Election Security Spotlight – Verizon Data Breach Report 2019

What it is

The Verizon Data Breach Investigations Report (DBIR) is an annual report produced by the Verizon Threat Research Advisory Center (VTRAC). The 2019 report is the 12th installation of its kind produced by VTRAC. The DBIR focuses specifically on breaches rather than incidents in general. An incident is a security event that compromises the integrity, confidentiality or availability of an information asset. A breach is an incident that results in the confirmed disclosure of data to an unauthorized party. The report provides analysis on data breach trends affecting a variety of sectors, including public administration, healthcare, and education.

Why does it matter

Election officials should be aware of trends and patterns in data breach incidents as the consequences of a breach remain long after the conclusion of the incident response process. This is of heightened concern for election offices as 16% of the breaches identified by VTRAC affected public sector entities. Election offices should be aware of the major trends associated with data breaches in order to better prioritize their defenses. For example, cyber-espionage, privilege misuse, and insider errors represent 72% of all breaches affecting the public sector, while phishing was the most pervasive attack vector resulting in data breaches overall, so priority should be given to protecting against those particular threats. Additionally, election-related data breaches, legitimate or hoaxed, often receive increased scrutiny in the media, so understanding the common vectors and methods will allow election officials to better communicate in the event of an incident.

What you can do

Election officials should review the attached summary of the Verizon DBIR. The information in the report should be considered when creating data security policies. To address the major trends affecting the public sector, the EI-ISAC recommends election offices should take the following steps:

  • Election officials should work with their security staff to create policies and enact training programs to mitigate the risks posed by phishing attacks. DHS offers no-cost phishing campaign assessments through its National Cybersecurity Assessments and Technical Services (NCATS) program.
  • Ensure that incident response plans account for cyber incidents, including data breaches. The EI-ISAC/MS-ISAC Business Resiliency Workgroup provides templates and guides that can be used as a starting point.
  • Incident response plans should be tested prior to the occurrence of an incident to facilitate a speedy recovery. Quick tabletop exercises that can assist with planning a response are also available through the EI-ISAC.
  • Ensure the principle of least privilege is followed to restrict access to sensitive information to a need to know basis.


The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].