Verizon 2025 DBIR Key Findings: Data Breach Trends and Cybersecurity Insights

📌 Key Takeaways

  • Record-breaking dataset: The 2025 DBIR analyzed 22,052 incidents and 12,195 confirmed breaches across 139 countries — the largest dataset in the report’s 18-year history.
  • Ransomware surges 37%: Ransomware appeared in 44% of all breaches, up from 32%, while the median ransom payment dropped to $115,000 as 64% of victims refused to pay.
  • Vulnerability exploitation grows 34%: Exploitation of vulnerabilities reached 20% of initial access vectors, with edge device and VPN targeting growing nearly eight-fold.
  • Third-party risk doubles: 30% of breaches involved a third party, up from 15%, underscoring the critical importance of supply chain security management.
  • Credential abuse persists: At 22%, credential-based attacks remain the top initial access method, with infostealers compromising both managed and unmanaged devices.

Understanding the Verizon 2025 DBIR Scope and Methodology

The Verizon 2025 Data Breach Investigations Report is the most comprehensive edition in the report’s eighteen-year history. With 22,052 real-world security incidents and 12,195 confirmed data breaches spanning 139 countries, this year’s edition provides an unprecedented view into the global threat landscape. The data draws from Verizon’s own Threat Research Advisory Center case files, contributions from global cybersecurity partners, and publicly disclosed security incidents cataloged using the North American Industry Classification System.

What makes the 2025 DBIR particularly significant is the scale of confirmed breaches. The 12,195 confirmed breach figure represents the highest number ever analyzed in a single report, giving security professionals and organizational leaders a statistically robust foundation for strategic decision-making. The report classifies incidents into distinct patterns — System Intrusion dominating at 53% (up from 36%), followed by Social Engineering at 17%, Miscellaneous Errors at 12%, and Basic Web Application Attacks at 12%. This shift toward System Intrusion reflects the increasingly sophisticated nature of threat actors who combine multiple techniques to achieve their objectives.

For organizations seeking to understand their cybersecurity posture relative to industry benchmarks, the DBIR’s methodology provides actionable context. Unlike vendor-specific threat reports that may carry inherent biases, Verizon’s multi-source approach offers a more balanced perspective. Security teams can leverage these findings to prioritize investments, justify budget requests, and align defensive strategies with the threats most likely to impact their specific industry and region. Reports like the Deloitte manufacturing cybersecurity analysis complement the DBIR’s findings with sector-specific deep dives.

Credential Abuse and Vulnerability Exploitation Trends

The 2025 DBIR reveals a significant evolution in how attackers gain initial access to organizational networks. Among non-error, non-misuse breaches (n=9,891), credential abuse remains the leading initial access vector at 22%, but exploitation of vulnerabilities has surged to 20% — representing a 34% increase from the previous year. Phishing rounds out the top three at 16%, maintaining its position as a persistent social engineering threat.

The near-convergence of credential abuse and vulnerability exploitation marks a watershed moment in cybersecurity. For years, stolen credentials dominated the initial access landscape, with exploitation of vulnerabilities trailing significantly behind. The 2025 data suggests that organizations face a dual threat requiring simultaneous investment in both identity security and vulnerability management programs. This trend aligns with findings from the NIST National Vulnerability Database, which has documented a steady increase in the number of published CVEs year over year.

The practical implication is clear: organizations can no longer rely solely on password policies and multi-factor authentication to prevent breaches. While credential hygiene remains essential, the rapid growth in vulnerability exploitation demands equal attention to patch management, especially for internet-facing assets. The median time to remediate vulnerabilities stands at 32 days — a window that sophisticated threat actors routinely exploit. Security teams must adopt risk-based vulnerability prioritization, focusing remediation efforts on assets with the highest exposure and business criticality.

Furthermore, the convergence of these attack vectors creates compounding risk. Attackers who exploit a vulnerability to gain initial access often pivot to credential harvesting within the compromised environment, enabling lateral movement and persistence. This chain of events frequently culminates in ransomware deployment or data exfiltration, making early detection and rapid response capabilities essential components of any modern security program.

Ransomware Growth: Statistics and Payment Trends

Ransomware continues its relentless expansion across the threat landscape. The 2025 DBIR reports ransomware present in 44% of all breaches reviewed, a dramatic increase from 32% the previous year — representing a 37% year-over-year surge. This growth trajectory, which has seen ransomware climb from approximately 10% of breaches around 2021 to its current 44%, shows no signs of plateauing and represents one of the most significant cybersecurity challenges facing organizations worldwide.

However, the economics of ransomware are shifting in ways that offer cautious optimism. The median ransom payment has declined to $115,000, down from $150,000 the previous year — a 23% reduction. More importantly, 64% of victim organizations chose not to pay ransoms, up from 50% two years ago. This growing resistance to ransom payments reflects improved organizational preparedness, better backup strategies, and increasing awareness that payment does not guarantee data recovery or prevent future attacks.

The disproportionate impact on small and medium businesses demands particular attention. Ransomware appeared in a staggering 88% of SMB breaches, compared to 39% for larger organizations. This disparity highlights the resource gap that smaller companies face in implementing robust cybersecurity defenses. SMBs often lack dedicated security teams, advanced endpoint protection, and tested incident response plans — making them attractive targets for ransomware operators who calculate that these organizations are more likely to pay quickly to resume operations. Research from CISA’s StopRansomware initiative provides free resources specifically designed to help smaller organizations build resilience against these attacks.

Third-Party Risk and Supply Chain Breaches

Perhaps the most alarming finding in the 2025 DBIR is the dramatic escalation of third-party involvement in data breaches. A full 30% of breaches involved a third party — including software vulnerabilities, partner ecosystem compromises, and supply chain attacks — doubling from 15% the previous year. This doubling represents a fundamental shift in the threat landscape that requires organizations to rethink their approach to vendor and partner security management.

The third-party risk problem extends well beyond traditional vendor management questionnaires and annual security assessments. The DBIR reveals that the median time to remediate leaked secrets discovered in GitHub repositories stands at a concerning 94 days. This means that when developer credentials, API keys, or configuration secrets are accidentally committed to public or shared repositories, organizations have a nearly three-month window of exposure during which attackers can discover and exploit these credentials.

Modern software development practices — with their heavy reliance on open-source libraries, cloud services, and continuous integration pipelines — create an expansive attack surface that traditional security perimeters cannot adequately protect. Each software dependency, cloud API integration, and third-party service connection represents a potential entry point for attackers. The doubling of third-party involvement in breaches suggests that threat actors are increasingly targeting these interconnections, recognizing that a single compromise in a widely used software library or service can cascade across thousands of downstream organizations.

To address this growing risk, organizations need to implement continuous monitoring of their third-party ecosystem, including automated scanning for exposed credentials, software composition analysis for vulnerable dependencies, and real-time assessment of vendor security posture. The shift from point-in-time assessments to continuous third-party risk monitoring is no longer optional — it is a business imperative driven by the data in this report. Understanding these findings through interactive formats can accelerate organizational awareness; the cybersecurity risk assessment interactive guide offers a practical framework for getting started.
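
One way to implement the automated scanning for exposed credentials recommended above, with each hit aged against the 94-day median the report gives for leaked secrets. This is an added example, not code from the DBIR or from this article; the rule set, the entropy threshold, the commit record layout and the sample commits are assumptions constructed for illustration, and the AWS key is the vendor's documented example value.

```python
import math
import re
from collections import Counter
from datetime import date

MEDIAN_SECRET_REMEDIATION_DAYS = 94  # median quoted from the 2025 DBIR above
MIN_ENTROPY = 3.0  # bits per character; assumed cut-off that drops placeholder values

# Assumed rule set: two well-known public formats plus one heuristic rule.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}

# Constructed sample input: lines added by three commits (ids are placeholders).
TODAY = date(2025, 5, 10)
SAMPLE_COMMITS = [
    {"id": "commit-A", "repo": "example-org/billing", "committed": date(2025, 1, 10),
     "added_lines": ['aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"', 'region = "us-east-1"']},
    {"id": "commit-B", "repo": "example-org/web", "committed": date(2025, 4, 20),
     "added_lines": ['password = "changemechangeme"', 'API_KEY = "q7Zp2LxV9rTb4WmK8sNd"']},
    {"id": "commit-C", "repo": "example-org/infra", "committed": date(2025, 5, 1),
     "added_lines": ["-----BEGIN RSA PRIVATE KEY-----"]},
]


def shannon_entropy(value):
    """Bits of entropy per character; low values indicate filler such as 'changeme'."""
    total = len(value)
    return -sum((n / total) * math.log2(n / total) for n in Counter(value).values())


def triage_commits(commits, today):
    """Return one finding per matching line, oldest exposure first."""
    findings = []
    for commit in commits:
        days_exposed = (today - commit["committed"]).days
        for lineno, line in enumerate(commit["added_lines"], start=1):
            for rule, pattern in RULES.items():
                match = pattern.search(line)
                if not match:
                    continue
                value = match.group(1)
                # Only the heuristic rule needs the entropy filter.
                if rule == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                    continue
                findings.append({
                    "repo": commit["repo"],
                    "commit": commit["id"],
                    "line": lineno,
                    "rule": rule,
                    "preview": value[:4] + "***",  # never store the full secret in a report
                    "days_exposed": days_exposed,
                    "over_median": days_exposed > MEDIAN_SECRET_REMEDIATION_DAYS,
                })
                break  # one finding per line is enough to trigger rotation
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


if __name__ == "__main__":
    for finding in triage_commits(SAMPLE_COMMITS, TODAY):
        print(finding)
```

A finding means the credential must be rotated at the issuer; deleting the line from the repository does not remove it from history or from clones.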

Edge Device and VPN Security Vulnerabilities

One of the most dramatic findings in the 2025 DBIR is the explosive growth in attacks targeting edge devices and VPNs. These perimeter technologies — which include firewalls, VPN concentrators, and other network gateway appliances — saw targeting increase almost eight-fold, jumping from 3% to 22% of all vulnerability exploitation actions. This trend reflects a strategic shift by threat actors toward the devices that sit at the boundary between internal networks and the internet.

The appeal of edge devices to attackers is straightforward: these systems are internet-facing by design, often run with elevated privileges, and frequently lack the endpoint detection and response capabilities deployed on servers and workstations. When a zero-day vulnerability is discovered in a popular VPN appliance or firewall, attackers can scan the entire internet to identify vulnerable instances and launch exploitation campaigns at scale. The 2025 DBIR data confirms that this is exactly what threat actors have been doing, with devastating effectiveness.

Compounding this problem is the remediation gap. The report reveals that only approximately 54% of edge device vulnerabilities were fully remediated throughout the year, with a median remediation time of 32 days. This means that nearly half of known vulnerabilities in perimeter devices remain unpatched, creating persistent attack surfaces that adversaries can exploit repeatedly. The CISA Known Exploited Vulnerabilities Catalog provides a prioritized list of vulnerabilities that should be remediated first.

Organizations must prioritize edge device security as a critical component of their defensive strategy. This includes implementing aggressive patching schedules for perimeter devices, deploying network segmentation to limit the blast radius of a compromised edge device, and establishing monitoring capabilities specifically designed to detect exploitation attempts against these assets. Where possible, organizations should also evaluate whether legacy VPN architectures can be replaced with zero-trust network access solutions that reduce reliance on perimeter-based security controls.
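
The risk-based prioritization described in this section and in the earlier discussion of patch management can be expressed as a small scoring queue. This is an added example, not a method from the DBIR or from this article; the weights, the SLA tiers, the Finding fields and the sample findings (with placeholder vulnerability ids) are assumptions, and only the 32-day median comes from the report.

```python
from dataclasses import dataclass
from datetime import date

MEDIAN_REMEDIATION_DAYS = 32  # median quoted from the 2025 DBIR in this article


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # placeholder ids below, not real CVE numbers
    asset: str
    asset_class: str       # "edge", "server" or "workstation"
    internet_facing: bool
    criticality: int       # business criticality, 1 (low) to 5 (high)
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities Catalog
    first_seen: date


# Constructed sample findings for illustration.
TODAY = date(2025, 5, 10)
SAMPLE_FINDINGS = [
    Finding("VULN-PLACEHOLDER-2", "hr-app-01", "server", False, 3, True, date(2025, 5, 1)),
    Finding("VULN-PLACEHOLDER-4", "dev-laptop-22", "workstation", False, 1, False, date(2025, 5, 5)),
    Finding("VULN-PLACEHOLDER-1", "vpn-gw-01", "edge", True, 5, True, date(2025, 4, 1)),
    Finding("VULN-PLACEHOLDER-3", "fw-branch-07", "edge", True, 4, False, date(2025, 3, 1)),
]


def sla_days(finding):
    """Assumed SLA tiers: known-exploited and exposed first, report median as the ceiling."""
    if finding.in_kev and finding.internet_facing:
        return 7
    if finding.in_kev or finding.internet_facing:
        return 14
    return MEDIAN_REMEDIATION_DAYS


def score(finding, today):
    """Assumed additive weights: exploitation evidence, exposure, asset class, impact, age."""
    age = (today - finding.first_seen).days
    points = 4 * finding.criticality
    points += 40 if finding.in_kev else 0
    points += 25 if finding.internet_facing else 0
    points += 10 if finding.asset_class == "edge" else 0
    points += 5 if age > MEDIAN_REMEDIATION_DAYS else 0
    return points


def build_queue(findings, today):
    """Return remediation rows ordered by score, then by age, highest first."""
    rows = []
    for finding in findings:
        age = (today - finding.first_seen).days
        rows.append({
            "vuln_id": finding.vuln_id,
            "asset": finding.asset,
            "score": score(finding, today),
            "age_days": age,
            "sla_days": sla_days(finding),
            "overdue": age > sla_days(finding),
        })
    return sorted(rows, key=lambda row: (-row["score"], -row["age_days"]))


if __name__ == "__main__":
    for row in build_queue(SAMPLE_FINDINGS, TODAY):
        print(row)
```

In the sample data the unpatched firewall outranks the KEV-listed internal server because it is both exposed and older than the 32-day median; a different weighting would change that order, which is why the weights should be agreed with asset owners.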

Industry-Specific Data Breach Patterns

The 2025 DBIR provides granular insights into how data breaches manifest differently across industries, enabling sector-specific security strategies. Manufacturing experienced the most dramatic shift, with espionage-motivated breaches surging from 3% to 20% — roughly a seven-fold increase. Over 90% of breached manufacturing organizations were SMBs with fewer than 1,000 employees, and internal data (sensitive plans, engineering reports, proprietary communications) was the most commonly stolen data type at 64% of breaches.

Healthcare saw 1,710 incidents and 1,542 confirmed breaches, with System Intrusion — including ransomware — overtaking Miscellaneous Errors as the top breach pattern. This transition is significant because it indicates that healthcare organizations, while historically plagued by accidental data exposure, now face predominantly intentional and sophisticated attacks. Medical data was compromised in 45% of healthcare breaches, with financial motivation driving 90% of incidents. The rise of espionage-motivated attacks in healthcare (16%) is particularly concerning given the sensitive nature of patient data and research information.

Financial services reported 3,336 incidents with 927 confirmed breaches, maintaining System Intrusion as the dominant pattern. The sector saw personal data compromised in 54% of breaches and credentials exposed in 22%. Meanwhile, the public sector experienced ransomware in 30% of breaches across all levels of government, with misdelivery remaining the leading error type. Retail saw an interesting evolution: the focus of attacks shifted away from payment card data toward other data types, with internal data compromised in 65% of retail breaches compared to just 12% involving payment information.

Among the additional industry verticals analyzed, utilities stands out with a remarkable 66% espionage motive — the highest of any sector. The Information sector reported 36% espionage-motivated attacks, and even traditionally lower-risk sectors like construction (23%) and entertainment (18%) showed non-trivial espionage activity. These findings suggest that state-sponsored actors are casting a wider net across industries, seeking intellectual property, strategic intelligence, and operational leverage wherever opportunities arise.

Espionage-Motivated Cybersecurity Threats

The 2025 DBIR documents a significant increase in espionage-motivated breaches, which now account for 17% of all breaches (n=8,045). This rise reflects both changes in contributor makeup and a genuine expansion of state-sponsored cyber operations across multiple sectors and geographies. Notably, espionage-motivated breaches relied on exploitation of vulnerabilities as their initial access vector a striking 70% of the time — far exceeding the overall average.

An intriguing finding is the apparent dual-motivation pattern among state-sponsored actors. Approximately 28% of incidents involving state-sponsored threat actors had a financial motive alongside their espionage objectives. This “double-dipping” suggests that some nation-state operators are monetizing their access through ransomware deployment or data theft for financial gain, blurring the traditional line between espionage and cybercrime. This convergence complicates attribution and incident response, as organizations must consider both intelligence-gathering and financially motivated threat models.

Regional variations in espionage activity are pronounced. The Asia-Pacific region reported espionage motivation in 34% of breaches, the highest of any region, while Latin America and the Caribbean saw 27%. EMEA reported 18% espionage motivation, and North America, despite its high incident volume, had the lowest espionage percentage at 9% — though this still represents a substantial number of breaches given the region’s 6,361 total incidents. As noted by the Office of the Director of National Intelligence, state-sponsored cyber operations continue to evolve in sophistication and scope.

For organizations operating in sectors with elevated espionage risk — particularly utilities (66%), information technology (36%), other services (31%), and manufacturing (20%) — the implications are substantial. These entities must adopt threat-informed defense strategies that account for the persistence, resource levels, and technical capabilities of state-sponsored actors. This includes deploying advanced threat detection tools, implementing rigorous access controls, conducting regular threat hunting exercises, and maintaining close relationships with government cybersecurity agencies that can share threat intelligence relevant to their sector.

Generative AI and Emerging Threat Vectors

The 2025 DBIR addresses the growing role of generative AI in the cybersecurity threat landscape, providing data-driven insights that cut through both hype and dismissiveness. The report found that synthetically generated text in malicious emails has doubled over the past two years, indicating that threat actors are actively leveraging AI to enhance their phishing and social engineering campaigns. While AI has not yet fundamentally transformed the threat landscape, its adoption by attackers is measurable and accelerating.

On the defensive side, the DBIR highlights significant organizational risks associated with employee use of generative AI systems. The report reveals that 15% of employees routinely accessed GenAI systems on corporate devices — defined as at least once every fifteen days. Among these users, the security implications are concerning: 72% used non-corporate email addresses as their account identifiers, 17% used corporate emails without integrated authentication systems, and only approximately 11% used corporate emails with proper integrated authentication.

This usage pattern creates multiple risk vectors. Employees using personal email accounts to access AI services may be uploading sensitive corporate data — including code, documents, strategic plans, and customer information — to platforms outside the organization’s security perimeter and data governance framework. Without corporate authentication integration, organizations lack visibility into what data is being shared with AI services and cannot enforce data loss prevention policies. The gap between AI adoption speed and security policy implementation represents a growing area of exposure that most organizations have yet to adequately address.

Forward-looking security programs should implement comprehensive AI governance frameworks that include approved AI tool lists, data classification policies for AI interactions, monitoring of AI service usage across corporate devices, and employee education about the risks of sharing sensitive information with external AI platforms. Organizations that embrace AI strategically while managing its risks will be better positioned than those that either ban AI use entirely or ignore the security implications. The AI governance enterprise guide provides a practical starting framework for building these capabilities.

Infostealer Malware and Credential Hygiene

The 2025 DBIR sheds light on the growing threat of infostealer malware and its role in enabling broader cyberattacks. The report found that 30% of compromised systems appearing in infostealer logs were identifiable as enterprise-licensed devices, indicating that corporate environments are heavily represented in credential theft operations. Even more concerning, 46% of compromised systems with corporate login credentials were non-managed devices — likely personal computers or BYOD devices that hosted both personal and business credentials.

The link between infostealers and ransomware is particularly noteworthy. Among ransomware victims whose data was disclosed in 2024, 54% had their organizational domains appear in credential marketplace dumps, and 40% had corporate email addresses among the compromised credentials. This correlation suggests that stolen credentials from infostealer operations are being sold through access broker marketplaces and subsequently used by ransomware operators to gain initial access to victim networks.

The BYOD credential commingling problem represents a systemic challenge. When employees use personal devices to access corporate resources — or when corporate devices are used for personal activities — the resulting mixture of credentials creates opportunities for attackers to pivot from consumer-grade compromises into corporate environments. An infostealer infection on a personal device that also contains corporate VPN credentials, email passwords, or cloud service tokens can provide direct access to organizational resources without triggering corporate security controls.

Addressing the infostealer threat requires a multi-layered approach: implementing passwordless authentication where possible, deploying endpoint detection and response on all devices accessing corporate resources, monitoring dark web and credential marketplace intelligence for organizational exposure, enforcing device compliance requirements for corporate resource access, and educating employees about the risks of credential reuse across personal and professional contexts. Organizations should also consider implementing hardware security keys or FIDO2-compliant authentication methods that are resistant to credential theft by design.
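
The monitoring and device-compliance steps above meet when a credential-marketplace feed is matched against the organization's domains and device inventory. This is an added example, not code from the DBIR or from this article; the record fields, CORP_DOMAINS, MANAGED_HOSTS, the response actions and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

CORP_DOMAINS = {"example.com"}                  # assumption: domains the organization owns
MANAGED_HOSTS = {"LT-FIN-0142", "LT-ENG-0310"}  # assumption: hostnames from the MDM/EDR inventory

# Constructed sample records in the shape of a parsed infostealer-log feed.
SAMPLE_RECORDS = [
    {"hostname": "LT-FIN-0142", "url": "https://vpn.example.com/login", "username": "alice@example.com"},
    {"hostname": "DESKTOP-HOME7", "url": "https://mail.example.com/", "username": "bob@example.com"},
    {"hostname": "DESKTOP-HOME7", "url": "https://shop.example.net/account", "username": "bob.personal@example.org"},
    {"hostname": "DESKTOP-HOME7", "url": "https://sso.example.com/", "username": "bob"},
    {"hostname": "GAMING-PC", "url": "https://forum.example.net", "username": "carol99"},
]


def in_corp_domain(domain):
    """Exact or subdomain match, so 'notexample.com' does not match 'example.com'."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in CORP_DOMAINS)


def is_corporate(record):
    """A credential is corporate if the login site or the e-mail identity is ours."""
    site = urlsplit(record["url"]).hostname or ""
    user = record["username"]
    user_domain = user.rpartition("@")[2] if "@" in user else ""
    return in_corp_domain(site) or in_corp_domain(user_domain)


def triage_stealer_records(records):
    """Group records by infected device and report only devices holding corporate logins."""
    devices = defaultdict(lambda: {"corp": set(), "personal": 0})
    for record in records:
        device = devices[record["hostname"].upper()]
        if is_corporate(record):
            device["corp"].add(record["username"].lower())
        else:
            device["personal"] += 1

    report = {}
    for host, device in devices.items():
        if not device["corp"]:
            continue  # infection is real but exposes no corporate credential
        managed = host in MANAGED_HOSTS
        report[host] = {
            "managed": managed,
            "accounts_to_reset": sorted(device["corp"]),
            # Personal and corporate logins on one device: the commingling case.
            "commingled": device["personal"] > 0,
            "action": "isolate via EDR and reimage" if managed
                      else "block access until the device is compliant",
        }
    return report


if __name__ == "__main__":
    for host, entry in triage_stealer_records(SAMPLE_RECORDS).items():
        print(host, entry)
```

Resetting the password is not sufficient on its own for these accounts, because stealer logs commonly include session cookies and tokens; active sessions should be revoked as well.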

Building Cyber Resilience: Lessons from the 2025 DBIR

The Verizon 2025 DBIR paints a picture of a threat landscape that is growing more complex, more interconnected, and more impactful with each passing year. The record number of confirmed breaches, the surge in ransomware, the doubling of third-party risk, and the explosive growth in edge device exploitation collectively demand that organizations fundamentally reassess their cybersecurity strategies. Incremental improvements to existing programs are no longer sufficient to address the scale and sophistication of modern threats.

Building genuine cyber resilience requires organizations to adopt a risk-based approach that prioritizes the threats most likely to impact their specific industry, geography, and technology environment. The DBIR data provides the statistical foundation for this prioritization. A manufacturing company should weight espionage-driven threats and intellectual property protection more heavily than a financial services firm, which should focus on credential protection and application security. Healthcare organizations must address the dual challenge of ransomware defense and regulatory compliance, while public sector entities need to account for both financially motivated attacks and state-sponsored operations.

The human element, present in 60% of breaches, underscores that technology alone cannot solve the cybersecurity challenge. Organizations must invest in security awareness programs that go beyond annual compliance training to build genuine security culture. This includes regular phishing simulations, incident response tabletop exercises, role-specific security training for developers and IT administrators, and executive education programs that ensure leadership understands and supports the organization’s security posture.

Ultimately, the 2025 DBIR demonstrates that cybersecurity is not merely a technical problem — it is a business risk that requires strategic leadership, adequate investment, and organizational commitment. The organizations that will weather the coming years most effectively are those that treat cybersecurity as a core business function, integrate security considerations into every aspect of their operations, and build the resilience to detect, respond to, and recover from the inevitable breach. As the report’s data makes clear, it is no longer a question of whether an organization will face a significant cyber incident, but when — and how prepared it will be to respond.

Frequently Asked Questions

What are the key findings of the Verizon 2025 DBIR?

The Verizon 2025 DBIR analyzed 22,052 incidents and 12,195 confirmed breaches across 139 countries. Key findings include ransomware appearing in 44% of breaches (up 37%), vulnerability exploitation growing 34% to reach 20% of initial access vectors, third-party involvement doubling to 30%, and credential abuse remaining the top attack vector at 22%.

How much did ransomware attacks increase in the 2025 DBIR?

Ransomware was present in 44% of all breaches reviewed in the 2025 DBIR, up from 32% the previous year — a 37% increase. However, the median ransom payment dropped to $115,000 from $150,000, and 64% of victim organizations refused to pay, up from 50% two years prior. Small and medium businesses were disproportionately affected, with ransomware present in 88% of their breaches.

What is the biggest cybersecurity threat according to Verizon DBIR 2025?

While credential abuse remains the most common initial access vector at 22%, the fastest-growing threat is exploitation of vulnerabilities, which surged 34% to reach 20% of breaches. Edge device and VPN targeting grew almost eight-fold, from 3% to 22% of vulnerability exploitation actions, making unpatched perimeter devices a critical risk area for organizations.

How does third-party risk factor into the 2025 DBIR data breach statistics?

Third-party involvement in breaches doubled from 15% to 30% in the 2025 DBIR. This includes software supply chain vulnerabilities and partner ecosystem compromises. The median time to remediate leaked secrets discovered in GitHub repositories was 94 days, highlighting the challenge of managing third-party and developer credential exposure across modern software environments.

What industries are most affected by data breaches in 2025?

The 2025 DBIR found manufacturing experienced a dramatic rise in espionage-motivated breaches from 3% to 20%. Healthcare saw 1,710 incidents with ransomware overtaking miscellaneous errors as the top pattern. Financial services reported 3,336 incidents, while the public sector saw ransomware in 30% of breaches. Utilities had the highest espionage motive at 66% of breaches.

What role does generative AI play in cybersecurity threats according to the DBIR?

The 2025 DBIR found that synthetically generated text in malicious emails has doubled over the past two years. Additionally, 15% of employees routinely accessed GenAI systems on corporate devices, with 72% using non-corporate emails as identifiers — creating significant data leakage risks. While AI has not yet taken over the threat landscape, it is increasingly used by threat actors for phishing and social engineering.
