
Verizon DBIR: Surge in Vulnerability Exploitation and Healthcare Espionage Breaches

The Verizon 2025 Data Breach Investigations Report has revealed a sharp rise in vulnerability exploitation for initial access to victim networks, which increased by 34% to 20% of all breaches, almost as many as the 22% involving compromised credentials. Phishing was the third most common initial access vector, used in 16% of all breaches.

Verizon has been publishing its DBIR reports for 18 years, and this year’s report is based on 22,052 security incidents in 139 countries between November 1, 2023, and October 31, 2024. The data comes from the investigations conducted by the Verizon Threat Research Advisory Center and anonymized data provided by partners such as the Federal Bureau of Investigation, the UK National Crime Agency, CERT-EU, and several others. The data for the report includes security incidents and breaches, with the former consisting of a security event that compromises the integrity, confidentiality, or availability of an information asset, whereas a breach involves unauthorized data access. Out of the 22,052 security incidents included in the data, 12,195 were confirmed breaches involving unauthorized access to sensitive data.

The increase in vulnerability exploitation was driven, in part, by zero-day exploits to gain access to edge and VPN devices, which accounted for 22% of all vulnerability exploitation incidents, up from 3% the previous year. Verizon reports that only about 54% of vulnerabilities in edge and VPN devices were fully remediated throughout the year, with a 32-day median time for remediation, highlighting the difficulty organizations have with fixing vulnerabilities in edge devices.

Ransomware attacks increased last year, with ransomware used in 44% of confirmed breaches, an increase of 37% from the previous year. Ransomware was much more commonly used in cyberattacks on small and medium-sized organizations (88%) rather than large organizations (44%). While attacks increased, the number of victims paying ransoms decreased, as did the amount paid. In 2024, 36% of victims of ransomware attacks paid the ransom, down from 50% the previous year, and the median ransom payment dropped from $150,000 to $115,000.


While it is difficult to determine the extent to which information stealer malware is used to steal credentials, an analysis of infostealer credential logs showed that 30% of the compromised systems were enterprise-licensed devices, although 46% were non-managed, which suggests they are used under a BYOD program or outside of permissible policy. 54% of ransomware victims had their domains show up in credential dumps, and 40% of victims had corporate email addresses among the compromised credentials, which suggests that those credentials may have been leveraged in ransomware attacks and hints at initial access broker involvement.

The number of breaches involving the human factor has remained fairly consistent year-over-year at around 60% of all breaches. There was a notable rise in breaches involving a third party, which increased from 15% in 2023 to 30% in 2024. Cyberespionage incidents also increased considerably last year and accounted for 17% of breaches, with 70% of cyberespionage breaches using vulnerability exploitation as the initial access vector. Traditionally, cyberespionage incidents by nation-state actors have been solely concerned with information theft; however, this year, almost 3 out of 10 of those attacks also involved a financial motive, especially attacks by threat actors from North Korea and Iran.

Verizon’s data includes 1,710 security incidents at healthcare organizations and 1,542 healthcare breaches. Last year, miscellaneous errors accounted for the majority of breaches, but they declined considerably in 2024 as system intrusions increased. 67% of breaches were attributed to external actors, 30% to insiders, 4% to partners, and 1% involved multiple actors. The vast majority of attacks on the sector (90%) were financially motivated, although 16% involved an espionage motive. The increase in espionage as a motive is a concern: an espionage motive was present in 1% of breaches in 2023, a massive jump to 16% in 2024. Verizon warns that espionage-focused attacks could be conducted by a new type of threat actor, one that is harder to detect than the ransomware groups that have plagued the industry for years.

Patterns in healthcare data breach incidents. Source: Verizon 2025 DBIR

Patterns in healthcare data breaches. Source: Verizon 2025 DBIR

As the spaghetti chart shows, there was a significant increase in the Everything Else category in 2024, in which breaches are placed when they do not fit into any of the other categories, often due to a lack of information. Information about healthcare data breaches is often gained from breach notification letters, which frequently lack any significant detail about the cause of the breach, a trend that The HIPAA Journal has reported on many times. From the perspective of a breach victim, they are not given sufficient information to gauge the level of risk they face; from a classification perspective, it is difficult to determine the nature of these incidents, and therefore the best steps the industry can take to address the most common causes of breaches.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
