Verizon DBIR Reports an Increase in Vulnerability Exploitation and Healthcare Espionage Breaches

Apr 27, 2025 | Healthcare Industry News

According to the Verizon 2025 Data Breach Investigations Report (DBIR), vulnerability exploitation as the initial access vector into victim systems increased by 34%, to 20%. Nearly 22% of breaches involved compromised credentials. Phishing was involved in 16% of all breaches, making it the third most frequently used initial access vector.

Verizon has published the DBIR annually since 2007. This year's report covers 22,052 security incidents in 139 countries from November 1, 2023, to October 31, 2024. The data comes from investigations performed by the Verizon Threat Research Advisory Center, along with anonymized information provided by entities such as the UK National Crime Agency, the Federal Bureau of Investigation, CERT-EU, and others. The report distinguishes security incidents from data breaches: an incident is a security event that impacted the confidentiality, integrity, or availability of a data asset, whilst a breach entails unauthorized access to information. Of the 22,052 security incidents in the data, 12,195 were determined to be breaches due to unauthorized access to sensitive information.

The rise in vulnerability exploitation was driven partly by zero-day exploits (22% of all vulnerability exploitation incidents) used to gain access to edge and VPN devices. Verizon states that only around 54% of vulnerabilities in edge and VPN devices were completely resolved throughout the year. The median time to remediation was 32 days, which shows how hard companies find it to resolve vulnerabilities in edge devices.

There were more ransomware attacks last year, with 44% of confirmed breaches due to ransomware, up from just 37% the previous year. Threat actors used ransomware more commonly in cyberattacks on SMEs (88%) than on big companies (44%). Although there were more attacks, the number of victims paying a ransom and the amount paid both dropped. In 2024, 36% of victims paid the ransom compared to 50% the previous year. The median ransom payment was $115,000 compared to $150,000 the previous year.

It is hard to ascertain the extent of data theft achieved by infostealer malware. Based on the analysis of infostealer credential records, 30% of the compromised systems were organization-licensed devices, while 46% were non-licensed, which means they were used under a BYOD program or outside permitted policy. 54% of ransomware attack victims found their domains in credential dumps, while 40% saw their company email addresses included in breached credentials. This means that their credentials were used in ransomware attacks through initial access brokers.

The share of breaches involving a human factor remained at around 60% of all breaches year-over-year. Breaches involving a third party notably increased from 15% (2023) to 30% (2024). Cyberespionage incidents likewise increased substantially in 2024, accounting for 17% of breaches. 70% of cyberespionage breaches used vulnerability exploitation as the initial access vector. Cyberespionage conducted by nation-state actors has usually focused on data theft, but this year, 3 of 10 attacks were financially motivated, particularly attacks by North Korean and Iranian threat actors.

Verizon’s data includes 1,710 security incidents at HIPAA-covered healthcare companies and 1,542 healthcare breaches. In 2024, miscellaneous issues accounted for most of the breaches; however, they decreased significantly while system attacks increased. 67% of breaches were associated with external threat actors, 30% were due to insiders, 4% were by partners, and 1% were by multiple actors. Most attacks on the industry (90%) were financially driven, though 16% involved an espionage objective. The rise in espionage as a motive is alarming: 1% of data breaches in 2023 had an espionage motive, and the figure jumped to 16% in 2024. Verizon states that espionage-centered attacks can be performed by a new kind of threat actor that is more difficult to trace than ransomware groups.

The Everything Else category, which holds breaches that do not fit any of the other categories, also grew in 2024. Data on healthcare breaches is usually acquired from breach notification letters, which normally do not have enough details about the reason for the breach. Breach victims, for their part, are not given enough information to evaluate the degree of risk they face.
