111). 

    Pretexting takes more work, so it may be employed against higher-value targets. We see this in cases where a Business Email Compromise attack offers up a fake invoice or something similar to attempt to get either money or banking info from the target. As expected, people in the Finance function of the organization are likely to be the target of more advanced attacks.

    In attacks that result in confirmed data breaches, the data type most frequently stolen is, unsurprisingly, Credentials. They are stolen more often than the next two most common varieties combined. Perhaps Credentials are like popcorn, you cannot steal just one.

  • Latin America and the Caribbean (LAC)

    Frequency: 92 incidents, 24 with confirmed data disclosure

    Top patterns: System Intrusion, Denial of Service, and Social Engineering represent 88% of incidents

    Threat actors: External (95%), Internal (7%), Multiple (1%) (incidents)

    Actor motives: Financial (92%), Convenience (3%), Espionage (2%), Grudge (2%), Other (2%) (incidents)

    Data compromised: System (51%), Credentials (40%), Internal (21%), Other (12%) (incidents)

    What is the same? Financially motivated actors continue to be the main threat actors in this region.

    Summary: Much like the rest of the world, Latin American businesses face attacks targeting the functioning of their businesses, such as Ransomware and Denial of Service attacks. These attacks account for 37% and 27% of incidents respectively.

     

    Water might spin in the opposite direction in the Southern Hemisphere, but breaches and incidents seem to go down just as they do elsewhere. Unfortunately, our data collection for this section of the world is still very sparse, and we’re still in need of partners to help us round out our understanding of what’s going on with our friends in the South. If your organization operates in this region please reach out and join us. 

    Figure 113 provides a breakdown of what industries have been breached in Latin America. While we don’t necessarily have a large number of breaches, we certainly have a diverse collection of compromised organizations, with over 40% of victims not from the top six.

    Just like their Northern American counterparts, Latin American industries face the looming threat of ransomware. This attack type accounts for over 30% of their incidents. This is followed by the ever-present DoS attack. This region of the world also experiences its fair share of Phishing attacks and Stolen credentials, which we realize may be beginning to sound like a broken record. Or erg… would a buffering looping advert be the modern equivalent? At this point we’re beginning to get the feeling that some of these attacks are universal to anyone who has some form of internet presence. 
