The 2025 Data Breach Investigations Report Has Arrived!

It’s here! Verizon’s 18th annual Data Breach Investigations Report (DBIR)! Whether you’re a seasoned cybersecurity professional or new to the field, this report offers a comprehensive look at the cybercrime landscape and provides insights to help protect your organization.

A Legacy of Insight: The DBIR and VERIS

For nearly two decades, the DBIR has served as a vital resource for understanding the trends and patterns in data breaches and security incidents. What sets this report apart is its breadth of data collection, drawing on anonymized cybersecurity incident data from almost a hundred data contributors globally, including incident response firms, forensics companies, law enforcement, and cyber insurance providers. This collaborative effort aims to get closer to the “Truth” of what is happening in the threat landscape.

A critical foundation for the DBIR’s statistical analysis is the Vocabulary for Event Recording and Incident Sharing (VERIS) framework. This year marks the 15th anniversary of the VERIS framework, which was introduced in 2010 and has become essential for collecting and analyzing incident data from disparate sources. Organizations across industries and the Public Sector leverage versions of VERIS for security incident recording and risk management. The report sections are often structured around the four main components of the VERIS framework: Actors, Actions, Assets, and Attributes.

Navigating the Latest Findings

The 2025 DBIR analyzed more than 12,000 breaches and 22,052 security incidents. The analysis in this edition primarily focuses on incidents that took place between November 1, 2023, and October 31, 2024. The report is organized into sections covering overall results and analysis, incident classification patterns, specific industries, focused analysis on small- and medium-sized businesses (SMBs) and the Public Sector, and regional analysis.

Key Takeaways from the 2025 DBIR

This year’s report highlights several overarching themes and persistent challenges in the threat landscape. Here are some of the top takeaways:

  • Third-Party Involvement is Soaring: A significant theme woven throughout this year’s report, and even featured on the cover, is the increasing role of third parties in breaches. The report found some form of third-party involvement in 30% of all analyzed breaches, a notable increase from roughly 15% last year. System Intrusion is the most prevalent pattern seen in breaches involving a third party. Managing credentials in environments you don’t control and considering vendor security limitations are crucial. Organizations are advised to make positive security outcomes from vendors an important part of procurement and have plans for repeat offenders.
  • Top Incident Classification Patterns: For 2025 data, the most prevalent Incident Classification Patterns in breaches were System Intrusion (53%), followed by Miscellaneous Errors (12%), Social Engineering (17%), Basic Web Application Attacks (12%), and Privilege Misuse (6%).
  • Ransomware Remains a Scourge: Ransomware continues to be a major problem, growing yet again as a percentage of breaches. It accounts for 75% of breaches within the System Intrusion pattern. Ransomware affects organizations across all industries and does not discriminate based on industry vertical. The most prevalent discovery method for ransomware breaches is Actor disclosure, where the threat actor notifies the victim (and often others) by dropping a ransom note.
  • The Enduring Problem of Stolen Credentials: Credential abuse is consistently identified as a top initial access vector. The Basic Web Application Attacks pattern heavily involves the Use of stolen credentials (88%), sometimes alongside brute force attacks. The report delves into the ecosystem of stolen credentials available via infostealers and online marketplaces. An estimated 30% of compromised systems found in these marketplaces are believed to be Enterprise-licensed devices. Data suggests that leveraging stolen credentials from infostealers is a key tactic used by some ransomware operators; for instance, 54% of ransomware victims examined had their domains in infostealer logs or marketplace postings, with 40% of those logs containing corporate email addresses.
  • Edge Device Vulnerabilities Exploited Rapidly: Exploitation of vulnerabilities, particularly those targeting edge devices, is a growing concern. While organizations are prioritizing patching these edge vulnerabilities (54% are fully remediated compared to 38% for all CISA KEVs and 9% for all vulnerabilities identified in scans), the threat is the speed of exploitation. The median time for a vulnerability in the sampled edge device subset to be mass exploited after its CVE publication was zero days.
  • The Human Element Persists: The human element continues to play a significant role in breaches. Beyond traditional phishing and pretexting, the report notes the emergence of Prompt bombing, where users are bombarded with MFA login requests, showing up in over 20% of Social attacks this year. User awareness and security training focused on reporting suspect social attacks remain one of the most important controls.
  • Generative AI’s Emerging Role: While GenAI hasn’t revolutionized the threat landscape overnight, there is evidence of its use by threat actors, as reported by the AI platforms themselves. Notably, the amount of synthetically generated text in malicious emails has doubled over the past two years. Corporate data leakage is a concern, as employees access GenAI systems on corporate devices, often outside of integrated authentication systems.
  • SMBs are Not Exempt from Ransomware: Contrary to a common misconception, ransomware groups actively target small- and medium-sized businesses just like large organizations, adjusting their ransom demands accordingly. SMBs may also be less likely to have robust backups. A single breach at a small entity, depending on the data they handle, can have a massive impact on data victims.
  • Public Sector Faces Persistent Threats: The Public Sector continues to face significant challenges. Ransomware remains a major threat, involved in 30% of breaches across all levels of government. Miscellaneous Errors, such as Misdelivery, are also persistent issues. The top three patterns in Public Sector breaches remain consistent over time regardless of the size of the attacked entity.

To effectively achieve a reasonable level of security in our interconnected world, collaboration, transparency, and increased information sharing are essential. This report is a testament to the hard work and collaboration of human threat intelligence professionals and contributing organizations.

Explore the full report for detailed analysis, industry-specific insights, regional breakdowns, and valuable mitigation strategies.

Download the Verizon 2025 Data Breach Investigations Report today!
