Top Risks

Lessons Learned From a Decade of Data Breaches

F5 Labs researched 433 breach cases spanning 12 years, 37 industries, and 27 countries to discover patterns in the initial attacks that lead to the breach.
December 07, 2017
30 min. read

Executive Summary

F5 Labs researched 433 breach cases spanning 12 years, 37 industries, and 27 countries to discover patterns in the initial attacks that lead to the breach.

We can only know about a small fraction of what’s really going on, as companies often don’t know when they have been breached. There’s always a complicated mix of visibility, logging, monitoring and alerting, and communication that has many opportunities to fail.



We also analyzed the primary root causes of the breaches, how that varied in breach remediation costs by industry, and the impact of these breaches on each data type breached on the global scale. The purpose of our analysis was to identify where organizations are most likely to be attacked in a way that will result in a breach so that efforts to mitigate attacks can be appropriately aligned.

These challenges result in only a small fraction of incidents being investigated and an even smaller amount of incidents being reported. That said, we think there are still valuable insights to be gained from these cases. Of the reported cases we analyzed, 79% of them had breach counts publicized, but only 49% had enough data to determine the initial attack vector, and only 40% a root cause. Finding a root cause can be tough. If you don’t have enough of the visibility and logging controls in place, you may never know how an attacker got in, what they took, and how much. If a company doesn’t know this information for a fact, there are many legal loopholes that excuse them from disclosing the incident at all. In some cases, this information is also held confidential due to law enforcement investigation—which is why we also reviewed the detailed court records of recent major breach cases.

Nevertheless, the number of breaches we know about, the types of data breached, and the total record counts and their impact is staggering. Here’s a summary of the most impactful findings:

  • Applications were the initial targets in 53% of breaches.
  • Identities were the initial targets in 33% of breaches.
  • Breaches that start with application attacks account for 47% of the breach costs but only 22% of the total breached records, making application attacks the costliest.


  • Breaches that start with identity attacks account for 75% of the total count of records but only 24% of the breach costs, making them the most bountiful attack target for attackers, and the least impactful on breached businesses.
    • The high record count plus low cost likely has something to do with the type of records breached. Email, usernames, and passwords are breached at the highest volume and are not yet regulated where costly disclosures are required. Yet these data elements are all an attacker needs to access business confidential systems, personal bank accounts, and so on.
  • Vulnerable forums installed on applications are the number one root cause of application attacks, followed by SQL injection.
  • Out of 338 cases with confirmed breach data:
    • 11.8 billion records were compromised, an average of almost 35 million records per breach!
    • 10.3 billion usernames, passwords, and email accounts were breached. That’s 1.36 records per person on the planet, or 32 records per US citizen.
    • 280 million social security numbers (SSNs) were breached, which is equal to 86.5% of the US population.
  • There have been so many breaches that attacker databases are enriched to the point where they can impersonate an individual and answer secret questions to get direct access to accounts without ever having to work through the impacted party.
  • Dating and adult sites are compromised frequently, some of which contain the most deeply personal information about individuals, including sexual orientation and fetishes.
  • Both definitions of “social engineering” are now applicable for cyberattacks:



To see the full version of this report, click “Download” below.

Join the Discussion
Authors & Contributors
Sara Boddy (Author)
Raymond Pompon (Author)

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read