Ransomware Attack Volume Rises But Ransom Payments Fall, Finds Latest Verizon DBIR
Mathew J. Schwartz (euroinfosec)
April 23, 2025
Hackers targeting victims’ networks last year primarily wielded stolen credentials, exploits for known and zero-day vulnerabilities in edge and VPN devices and phishing attacks to gain initial access, according to Verizon’s 2025 Data Breach Investigations Report.
More vulnerabilities are being exploited than ever before to gain initial access. The Wednesday report shows that a fifth of breaches last year – up by one-third from the year before, when they also rose – traced to hackers first exploiting a vulnerability.
“Organizations worked very hard to patch those edge device vulnerabilities, but our analysis showed only about 54% of those were fully remediated throughout the year, and it took a median of 32 days to accomplish,” the report says (see: Hacker Tactics: Exploiting Edge Devices, Missing Multifactor).
This year’s 18th annual DBIR is based on 22,052 real-world security incidents that occurred across 139 countries from Nov. 1, 2023, through Oct. 31, 2024. The information was gathered from Verizon Business’s own investigations as well as from anonymized data shared by a network of partners, including the FBI, Britain’s National Crime Agency, the EU’s CERT-EU cybersecurity service and numerous vendors and other organizations.
Of those incidents, a record-setting 12,195 were confirmed data breaches, defined by the report as meaning the data was exposed “to an unauthorized party.”
Many of the non-breach incidents still had a significant impact. “When we created the report years ago, we named it the Data Breach Investigations Report, because largely the big thing everyone cared about was, if your data gets exposed, there’s fines, penalties, regulatory impact and that’ll obviously still exist today,” said Chris Novak, vice president of global cybersecurity solutions at Verizon Business.
At the same time, organizations in manufacturing, energy and utility sectors in particular have networks that touch on operational technology and internet of things devices. If any of them go down and cause disruptions – for example, of a manufacturing line – “that may be more impactful to my business than if employee data was compromised or financial data was compromised,” Novak told Information Security Media Group.
When a data breach occurs, credential theft remains the dominant initial-access tactic, tied to 22% of known breaches, followed by vulnerability exploitation for 20% of breaches and phishing attacks for 16%, the report says.
Many breaches appear to trace to information-stealing malware. Based on studies of infostealer log data being offered for sale, 30% of systems compromised by infostealers appeared to be enterprise-managed devices, while 46% of compromised systems appeared to be employee-managed devices also used for work purposes, for example, via a BYOD program, the report says.
Ransomware Remains a Threat
How many ransomware attacks trace to credentials gleaned via infostealers isn’t clear, although anecdotal evidence suggests there’s a significant correlation. “By examining some of the victims posted to the ransomware extortion sites, we found that 54% of the victims had their domains show up in at least one infostealer log or in marketplace postings and 40% of those logs contained corporate email addresses,” the report says.
Ransomware was a component last year in 44% of all breaches, although the figure was 39% for breaches involving large organizations versus 88% for those involving small and midsize organizations, highlighting differences in cyberdefense maturity and resilience.
One welcome finding: researchers found only one-third of victims paid a ransom, compared to 50% the year before. When a victim paid, they paid less than before too, with the median payment dropping from $150,000 to $115,000.
Rise in Cyberespionage
The researchers said 17% of breaches – likely an underreporting – appeared to be driven by cyberespionage, based on the tools, tactics and procedures employed, and their being tied to known nation-state hacking groups. This level of cyberespionage was a “significant” rise from the last report, and unusually, 28% of the incidents appeared to also include a financial motive.
“Historically, a lot of times we’ve seen state-sponsored attacks being purely just espionage-motivated,” Novak said. “Typically, it’s about stealing state secrets or having the ability to conduct sabotage on a power plant or something like that. It was more about being able to have a finger on a button if you need to push it, versus stealing data to enrich yourself, because most of the time, from a nation-state perspective, it’s not about the monetary elements.”
Novak said attacks with both a cyberespionage and financial motive appeared to trace more to attackers aligned with either North Korea or Iran, and reflected “the general geopolitical frothiness of the world right now,” which he said is “contributing to new dynamics.”
AI Concerns
The past year has seen a marked increase in the use of artificial intelligence tools – including large language models used to build chatbots – and researchers said they also pose a rising data breach risk.
Multiple organizations have approached Verizon Business for help after suffering “mostly self-inflicted” breaches, oftentimes due to “organizations that either have little or no policy, or little or no governance, or little or no monitoring around how it’s working,” Novak said.
What types of breaches have ensued? “The craziest one I probably saw was where an organization’s HR team uploaded all their HR data and wanted to see if it could give them interesting insights into their hiring profiles and their compensation data,” he said. In another case, a pharmaceutical scientist used an AI tool to see if it could accelerate his research. His company only realized that this “exposed intellectual property on some new molecule they were working on that was not public knowledge yet.”