Verizon 2025 DBIR: Third-Party Involvement in Confirmed Security Breaches Doubled

Do you know how secure your vendors are? Are you sure?

Those questions are top of mind after Verizon released its 2025 Data Breach Investigations Report (DBIR) this week, finding that third-party involvement in breaches has doubled to 30 percent.

“Although the involvement of the human element in breaches remained roughly the same as last year, hovering around 60 percent, the percentage of breaches where a third party was involved doubled, going from 15 percent to 30 percent,” according to the report, now in its 18th iteration. “There were notable incidents this year involving credential reuse in a third-party environment—in which our research found the median time to remediate leaked secrets discovered in a GitHub repository was 94 days.”

In a webinar following the report’s release, Alex Pinto, associate director of threat intelligence at Verizon who leads the DBIR research effort, said that a lot of the themes in the 2025 DBIR are built around third-party involvement in incidents and breaches.

“This number includes software vulnerabilities—quote unquote software supply chain—as again, your choice of vendor influences if you are vulnerable or not,” Pinto explained. “We’re really looking at all different aspects of vendor-organizational relationship to make this number.”

Pinto doubled down on calling the trend notable and something that the research team will continue to track.

“We all do business with third parties, but again this interconnectedness is being exploited more and more as we try to do our business and are rudely interrupted by incidents and breaches,” Pinto adds.

The Quick Rundown

Verizon researchers reviewed 22,052 incidents and 12,195 breaches from 139 countries between 1 November 2023 and 31 October 2024 for this latest report. As a note, the DBIR defines incidents and breaches as the following:

  • Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.

  • Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Threat actors. What methods did threat actors use to breach organizations? Top of the list was ransomware (44 percent), followed by stolen credentials (32 percent), exploitation of vulnerabilities (18 percent), phishing (14 percent), and backdoors (14 percent).

External threat actors are increasingly espionage-motivated, accounting for 17 percent of the total breaches reviewed and representing a 163 percent increase from the prior review. Motives for state-sponsored actors in incidents, for instance, were espionage (74 percent), financial (28 percent), and secondary (26 percent).

The DBIR authors explained that this growth was mainly attributed to public cases of espionage and could also be due to the current state of geopolitical tensions worldwide.

“But even as espionage has taken our external actor motives by storm, it would be premature to exclusively associate this to the much-maligned state-sponsored actors (which accounted for 15 percent of external actor varieties),” the DBIR said.

And what were threat actors most interested in acquiring after breaching an organization? Internal data (50 percent), followed by personal data (32 percent), credentials (19 percent), system data (12 percent), and secrets (12 percent).

This year’s DBIR has several key trends that should be top of mind for the ASIS International audience, says Michael Centrella, assistant director of the U.S. Secret Service’s Office of Operations and an ASIS member.

“First, the continued dominance of credential-based attacks and phishing underscores the urgent need for improved identity protection and user awareness training,” Centrella explains. “Second, the rise in supply chain compromises reveals that security perimeters are increasingly porous—emphasizing the need for third-party risk management. Lastly, ransomware remains prevalent, but the report shows a shift toward extortion without encryption—this evolution requires incident response playbooks to adapt accordingly.”

Sector risks. The manufacturing sector was a particularly attractive target for threat actors during the review period, with 3,807 incidents and 1,607 breaches—up from just 849 in the prior report.

“Although the majority of threat actors we see targeting this vertical continue to be financially motivated external actors (87 percent), it is quite interesting that approximately one-fifth (20 percent) of manufacturing breaches had the motive of espionage (compared to only 3 percent last year),” according to the DBIR.

The financial and insurance sector was also a popular target (3,336 incidents and 927 breaches), along with healthcare (1,702 incidents and 1,542 breaches), which is lucrative for threat actors seeking to carry out ransomware attacks.

“Healthcare continues to be a favorite target for this kind of attacker, and the urgent need for access to data in emergency situations only adds to the pressure healthcare organizations feel when their systems are all unavailable and they must resort to more old-school processes,” the DBIR authors wrote.

Edge devices. Another major finding in the report for physical security practitioners is that edge devices and virtual private networks (VPNs) accounted for 22 percent of the targets in exploitation-of-vulnerability attacks, up from just 3 percent last year.

“Organizations worked very hard to patch those edge device vulnerabilities, but our analysis showed only about 54 percent of those were fully remediated throughout the year, and it took a median of 32 days to accomplish,” the report explained.
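The remediation figures quoted on this page (a median of 94 days for leaked GitHub secrets, and 54 percent of edge-device vulnerabilities fully remediated with a median of 32 days) are the same two metrics a defender would want to compute over their own findings to see how they compare. The following is an added example, not code from Verizon or the DBIR; the finding records are constructed, and the category names are assumptions.

```python
from datetime import date
from statistics import median

# DBIR 2025 median days-to-remediate quoted on this page, used only as benchmarks.
DBIR_MEDIAN_DAYS = {"leaked_secret": 94, "edge_device_vuln": 32}

# Constructed sample findings (not real data): category, date discovered,
# date fully remediated (None = still open at the end of the review window).
FINDINGS = [
    ("leaked_secret", date(2024, 1, 10), date(2024, 2, 9)),      # 30 days
    ("leaked_secret", date(2024, 3, 1), date(2024, 9, 17)),      # 200 days
    ("leaked_secret", date(2024, 5, 15), None),                  # never remediated
    ("edge_device_vuln", date(2024, 2, 1), date(2024, 2, 11)),   # 10 days
    ("edge_device_vuln", date(2024, 2, 1), date(2024, 3, 12)),   # 40 days (leap year)
    ("edge_device_vuln", date(2024, 4, 20), date(2024, 5, 20)),  # 30 days
    ("edge_device_vuln", date(2024, 6, 1), None),                # still open
]


def remediation_metrics(findings):
    """Per category: share fully remediated and median days-to-remediate.

    Open findings count against the remediation rate but are excluded from
    the median, which is how a 'fully remediated' figure is normally read.
    """
    by_cat = {}
    for cat, found, fixed in findings:
        by_cat.setdefault(cat, []).append((found, fixed))
    out = {}
    for cat, items in by_cat.items():
        closed = [(fixed - found).days for found, fixed in items if fixed is not None]
        out[cat] = {
            "total": len(items),
            "remediated_pct": round(100 * len(closed) / len(items)),
            "median_days": median(closed) if closed else None,
        }
    return out


def slower_than_dbir(metrics, benchmarks=DBIR_MEDIAN_DAYS):
    """Categories whose median time-to-remediate exceeds the DBIR median."""
    return sorted(cat for cat, m in metrics.items()
                  if m["median_days"] is not None
                  and m["median_days"] > benchmarks.get(cat, float("inf")))


if __name__ == "__main__":
    m = remediation_metrics(FINDINGS)
    for cat, v in m.items():
        print(cat, v)
    print("slower than DBIR median:", slower_than_dbir(m))
```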

Next Steps for Security

The DBIR includes recommendations for security practitioners looking to bolster their security posture to prevent and mitigate the effects of incidents and breaches during the next review period.

These include implementing strong password policies, timely patching of vulnerabilities, security awareness training for employees, and an emphasis on “positive security outcomes from vendors” being included in the procurement process.

There are also steps that can be taken to broaden organizational and national security.

“My key takeaway from this report is clear: collaboration and data-driven strategies remain essential to staying ahead of evolving threats,” Centrella says. “The findings underscore the importance of strengthening interagency coordination, investing in analytical capabilities, and empowering law enforcement with the tools they need to protect critical infrastructure.”

Centrella co-authored a section in the DBIR with U.S. Secret Service Program Manager Ronan McGee on partnering with the private sector to disrupt and dismantle cyber threats. These partnerships are critical because law enforcement cannot tackle the volume, speed, and complexity of today’s cyber threats alone, Centrella says.

“Private sector partners often detect incidents first, control critical infrastructure, and possess forensic and threat intelligence capabilities that are invaluable to building timely, actionable cases,” he adds. “Without private sector input, we’re operating with incomplete visibility into the threat landscape.”

In the DBIR, Centrella and McGee explained that businesses can partner with law enforcement disruption efforts by developing threat assessment teams, developing a case management process for tracking threat actors, designing and implementing controls to detect suspicious or threatening activity, and creating processes for working with law enforcement.

“Private sector practitioners can be force multipliers by sharing timely indicators of compromise (IOCs), participating in joint investigations, and helping to dismantle infrastructure used by threat actors,” Centrella explains. “They bring agility, technical acumen, and access to environments where cybercriminals often operate. Additionally, they help translate technical threats into business risk, which is critical when aligning cyber disruption efforts with broader national security goals.”

Want more DBIR insights? Check out our past coverage of the 2024, 2023, and 2022 iterations of the report.