2024 Data Breach
Investigations Report
Manufacturing Snapshot
[Cover graphic labels: Phishing; Exploit vulnerabilities; Credentials; Desktop sharing; Email; VPN; Web applications]
About the cover
This year, the report is delving deeper
into the pathway to breaches in an effort
to identify the most likely Action and
vector groupings that lead to breaches
given the current threat landscape. The
cracked doorway on the cover is meant
to represent the various ways attackers
can make their way inside. The opening
in the door shows the pattern of our
combined “ways-in” percentages (see
Figure 7 of the full report for a more
straightforward representation), and
it lets out a band of light displaying a
pattern of the Action vector quantities.
The inner cover highlights and labels
the quantities in a less abstract way.
Hope you enjoy our art house phase.
Table of contents
Welcome
Summary of findings
Incident Classification Patterns
Insights for Manufacturing
2024 Data Breach Investigations Report Manufacturing Snapshot 4
Welcome
Hello, and welcome to the Verizon Data Breach Investigations
Report (DBIR) Manufacturing Snapshot.
The DBIR aims to provide security professionals with an in-depth analysis of data-driven, real-world instances of cybercrime and how cyberattacks play out across organizations of different sizes as well as from different verticals and disparate geographic locations. We hope that by doing so, we can provide you with insight into what particular threats your organization is most likely to face and thereby help prepare you to handle them in the best possible manner.

As in past years, we will examine what our data has to tell us about threat actors and the tools they employ against enterprises. This year, we analyzed 30,458 real-world security incidents, of which 10,626 were confirmed data breaches (a record high!), with victims spanning 94 countries.

This data represents actual, real-world breaches and incidents investigated by the Verizon Threat Research Advisory Center (VTRAC) or provided to us by one of our global contributors without whose generous help this document could not be produced. We hope you can use this report and the information it contains to increase your awareness of the most common tactics used against organizations at large and your specific industry. It offers strategies to help protect your company and its assets. Read the full report for a more detailed view of the threats you may face today at verizon.com/dbir.

About the 2024 DBIR incident dataset
Each year, the DBIR timeline for in-scope incidents is from November 1 of one calendar year through October 31 of the next calendar year. Thus, the incidents described in this year’s report took place between November 1, 2022, and October 31, 2023. The 2023 caseload is the primary analytical focus of the 2024 report, but the entire range of data is referenced throughout, notably in trending graphs. The time between the latter date and the date of publication for the report is spent in acquiring the data from our global contributors, anonymizing and aggregating that data, analyzing the dataset, and finally creating the graphics and writing the report.

Industry labels
This snapshot highlights important takeaways for the Manufacturing (NAICS 31–33) sector, which includes establishments engaged in the mechanical, physical or chemical transformation of materials, substances or components into new products.

In the DBIR, we align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level, and we will specify NAICS codes along with an industry label. For example, a chart with a label of Manufacturing (NAICS 31–33) is not indicative of 31–33 as a value. “31–33” is the code for the Manufacturing sector. Detailed information on the codes and the classification system is available here: https://www.census.gov/naics/?58967?yearbck=2012

30,458 security incidents investigated
10,626 confirmed breaches
Summary of findings
They’re exploiting our vulnerabilities.
Our ways-in analysis witnessed a
substantial growth of attacks involving
the exploitation of vulnerabilities as
the critical path to initiate a breach
when compared to previous years—
almost tripling (180% increase) from
last year. This was largely due to the
effect of MOVEit and similar zero-day
vulnerabilities, primarily leveraged by
ransomware and other extortion-related
threat actors using Web applications as
their initial entry points.
Figure 1. Select ways-in enumerations in non-Error, non-Misuse breaches (n=6,963)
Ransomware and Extortion are significant threats.
Roughly one-third of all breaches
involved Ransomware or some other
Extortion technique. Pure Extortion
attacks have risen over the past year
and are now a component of 9% of all
breaches. Ransomware actors have
moved toward these newer techniques,
resulting in a bit of a decline in
Ransomware to 23%. However,
when combined, they represent a
strong growth to 32% of breaches.
Additionally, Ransomware was a top
threat across 92% of industries.
Figure 2. Ransomware and Extortion breaches over time
We’ve identified the most common ways in.
We have revised our calculation of
the human element in breaches to
exclude malicious Privilege Misuse
to provide a clearer metric of what
security awareness can impact. For
this year’s dataset, the human element
was a component of 68% of breaches,
roughly the same as the previous
period described in the 2023 DBIR.
In this issue, we are introducing
an expanded concept of a breach
involving a third party to include partner
infrastructure being affected and
direct or indirect software supply chain
issues—including when an organization
is affected by vulnerabilities in third-
party software. In short, these are
the breaches an organization could
potentially mitigate or prevent by trying
to select vendors with better security
track records. We see this figure at
15% this year, a 68% increase from the
previous year, mostly fueled by the use
of zero-day exploits for Ransomware
and Extortion attacks.
Our dataset saw a growth of breaches
involving Errors, now at 28%, as we
broadened our contributor base to
include several new mandatory breach
notification entities. This validates
our suspicion that errors are more
prevalent than media or traditional
incident response–driven bias would
have us believe.
Figure 3. Select key enumerations in breaches
Falling for Phishing happens fast.
The overall reporting rate of Phishing
has been growing over the past few
years. In security awareness exercise
data contributed by our partners during
2023, 20% of users reported phishing
in simulation engagements, and 11%
of the users who clicked the email
also reported. This is welcome news
because the median time to click on a
malicious link after the email is opened
is 21 seconds and then only another
28 seconds for the person caught in
the phishing scheme to enter their
data. This leads to an alarming finding:
The median time for users to fall for
phishing emails is less than
60 seconds.
Figure 4. Phishing email report rate by click status
They go where the money is.
Financially motivated threat actors
will typically stick to the attack
techniques that give them the most
return on investment.
Over the past three years, the
combination of Ransomware and other
Extortion breaches have accounted for
almost two-thirds (fluctuating between
59% and 66%) of those attacks.
According to the FBI’s Internet Crime
Complaint Center (IC3) ransomware
complaint data, the median loss
associated with the combination of
Ransomware and other Extortion
breaches has been $46,000, ranging
between $3 (three dollars) and
$1,141,467 for 95% of cases. We also
found from ransomware negotiation
data contributors that the median
ratio of initially requested ransom
and company revenue is 1.34%, but it
fluctuated between 0.13% and 8.3% for
80% of the cases.
Figure 5. Select action varieties in Financial motive over time
Similarly, over the past two years, we
have seen incidents involving Pretexting
(the majority of which had Business
Email Compromise [BEC] as the
outcome) accounting for one-fourth
(ranging between 24% and 25%) of
financially motivated attacks. In both
years, the median transaction amount
of a BEC was around $50,000.
Incident Classification Patterns
The DBIR first introduced the Incident Classification Patterns in 2014 as a useful
shorthand for scenarios that occurred very frequently. In 2022, due to changes in
attack type and the threat landscape, we revamped and enhanced those patterns,
moving from nine to eight—the seven you see in this report and the Everything Else
“pattern,” which is a catch-all for incidents that don’t fit within the orderly confines
of the other patterns.
These patterns are based on an elegant machine-learning clustering process,
equipped to better capture complex interaction rules, and they are much more
focused on what happens during the breach. That makes them better suited for
control recommendations, too.
Here are our key findings for each pattern:
System Intrusion
These are complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware.
Ransomware attacks continue to drive the growth of this pattern as they now account for 23% of all breaches and 70% of the incidents within System Intrusion.
• Ransomware (or some type of Extortion) appears in 92% of industries as one of the top threats.
• Analyzing the FBI Internet Crime Complaint Center dataset this year, we found that the median adjusted loss (after law enforcement worked to try to recover funds) for those who did pay was around $46,000.
• Traditional Ransomware’s prevalence declined slightly to 23%. However, roughly one-third (32%) of all breaches involved some type of Extortion technique, including Ransomware. The meteoric growth of Extortion attacks made this combined threat stand out in our dataset.

Social Engineering
This attack involves the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.
More than 40% of incidents involved Pretexting, and 31% involved Phishing. Other tried-and-true tactics include attacks coming in via email, text and websites.
• Phishing and Pretexting via email continue to be the leading cause of incidents in this sector, accounting for 73% of breaches.
• The median time for users to fall for phishing emails is less than 60 seconds.
• More than 20% of users identified and reported phishing per engagement, including 11% of the users who did click the email.
• Over the past two years, roughly one-fourth (between 24% and 25%) of financially motivated incidents involved Pretexting, the majority of which resulted in a Business Email Compromise (BEC). In both years, the median transaction amount of a BEC was around $50,000. [1]
[1] According to the FBI’s Internet Crime Complaint Center ransomware complaint data

Basic Web Application Attacks
These attacks are against a web application, and after the initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.
Financially motivated external actors continue to target credentials and personal information.
• Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches.
• Our dataset shows just over 8% of breaches in the Basic Web Application Attacks pattern.
• After examining postings from marketplaces dedicated to selling and reselling credentials and cookies collected from password stealers, we found that 65% of these credentials were posted for sale on criminal forums less than one day from when they were collected.
• There is no substantial difference between large organizations (55%) and small organizations (47%) in the Basic Web Application Attacks pattern.

Miscellaneous Errors
Incidents where unintentional actions directly compromised a security attribute of an information asset fall into this pattern. This does not include lost devices, which are grouped with theft instead.
More than 50% of errors were the result of Misdelivery, continuing last year’s trend, while other errors, such as Disposal, are declining.
• Misconfiguration is the next most common error and was seen in approximately 10% of breaches.
• Classification errors, Publishing errors and Gaffes (verbal slips) are all relatively tightly packed in order of mention. Disposal errors continue to decline ever so slightly (as has been the general trend for the last several years) and accounted for just over 1% of the cases in this pattern.
• End-users now account for 87% of errors, emphasizing the need for universal error-catching controls across industries.

Denial of Service
These attacks are intended to compromise the availability of networks and systems. This includes both network and application layer attacks.
Denial of Service is responsible for more than 50% of incidents analyzed this year.
• Our ongoing analysis of content delivery network (CDN)-monitored, web application-focused Denial of Service attacks shows that even though the median attack size has reduced slightly from 2.2 gigabits per second (Gbps) to 1.6 Gbps, the 97.5th percentile of those attacks increased to 170 Gbps from the previous high of 124 Gbps.
• Subject matter experts (SMEs) continue to report the growth of low-volume, persistent attacks on high-interaction services such as Domain Name System (DNS).

Lost and Stolen Assets
Incidents where an information asset went missing, whether through misplacement or malice, are grouped into this pattern.
Devices are still much more likely to be lost than stolen. Laptops continue to be a risk for loss in particular.
• This year we saw a higher percentage of incidents involving Assets in this pattern causing confirmed data breaches, with last year showing about 8% confirmed breaches and this year showing a surprising 91%.

Privilege Misuse
These incidents are predominantly driven by unapproved or malicious use of legitimate privileges.
In our prior report, we saw collusion—multiple actors working in concert to achieve the goal of the breach—at 7%, which, while nowhere near the highs we saw back in 2019, was still a surprise. This year, things seem to have gone back to normal, and we are seeing collusion dropping to less than 1% of breaches.
• Employees are largely taking Personal data—this is likely about taking customers’ information.
• Internal actors are again largely working on their own in this pattern. The Financial motivation remains in ascension, while Espionage is a distant second. Personal data is still the main targeted data type.
• We saw Internal data show a bit of a spike this year as well, which would include sensitive plans and intellectual property that would attract the Espionage-motivated employee.
• Finally, Banking data is remaining mostly steady over time as a targeted data type.

Table 1. Incident Classification Patterns key findings
Insights for Manufacturing
NAICS 31–33

Frequency: 2,305 incidents, 849 with confirmed data disclosure
Top patterns: System Intrusion, Social Engineering and Miscellaneous Errors represent 83% of breaches
Threat actors: External (73%), Internal (27%) (breaches)
Actor motives: Financial (97%), Espionage (3%) (breaches)
Data compromised: Personal (58%), Other (40%), Credentials (28%), Internal (25%) (breaches)
What is the same? Two of the top patterns from last year are still in place. Financial motivation continues to be the driver behind most attacks.
Summary: Manufacturing has seen an increase in Error-related breaches. The installation of malware after hacking via the Use of stolen credentials is somewhat commonplace.

This year’s model
This year’s Manufacturing model comes with a new and improved feature: Errors! As in most other industries, Misdelivery is the error du jour, accounting for almost half (48%) of error-related breaches. As we have mentioned elsewhere, this is in part the result of contributor bias, but nevertheless, sending things to the incorrect recipient does appear to be somewhat widespread regardless of vertical. Loss and Misconfiguration round out the top three error varieties, and they account for approximately 20% and 18% of breaches, respectively.

System Intrusion continues to hold on to the top spot in Manufacturing. This is probably related to the still very effective combination of hacking via Use of stolen credentials (present in 25% of manufacturing breaches) to gain access to the environment and then the liberal application of Ransomware (involved in 35% of breaches in this vertical). It’s hard to keep the gadgets rolling off the assembly line when your data is locked up tight and someone else holds the keys.

Figure 6 (Figure 66). Top patterns over time in Manufacturing industry breaches (series shown: Social Engineering, System Intrusion, Miscellaneous Errors)
It’s your asset on the (manufacturing) line
Social Engineering remains steady with
regard to breaches in this vertical due
to action varieties such as Phishing
(55%) and Pretexting (42%). Apparently,
consumer feedback branded the Basic
Web Application Attacks pattern as so
2022, and it now languishes near the
bottom of the pattern rankings with the
likes of Privilege Misuse. In fact, the
asset of Server–Web app has been on a
slightly downward trajectory. Figure 67
illustrates this decline and also shows
the corresponding rise of Server–Mail.
This makes sense when, as mentioned
above, one considers that Phishing
remains prevalent in the Manufacturing
vertical. Of course, the credentials
typically obtained via phishing are those
that afford the criminal a foothold into
the organization via the email account
of the victim.
Figure 7 (Figure 67). Top Asset varieties over time in Manufacturing industry breaches
Figure 8 (Figure 68). Top Action varieties in Manufacturing industry breaches
Stay informed and threat ready.
Facing today’s threats requires intelligence from an authoritative
source of cybersecurity breach information.
The full DBIR contains details on the actors, actions and patterns that
can help you prepare your defenses and educate your organization.
Read the full 2024 DBIR at verizon.com/dbir.
Questions? Comments? Concerns? Love to share cute pet pictures?
Let us know! Send us a note at dbir@verizon.com, find us on LinkedIn, tweet
@VerizonBusiness with #dbir. Got a data question? Tweet @VZDBIR!
If your organization aggregates incident or security data and is interested in becoming a
contributor to the annual Verizon DBIR (and we hope you are), the process is very easy
and straightforward. Please email us at dbircontributor@verizon.com.
© 2024 Verizon. OGREP4030624