8 Years Under the Magnifier: Decoding Data Breach Trends (2017-2024) with the Verizon DBIR

Executive Summary

Verizon's Data Breach Investigations Report (DBIR) has provided invaluable insights into the cyber security landscape for well over a decade. Analysing the eight reports from 2017 through 2024 reveals a threat environment characterized by both persistent adversaries and dramatically evolving tactics. External, financially motivated organized crime groups consistently dominate, yet the human element is implicated in the vast majority (68%-82%) of breaches through stolen credentials, phishing, error, or misuse, making people both a key vulnerability and a crucial part of the defence.

Key findings show a credential crisis, with stolen credentials being a primary attack vector across the years, often obtained via relentless phishing. While phishing persists, Pretexting (the core of Business Email Compromise, BEC) surged dramatically, becoming the dominant social tactic, with median transaction losses reaching $50,000. The Ransomware/Extortion crisis evolved significantly, shifting from pure encryption to data theft plus extortion and was involved in nearly a third (32%) of breaches in the 2024 report. A major development was the near-tripling of vulnerability exploitation as an initial breach path in the latest report, driven by mass-exploitation campaigns such as the MOVEit Transfer zero-day, underscoring the rising importance of Supply Chain/Third-Party risk (involved in 15% of 2024 breaches). Errors, particularly cloud misconfigurations, also grew in prevalence. Targets shifted from Payment Card data towards Credentials and Personal data, facilitated by attacks on Web applications and cloud services. Despite these evolving threats, detection times remain a challenge, with many breaches still discovered externally or taking months to identify.

Mastering the fundamentals remains paramount. Key recommendations include: universally implementing phishing-resistant MFA (FIDO2/WebAuthn rather than SMS or push approval), enhancing security awareness training with a focus on reporting, maintaining robust vulnerability and patch management (especially for known exploited vulnerabilities), securing web applications and cloud configurations, bolstering ransomware/extortion defences (offline backups, EDR, IR planning), managing third-party risk, and improving detection and response capabilities.

Figure 1: Confirmed Data Breaches per Year (2017-2024). Source: Verizon DBIR (2017-2024)

Introduction: A Look Back to Look Forward

By synthesizing data from Verizon's own investigations and dozens of global partners, the DBIR provides an evidence-based view invaluable to security professionals and business leaders alike. Looking back at the reports from 2017 through 2024 allows us to track significant shifts, identify persistent threats, and understand the crucial lessons learned to better defend our organizations.

The Human Element: The Constant Variable

Cyber security is deeply intertwined with human behaviour. Across the 2017-2024 period, the vast majority of breaches (consistently over 68%, peaking above 80%) involved a human element. This encompasses several facets:

  1. Falling for Social Engineering: Phishing remained a top-tier threat action throughout the period, serving as the primary vehicle for credential theft and initial malware delivery. More significantly, Pretexting attacks, the engine behind Business Email Compromise (BEC), saw a dramatic surge, nearly doubling between 2021 and 2023 to become the dominant social tactic. These attacks target business processes (invoice payment, payroll and bank-detail changes) as much as individuals.
  2. Credential Misuse: The relentless focus on stealing and reusing credentials – whether obtained via phishing, malware, brute force, or previous breaches – remained arguably the most critical pathway for attackers across almost all years.
  3. Errors: Human fallibility is a constant. While initially less prominent in breach statistics compared to malicious actions, Error-related breaches (especially cloud misconfigurations and misdelivery of sensitive information) rose significantly in later years, becoming a top pattern and accounting for 28% of breaches in the 2024 report.
  4. The Paradox: While people represent a major vulnerability, they are also critical for defence. Improved reporting rates for simulated phishing in recent years offer a glimmer of hope, emphasizing the need for awareness programs that empower users to act as sensors.
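The cloud misconfigurations in item 3 are often nothing more exotic than a storage bucket policy that grants access to everyone. The check below is an added example (not from the DBIR or from this article): it scans an S3-style bucket policy for Allow statements whose principal is anyone and that carry no condition scoping them to a network or organisation, run against a weak policy and a hardened rewrite of the same intent. The two policies, the bucket name, the account ID, the role name and the organisation ID are constructed for illustration.

```python
"""Flag bucket-policy statements that grant access to everyone.

Added example, not from the DBIR. The two policies below are constructed:
the first is the classic 'public read' error, the second is a hardened
version of the same intent. Uses the IAM policy JSON grammar (Statement,
Effect, Principal, Action, Resource, Condition).
"""
import json

# Condition keys that scope an otherwise-anonymous principal to a network
# or organisation. Matching is case-insensitive, as in IAM. Treating these
# as "not public" is a judgement call; review them rather than trust them.
SCOPING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid",
}

# Constructed: the misconfiguration (world-readable backup bucket).
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]
  }]
}""")

# Constructed: same access need, scoped to a role and to one organisation,
# plus a Deny guardrail for plaintext transport.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReaderRoleOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-backups/*"
    },
    {
      "Sid": "OrgOnlyList",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-backups",
      "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside the AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_keys(statement):
    """Collect every condition key, lower-cased, across all operators."""
    cond = statement.get("Condition") or {}
    return {key.lower() for operand in cond.values() for key in operand}


def find_public_statements(policy):
    """Return the Allow statements that expose resources to any principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a guardrail, not exposure
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if _condition_keys(stmt) & SCOPING_CONDITION_KEYS:
            continue  # anonymous on paper, but scoped to a VPC/IP/organisation
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(policy))
```

The check deliberately ignores NotPrincipal and NotAction, which invert the logic and deserve a manual read whenever they appear. Run it as a pre-deployment gate on policy files, and keep account-level Block Public Access switched on as the backstop, since a policy-level check only catches what passes through it.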

The Attacker Landscape: Consistent Motives, Shifting Faces

While the methods evolved, the who and why behind breaches showed strong consistency:

  1. External Dominance: External actors consistently perpetrated the overwhelming majority (70%-80%+) of breaches.
  2. Organized Crime: Financially motivated organized crime groups remained the primary threat actor category, driving the focus on monetizable data and extortion.
  3. Internal Threats: Involved in 20-35% of breaches, the nature shifted. Early analysis highlighted more malicious Misuse; later reports, aided by increased visibility, showed a higher proportion stemming from Errors, though Misuse remained a factor.
  4. State-Affiliated Actors: Their involvement fluctuated based on geopolitics, primarily motivated by Espionage and targeting specific sectors like Public Administration and Manufacturing.

Figure 2: External vs Internal Threat Actors (2017-2024). Source: Verizon DBIR (2017-2024)

The Evolving Battlefield: Tactics in Flux

The most dramatic changes occurred in the how of attacks:

  1. The Credential Crisis Deepens: Initial reports highlighted credential theft, but later years saw the rise of credential stuffing against web apps and cloud services, turning password reuse across sites into a primary weapon.
  2. Ransomware's Reign and Evolution: Exploding from a notable malware type to a dominant breach pattern (holding at 24% of breaches in the 2022 and 2023 reports), its shift to double/triple extortion (data theft + encryption + harassment) fundamentally changed its impact, blurring the lines between incident and breach. The 2024 report found Ransomware/Extortion combined involved in 32% of breaches.
  3. Web Applications as Ground Zero: Becoming the #1 attack vector around 2020, driven by the move to cloud and targeted via stolen credentials or vulnerabilities.
  4. Vulnerability Exploitation's Surge: While always a factor, the 2024 report highlighted a massive surge (nearly tripling year over year) in breaches initiated via vulnerability exploitation, largely due to mass-exploitation campaigns such as the MOVEit Transfer zero-day, often facilitating Ransomware/Extortion.
  5. Supply Chain/Third-Party Risk Emerges: Gaining prominence post-SolarWinds, this pathway was cemented by MOVEit. Under the 2024 DBIR's expanded definition, a third party was involved in 15% of breaches.

Figure 3: Phishing vs Web App Exploits in Breaches (2017-2024). Source: Verizon DBIR (2017-2024)

Shifting Targets: Assets and Data

What attackers targeted also evolved:

  1. Servers Rule Supreme: Consistently the most compromised asset, reflecting the focus on web/mail/file servers and cloud infrastructure.
  2. Data Focus Moves Beyond PCI: A clear shift away from Payment Card data dominance towards Credentials and Personal data (PII) as the most sought-after types. Internal data (emails, files) also remained a key target, especially for BEC.

The Persistent Detection Deficit

Despite evolving threats and defences, timely detection remains a major challenge:

  1. Discovery Still Slow: Breaches frequently take months or longer to detect.
  2. External Discovery High: A significant portion of breaches are still found by third parties (law enforcement, customers, researchers) rather than internal security teams, particularly for errors and sophisticated intrusions.

Recommendations for the Modern Threat Landscape

The consistent themes and evolving tactics revealed by the DBIR analysis point to clear defensive priorities:

  1. Master Identity & Access Management: Implement universal, phishing-resistant MFA. Enforce strong password hygiene (managers, no reuse). Monitor for credential leaks. Apply least privilege and disable dormant accounts.
  2. Combat Social Engineering: Conduct continuous awareness training focused on reporting. Deploy robust email filtering. Mandate out-of-band verification for payments and bank-detail changes, using a phone number already on file rather than contact details supplied in the requesting email.
  3. Prioritize Vulnerability Management: Maintain asset inventory. Implement risk-based patching, focusing on known exploited vulnerabilities (the CISA KEV catalogue is the usual starting list) and internet-facing systems. Reduce attack surface. Improve patch cadence.
  4. Secure Web Apps & Cloud: Use WAFs. Scan applications regularly. Enforce secure coding and secure cloud configuration standards. Use MFA for cloud accounts.
  5. Build Ransomware Resilience: Maintain and test offline/immutable backups. Use EDR and network segmentation. Develop and practice a ransomware-specific IR plan. Encrypt sensitive data.
  6. Manage Third-Party Risk: Vet vendors thoroughly. Understand software supply chain risks (SBOMs help). Plan for rapid response to third-party incidents.
  7. Improve Detection & Response: Enhance logging/monitoring. Regularly test and refine the IR plan. Focus on reducing MTTD and MTTR.
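The credential stuffing described in the tactics section (one source trying many different usernames, then succeeding against one of them) is exactly the kind of signal item 7 asks you to monitor for. The following is an added example, not part of the DBIR or of this article, showing that detection logic run over a constructed authentication log. The key=value log format, the ten-minute window and the five-distinct-accounts threshold are assumptions chosen for illustration; in practice the events come from your IdP or SSO audit log and the thresholds are tuned to your baseline.

```python
"""Detect credential stuffing / password spraying in authentication logs.

Added example, not from the DBIR. The log format, thresholds and sample
lines below are constructed for illustration; in practice the events
would come from your IdP or SSO audit log.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: a spray from 203.0.113.5 that finally lands on
# 'grace', a two-failure-then-success for alice (a typo, not a spray) and
# an ordinary login. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:08Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:09Z src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:12Z src=203.0.113.5 user=grace result=OK
2024-05-01T10:05:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:30Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:06:00Z src=198.51.100.7 user=alice result=OK
2024-05-01T11:30:00Z src=192.0.2.9 user=heidi result=OK
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_DISTINCT_USERS = 5           # assumed threshold: failures across >= 5 accounts


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'timestamp k=v k=v ...' line of the constructed format."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return AuthEvent(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        src=fields["src"],
        user=fields["user"],
        ok=fields["result"] == "OK",
    )


def detect(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return findings: sources whose failures span many accounts inside one
    window, plus any success from such a source after the spray began."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        best, first_fail, start = 0, None, 0
        for end, ev in enumerate(fails):
            # Slide the window start forward so it covers at most `window`.
            while fails[start].ts < ev.ts - window:
                start += 1
            distinct = len({f.user for f in fails[start:end + 1]})
            if distinct > best:
                best, first_fail = distinct, fails[start].ts
        if best < min_users:
            continue  # single-account brute force or typos: not this rule's job
        findings.append({"type": "credential_stuffing", "src": src,
                         "distinct_users": best, "first_seen": first_fail})
        # The breach is the success that follows the spray: that account's
        # credential was valid and is now in the attacker's hands.
        for ev in evs:
            if ev.ok and ev.ts >= first_fail:
                findings.append({"type": "success_after_stuffing", "src": src,
                                 "user": ev.user, "ts": ev.ts})
    return findings


def analyze_log(text: str):
    """Parse a whole log and run the detector over it."""
    return detect(parse_line(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

On the sample log this yields two findings: the spray from 203.0.113.5 across six accounts, and the success against grace that followed it, which is the account to reset first. The repeated failures for alice from 198.51.100.7 are deliberately not flagged; a per-account lockout or brute-force rule covers that case, and mixing the two produces noisy alerts. Attackers spread stuffing across many proxies to stay under a per-source threshold, so the same logic is worth running keyed on user-agent, ASN or attempted-username overlap as well as on source address.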

Conclusion: Learning from the Past, Preparing for the Future

While attackers continuously adapt, shifting from PoS malware to ransomware and BEC, leveraging stolen credentials and exploiting zero-days, fundamental weaknesses often enable their success. The human element remains central, both as a target and a potential line of defence. By understanding these long-term trends and recent evolutions, organizations can prioritize resources effectively, focusing on robust fundamentals like IAM, vulnerability management, secure configurations, and user awareness, while building resilience against pervasive threats like ransomware and supply chain compromises. The past informs the present; proactive, data-driven defence is key to navigating the future.