2025 Data Breach Investigations Report: Third-party breaches double
The exploitation of vulnerabilities has seen another year of growth as an initial access vector for breaches, reaching 20%, according to Verizon’s 2025 Data Breach Investigations Report. Researchers analyzed 22,052 real-world security incidents, of which 12,195 were confirmed data breaches. This was an increase of 34% in relation to last year’s report.
The presence of ransomware, with or without encryption, saw significant growth, a 37% increase from last year’s report. It was present in 44% of all the breaches researchers reviewed, up from 32%. However, the median amount paid to ransomware groups has decreased to $115,000 (from $150,000 last year).
64% of the victim organizations did not pay the ransoms, which was up from 50% two years ago. This could be partially responsible for the declining ransom amounts. Ransomware payments on the blockchain decreased by 35% last year.
Ransomware is also disproportionately affecting small organizations. In larger organizations, ransomware is a component of 39% of breaches, while SMBs experienced ransomware-related breaches to the tune of 88% overall.
With regard to stolen credentials, analysis performed on infostealer credential logs revealed that 30% of the compromised systems can be identified as enterprise-licensed devices. 46% of those compromised systems that had corporate logins in their compromised data were non-managed and were hosting both personal and business credentials.
GenAI usage rises
A closer-to-home emerging threat from AI is the potential for corporate-sensitive data leakage to the GenAI platforms themselves, as 15% of employees were routinely accessing GenAI systems on their corporate devices (at least once every 15 days).
Even more concerning, a large number of those were either using non-corporate emails as the identifiers of their accounts (72%) or were using their corporate emails without integrated authentication systems in place (17%), most likely suggesting use outside of corporate policy.
Although the involvement of the human element in breaches remained roughly the same as last year, hovering around 60%, the percentage of breaches where a third party was involved doubled, going from 15% to 30%. There were notable incidents this year involving credential reuse in a third-party environment; researchers found that the median time to remediate leaked secrets discovered in a GitHub repository was 94 days.
While the use of stolen credentials has decreased to 22%, it’s still the leading method of data breaches. Phishing remains around 15%.
The rise in vulnerability exploitation is linked to the surge in edge device vulnerabilities in 2024. In espionage-motivated breaches, vulnerability exploitation as an initial access vector reaches as high as 70%.
“The number of new vulnerabilities disclosed continues to increase sharply, giving cyber defenders a never-ending ‘to-do list.’ Generally, the most critical vulnerabilities should be at the top of the list, especially for edge devices that serve as a metaphorical door into your environment. However, the context around vulnerabilities – where a given vulnerability exists in your environment, what data or systems are potentially at risk, ease of exploitation, the existence of a proof-of-concept, and so much more – drives informed prioritization and remediation. The biggest, baddest vulnerability could be a non-issue in some circumstances depending on context,” Scott Caveza, senior staff research engineer at Tenable, told Help Net Security in an email.
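As an added illustration of the context-driven prioritization described in the quote above (example code written for this page, not code from the report or from Tenable), the following Python rescales a context-free base score by reachability, edge exposure, public proof-of-concept and data sensitivity. The weights, the scoring formula and the sample findings are constructed assumptions, and the vulnerability labels are placeholders, not real CVE numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder label, not a real CVE number
    base_severity: float    # context-free base score, 0.0 to 10.0
    reachable: bool         # vulnerable code actually enabled and reachable
    edge_exposed: bool      # lives on an internet-facing edge device
    public_poc: bool        # a public proof-of-concept exists
    data_sensitivity: int   # 0 none, 1 internal, 2 regulated/confidential

# Assumed weights for the context factors; they sum to 1.0.
WEIGHT_EDGE, WEIGHT_POC, WEIGHT_DATA = 0.4, 0.3, 0.3

def contextual_score(f: Finding) -> float:
    """Rescale the base score by where the flaw sits and how exploitable
    it is in this environment. Returns a value from 0.0 to 10.0."""
    if not f.reachable:
        # Present but disabled or unreachable: keep it on the list, at the bottom.
        return round(f.base_severity * 0.1, 1)
    context = (WEIGHT_EDGE * f.edge_exposed
               + WEIGHT_POC * f.public_poc
               + WEIGHT_DATA * f.data_sensitivity / 2)
    # A reachable flaw with no aggravating context keeps 30% of its base score.
    return round(f.base_severity * (0.3 + 0.7 * context), 1)

def tier(score: float) -> str:
    """Map a contextual score to a remediation bucket (assumed thresholds)."""
    if score >= 7.0:
        return "patch now"
    if score >= 4.0:
        return "schedule"
    return "track"

def prioritize(findings):
    """Return (id, score, tier) tuples, highest contextual score first."""
    scored = [(f.vuln_id, s, tier(s))
              for f in findings for s in [contextual_score(f)]]
    return sorted(scored, key=lambda row: row[1], reverse=True)

# Constructed sample findings: same base scores, very different context.
SAMPLE = [
    Finding("VULN-A", 9.8, True, False, False, 1),  # critical, internal host, no PoC
    Finding("VULN-B", 7.5, True, True, True, 2),    # high, edge VPN, public PoC, PII
    Finding("VULN-C", 9.8, False, True, True, 2),   # critical, but module disabled
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Running it ranks the "high" edge-device finding with a public PoC above the two "critical" ones, which is the point of the quote.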
Business Email Compromise
BEC is big business. In 2024 alone, according to the FBI IC3, more than $6.3 billion was transferred as part of these scams. Although the total number is increasing, the median amount of money extracted from victims has become relatively consistent and has settled around the $50,000 mark.
In terms of how the money is sent, cybercriminals still by and large prefer to pilfer via wire transfer, which made up approximately 88% of all BEC proceeds.
About 88% of the breaches involve the use of stolen credentials, which sometimes serves as both the first and only action, while other times, it is just one piece of a larger attack chain.
In 2024 alone, more than 2.8 billion passwords (hashed or otherwise) were posted for sale (or free for the taking) in criminal forums. In addition to passwords (regardless of hash status), researchers found email addresses (61% of breaches), phone numbers (39%), government-issued IDs (22%) and even the occasional passport (1.8%).
Not only do these compromised databases add to the pool of potentially compromised passwords, but they’re also handy for criminals looking to collect various key personal information on individuals for follow-up fraud and social attacks.
Various sectors
The educational services sector saw a decrease in both the number of incidents and the number of breaches. External actors are behind 62% of the attacks, with 59% of those being organized crime.
Financially motivated threat actors still dominate attacks on the financial and insurance sector, targeting nearly any data they can access. However, espionage-driven attacks are on the rise this year.
The healthcare sector remains a prime target for cyberattacks and shows a slight increase in incidents and breaches this year. The report notes 1,710 incidents, 1,542 with confirmed data disclosure.
The manufacturing industry experienced a rise in the number of breaches this year, with 1,607 confirmed data breaches as opposed to only 849 last year. Although the majority of threat actors targeting this sector continue to be financially motivated external actors (87%), it is quite interesting that 20% of manufacturing breaches had the motive of espionage (compared to only 3% last year).
The retail industry has seen an increase in cyber incidents, though the focus has shifted from payment card data to other data types that are easier to access.
Ransomware remains a major threat, hitting 30% of breaches across all levels of government. 43% of ransomware victims represent local governments in the U.S. in locations such as the Southeast and Midwest. Councils are also being targeted across the world, notably in Europe, Middle East and Africa (EMEA).
“This year’s DBIR findings reflect a mixed bag of results. Glass-half-full types can celebrate the rise in the number of victim organizations that did not pay ransoms, with 64% not paying vs 50% two years ago. The glass-half-empty personas will see in the DBIR that organizations that don’t have the proper IT and cybersecurity maturity – often the SMB-sized organizations – are paying the price for their size, with ransomware being present in 88% of breaches,” said Craig Robinson, Research Vice President, Security Services at IDC.