Sunday, April 27, 2025

2025 Verizon Data Breach Investigations Report (DBIR)


https://www.verizon.com/business/resources/T110/reports/2025-dbir-data-breach-investigations-report.pdf


Summary of the 2025 Verizon Data Breach Investigations Report (DBIR), organized into topics and tables where appropriate:

1. Key Findings

  • Third-Party Involvement: Third-party relationships play a significant role in how and why breaches occur. This has become a widespread issue, with software vendors unintentionally increasing the attack surface.

  • Exploitation of Vulnerabilities: This remains a significant initial access vector for breaches, growing to 20% and approaching the frequency of credential abuse. There was a notable rise in exploits targeting edge devices and VPNs.

  • Ransomware: Ransomware continues to be a prevalent issue, increasing as a percentage of breaches.

  • Credential Abuse: Credential abuse remains the most common initial access vector.

  • Initial Access Vectors:

    | Initial Access Vector | Percentage |
    | :-------------------------- | :--------- |
    | Credential Abuse | 22% |
    | Exploitation of Vulnerabilities | 20% |
    | Phishing | 16% |

    • Exploitation of vulnerabilities has increased, while phishing has decreased.

  • Infostealer Malware:

    • Analysis of infostealer malware logs shows that a significant percentage of compromised systems were enterprise-licensed devices.

    • A large percentage of compromised systems with corporate logins were non-managed, likely due to BYOD practices.

    • A notable percentage of victims disclosed by ransomware actors had their domains or corporate email addresses appear in infostealer credential dumps.

2. Report Structure and Methodology

  • Sections: The report is divided into three main sections:

    • Results and Analysis: Focuses on the overall trends and data.

    • Incident Classification Patterns: Subdivides data into common incident types.

    • Industries, Focused Analysis, and Regions: Provides specific analysis for different sectors and areas, including SMBs and the Public Sector.

  • VERIS Framework: The report uses the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to standardize the collection and analysis of incident data.

  • Key VERIS Terms:

    • Threat Actor: The entity behind the event.

    • Threat Action: The tactics used to affect an asset (e.g., Malware, Hacking, Social Engineering).

    • Variety: More specific classifications of threat actions.

  • Incident vs. Breach:

    • Incident: A security event that compromises confidentiality, integrity, or availability.

    • Breach: An incident resulting in confirmed disclosure of data to an unauthorized party.

  • Data Set: The 2025 DBIR analyzed 22,052 security incidents, with 12,195 confirmed data breaches.

  • Uncertainty in Data: The report emphasizes the inherent uncertainty in cybersecurity data through its visualizations.
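
The incident/breach distinction and the actor/action/variety terms above, applied to records (an added example, not taken from the DBIR or from this post). The records are constructed and use a reduced subset of VERIS-style JSON fields; treating only `data_disclosure == "Yes"` as confirmed disclosure is the assumption made here.

```python
from collections import Counter

# Constructed sample records: a reduced subset of VERIS-style fields (assumption).
RECORDS = [
    {"incident_id": "demo-1",
     "actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["Use of stolen creds"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "demo-2",
     "actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["Exploit vuln"]},
                "malware": {"variety": ["Ransomware"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "demo-3",
     "actor": {"external": {"variety": ["Unknown"]}},
     "action": {"hacking": {"variety": ["DoS"]}},
     "attribute": {"availability": {"variety": ["Interruption"]}}},
    {"incident_id": "demo-4",
     "actor": {"external": {"variety": ["Unknown"]}},
     "action": {"social": {"variety": ["Phishing"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Potentially"}}},
]

def is_breach(record):
    """Breach = incident with confirmed disclosure; 'Potentially' stays an incident."""
    conf = record.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"

def action_varieties(record):
    """Yield (threat action, variety) pairs, e.g. ('hacking', 'Exploit vuln')."""
    for action, detail in record.get("action", {}).items():
        for variety in detail.get("variety", ["Unknown"]):
            yield action, variety

def summarize(records):
    """Count incidents and breaches, and tally action varieties seen in breaches."""
    breaches = [r for r in records if is_breach(r)]
    tally = Counter(pair for r in breaches for pair in action_varieties(r))
    return {"incidents": len(records), "breaches": len(breaches), "tally": tally}

if __name__ == "__main__":
    s = summarize(RECORDS)
    print(f"{s['incidents']} incidents, {s['breaches']} breaches")
    for (action, variety), n in s["tally"].most_common():
        print(f"  {action}/{variety}: {n}")
```
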

3. Incident Classification Patterns

  • The report categorizes incidents into patterns like System Intrusion, Social Engineering, and Denial of Service.

  • System Intrusion: Ransomware is a key issue within this pattern.

  • Social Engineering: Phishing and credential abuse are significant factors.

  • Basic Web Application Attacks: These attacks often involve stolen credentials.

  • Denial of Service (DDoS): DDoS attacks are increasing in size and complexity.

4. Vulnerability Remediation

  • Organizations face challenges in remediating vulnerabilities, particularly those affecting edge devices.

  • There's often a significant time gap between the disclosure of a vulnerability and its remediation.

5. Third-Party Risks

  • The report highlights the growing risk posed by third-party involvement in breaches.

  • Third parties can increase the attack surface for organizations. 
