Verizon 2025 DBIR: Third-Party Risk Explosion

Verizon 2025 DBIR: Third-Party Risk Explosion & What It Means for Your Data Security Strategy

The just-released 2025 Verizon Data Breach Investigations Report (DBIR) reveals a startling reality: third-party involvement in data breaches has doubled from 15% to 30% in just one year. This dramatic increase signals a fundamental shift in the threat landscape that security leaders must address immediately. As organizations increasingly rely on external vendors, cloud platforms, and partners, their security perimeter has effectively dissolved, creating unprecedented risks to sensitive data.

This year’s DBIR analyzed over 12,000 confirmed data breaches—the highest number ever examined in a single report—providing authoritative insights into how threat actors are targeting organizations. Beyond the third-party risk explosion, the report documents significant increases in ransomware, vulnerability exploitation, and emerging threats from generative AI platforms.

In this analysis, we’ll break down the five most critical findings from the 2025 DBIR and provide actionable recommendations to strengthen your security strategy against these evolving threats.

What Is the Verizon Data Breach Investigations Report?

The Verizon Data Breach Investigations Report stands as the cybersecurity industry’s most comprehensive and authoritative analysis of real-world security incidents. Published annually since 2008, the DBIR combines data from Verizon’s own threat research with contributions from nearly 100 global partners, including law enforcement agencies, forensic specialists, cybersecurity firms, and intelligence organizations.

What distinguishes the DBIR from other security reports is its rigorous methodology. The 2025 edition analyzed 22,052 security incidents, of which 12,195 were confirmed data breaches that occurred between November 1, 2023, and October 31, 2024. This represents the highest number of breaches ever analyzed in a single DBIR report.

The DBIR team applies the VERIS (Vocabulary for Event Recording and Incident Sharing) framework to normalize this massive dataset, enabling consistent analysis across industries, company sizes, and regions. This standardized approach provides security practitioners with reliable insights into the tactics, techniques, and procedures that threat actors use to compromise organizations.

Third-Party Risk Explosion: Why Your Partners Are Now Your Biggest Threat

The most concerning development in this year’s DBIR is the alarming increase in attacks originating through third parties. This trend aligns with findings from the recent “Top 11 Data Breaches of 2024” report, which noted that third-party vulnerabilities were the gateway for 64% of major breaches, proving that your security is only as strong as your weakest vendor.

Third-Party Involvement Doubles to 30% of All Breaches

The most alarming finding in the 2025 DBIR is the dramatic increase in third-party involvement in breaches, which doubled from approximately 15% last year to 30% this year. This isn’t merely a statistical fluctuation—it represents a fundamental shift in how threat actors are targeting organizations.

The report highlights several high-profile incidents that exemplify this trend. Service provider breaches like those affecting Change Healthcare, CDK Global, and Blue Yonder didn’t just expose private data—they created substantial operational downtime across entire industries. These incidents effectively combined cybersecurity risk with operational risk, creating cascading failures that affected thousands of downstream organizations.

What makes this trend particularly concerning is that many organizations lack visibility into their third-party ecosystem. The DBIR notes that companies often struggle to even identify all their third-party dependencies, let alone assess and mitigate the associated risks.

GitHub Secrets and Leaked Credentials: A 94-Day Problem

A key driver behind the third-party risk explosion is the challenge of managing access credentials and secrets across organizational boundaries. The DBIR reveals that the median time to remediate discovered leaked secrets in GitHub repositories is a staggering 94 days.

These exposed secrets include a wide variety of authentication mechanisms:

  • 39% are web application infrastructure secrets (with 66% of those being JSON Web Tokens)
  • Development and CI/CD secrets represent another significant category
  • Cloud infrastructure tokens and database connection credentials round out the most common types

This extended exposure window gives threat actors ample time to discover and exploit these credentials. Once attackers gain access to these secrets, they can often bypass traditional security controls entirely, masquerading as legitimate users or services.
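To make the exposure window concrete, the following is an added example (not taken from the DBIR or from this article's author) of how a defender might triage JWT-shaped strings found in a repository: it decodes each candidate, discards false positives, and reports whether the token would still be valid if remediation took the 94-day median. The file contents, token claims and function names are constructed for illustration.

```python
import base64
import json
import re
import time

# A JWT is three base64url segments; a JSON object always encodes to "eyJ...".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
MEDIAN_REMEDIATION_DAYS = 94  # figure quoted from the DBIR in the text above


def decode_segment(segment):
    """Decode one base64url segment to a dict; None if it is not a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def triage_jwts(text, now=None):
    """Find JWTs in text and report whether each is still usable, without echoing it."""
    now = time.time() if now is None else now
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in JWT_RE.finditer(line):
            head_b64, body_b64, _sig = match.group(0).split(".")
            header, claims = decode_segment(head_b64), decode_segment(body_b64)
            if header is None or claims is None or "alg" not in header:
                continue  # JWT-shaped string that does not decode: false positive
            exp = claims.get("exp")
            if not isinstance(exp, (int, float)):
                status, days_left = "live-no-expiry", None
            elif exp <= now:
                status, days_left = "expired", 0.0
            else:
                status, days_left = "live", round((exp - now) / 86400, 1)
            findings.append({
                "line": lineno,
                "alg": header["alg"],
                "status": status,
                "days_left": days_left,
                # Would the token still work if the fix took the median 94 days?
                "outlives_median_fix": days_left is None
                or days_left > MEDIAN_REMEDIATION_DAYS,
                "redacted": head_b64[:8] + "...<redacted>",
            })
    return findings


def sample_token(claims):
    """Build a constructed demo token; the signature is a dummy, not a real MAC."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}
    return ".".join([enc(header), enc(claims), "ZHVtbXktc2ln"])


NOW = 1_750_000_000  # fixed clock so the demo is reproducible
SAMPLE = "\n".join([
    "# deploy.env (constructed sample, not real credentials)",
    "DEPLOY_TOKEN=" + sample_token({"sub": "svc-deploy", "exp": NOW + 120 * 86400}),
    "OLD_TOKEN=" + sample_token({"sub": "svc-build", "exp": NOW - 30 * 86400}),
    "REPORT_TOKEN=" + sample_token({"sub": "svc-report"}),
    "BUILD_TAG=eyJabc.eyJdef.ghi",  # JWT-shaped but not decodable
])

if __name__ == "__main__":
    for finding in triage_jwts(SAMPLE, now=NOW):
        print(finding)
```

Tokens flagged as outliving the median fix, or carrying no expiry at all, are the ones to revoke first, since removing the file from the repository does not invalidate them.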

The DBIR analysis of the Snowflake breaches from April 2024 provides a telling example. In this case, threat actors identified that certain Snowflake customers weren’t enforcing multifactor authentication (MFA). They developed specific tooling to discover vulnerable accounts, exploited them at scale, and exfiltrated sensitive data from approximately 165 organizations.

Ransomware’s Continued Surge: New Tactics and Changing Payments

Despite increased defenses and awareness, ransomware remains a dominant threat across all sectors. The 2025 DBIR reveals important shifts in ransomware tactics and economics that security leaders should understand. These findings echo the “Top 11 Data Breaches of 2024” report, which identified that ransomware continued to play a significant role in three of the top 11 breaches, with the Change Healthcare ransom payment of $22 million being the most significant.

44% of Breaches Now Include Ransomware

Ransomware continues its relentless growth trajectory, now appearing in 44% of all breaches analyzed in the 2025 DBIR—up dramatically from 32% in the previous year. This 37% increase demonstrates that ransomware remains the preferred attack method for financially motivated threat actors.

The DBIR notes that this figure includes both traditional encrypting ransomware and “pure-extortion, non-encrypting” variants where attackers simply threaten to release stolen data. This reflects the ongoing evolution of ransomware tactics, as attackers recognize that the threat of data exposure can be just as powerful as encryption.

Particularly concerning is the disproportionate impact on small businesses. While ransomware affects 39% of breaches in larger organizations, it appears in an astounding 88% of breaches targeting small and medium-sized businesses. This discrepancy suggests that smaller organizations may lack the security resources and recovery capabilities to effectively defend against these attacks.

Declining Ransom: $115,000 and 64% Non-payment

Despite ransomware’s prevalence, there are indications that resistance strategies might be working. The 2025 DBIR reports that the median ransomware payment decreased to $115,000, down from $150,000 the previous year. Even more encouraging, 64% of victim organizations refused to pay the ransom—up from 50% two years ago.

This growing refusal to pay appears to be affecting the ransomware economy. The report notes that 95% of ransoms were less than $3 million in 2024, a significant decline from the $9.9 million figure reported in 2023. The DBIR team suggests these declines are directly connected: as fewer organizations pay, attackers are forced to lower their demands.

However, the report cautions against interpreting this as a sign that ransomware is becoming less profitable overall. The decreased payment amounts may simply reflect ransomware groups’ adaptation to market realities, allowing them to maintain or even increase their total revenue by focusing on volume rather than individual payment size.

Vulnerability Exploitation: The Edge Device Crisis

As we transition from examining ransomware trends to specific vulnerability exploitation patterns, the 2025 DBIR highlights a dramatic shift in exploitation targets, with edge devices becoming the primary focus for attackers seeking initial access to networks. This trend reflects the expanding attack surface that organizations must defend as remote work and cloud adoption continue to accelerate.

Edge Devices and VPNs: An 800% Increase in Exploits

The 2025 DBIR documents an alarming increase in attacks targeting network edge devices, with exploitation of VPN and edge device vulnerabilities growing almost eight-fold—from 3% to 22% of all exploitation vectors. This dramatic shift reflects threat actors’ recognition that these devices provide direct paths into otherwise well-protected networks.

This trend involves several high-profile vulnerabilities across multiple vendors and platforms. The report samples 17 critical edge device vulnerabilities that were added to the CISA Known Exploited Vulnerability (KEV) catalog during the reporting period, affecting seven different vendors.

What makes these vulnerabilities particularly dangerous is the speed at which they’re exploited. The report finds that the median time between CVE publication and mass exploitation for edge device vulnerabilities was zero days. In other words, attacks often began simultaneously with (or even before) public disclosure, giving defenders no time to implement patches.

How Organizations Are Responding to Edge Device Threats

Organizations appear to recognize the criticality of edge device vulnerabilities, as the DBIR notes that 54% of these vulnerabilities were fully remediated during the reporting period. This compares favorably to the 38% remediation rate for all vulnerabilities in the CISA KEV catalog and just 9% for all vulnerabilities identified in scans.

However, the median time to full remediation was still 32 days—creating a substantial window of exposure given the zero-day exploitation timeline. The report also found that 30% of these critical edge device vulnerabilities remained completely unaddressed, likely contributing to successful breaches.

The DBIR team compared this situation to the myth of Sisyphus, constantly pushing a boulder uphill only to have it roll back down. The continuous stream of new critical vulnerabilities creates a never-ending cycle of patching, with limited opportunity for security teams to get ahead of the threat.

Human Element and Credential Theft Remain Central to Breaches

While technological vulnerabilities receive significant attention, the 2025 DBIR reminds us that human factors continue to play a crucial role in data breaches. Understanding these human-centric attack vectors is essential for developing effective defenses that address both technical and behavioral security aspects.

60% of Breaches Still Involve the Human Element

Despite increased automation in attacks, the human element remains a critical factor in data breaches. The 2025 DBIR reports that 60% of breaches involved human interaction at some point in the attack chain, whether through social engineering, errors, or credential misuse.

The report breaks down these human-centric breaches into their component parts:

  • Social engineering actions appeared in 24% of breaches
  • Credentials were misused in 42% of cases
  • Errors caused 15% of breaches
  • Malware requiring human interaction was involved in 44% of incidents

What makes these human-centered attacks particularly challenging is their interconnected nature. For example, successful phishing often leads to credential theft, which then enables broader network access. This creates multiple opportunities for detection but also requires layered defenses.

Infostealer Malware and BYOD: The Corporate Login Crisis

Credential theft continues to evolve, with infostealer malware playing an increasingly significant role. The DBIR’s analysis of infostealer malware logs revealed that 30% of compromised systems were enterprise-licensed devices. However, a more concerning finding was that 46% of systems with compromised corporate logins were non-managed devices.

This indicates the growing risk posed by bring-your-own-device (BYOD) policies and personal device usage for work purposes. Even when organizations implement strong security controls on corporate-managed devices, employees frequently access work resources from personal devices that lack equivalent protections.

The DBIR team found a direct correlation between infostealer credential compromise and subsequent ransomware attacks. By analyzing the domains associated with ransomware victims, they discovered that 54% of those victims had their domains appear in infostealer logs before the ransomware attack, and 40% had corporate email addresses exposed.

Emerging GenAI Threat: A New Frontier of Data Leakage

As we move beyond traditional security concerns, the 2025 DBIR identifies a significant new risk vector that many organizations are only beginning to recognize: the use of generative AI platforms and their potential to expose sensitive private data. This emerging threat requires immediate attention from security leaders as employees rapidly adopt AI tools for productivity gains.

15% of Employees Regularly Access GenAI on Corporate Devices

The 2025 DBIR highlights a new and rapidly growing risk vector: generative AI platforms. The report found that 15% of employees routinely access generative AI systems on their corporate devices (at least once every 15 days), creating a significant new channel for potential private data exposure.

What makes this particularly concerning is the authentication patterns associated with this usage. The DBIR found that 72% of employees accessing AI platforms were using non-corporate email addresses as their account identifiers. Another 17% were using corporate emails but without integrated authentication systems like SAML, suggesting these tools were being used outside official corporate policy.

This pattern of usage creates serious data governance challenges. Since common use cases for generative AI include summarization, coding assistance, and content creation, employees are likely uploading sensitive corporate data, intellectual property, and private information to these platforms. Unlike traditional software, generative AI tools typically retain uploaded data, potentially incorporating elements into future outputs provided to other users.

Dangers of Unmanaged AI Access

The risks of unmanaged AI access extend beyond simple data leakage. The DBIR notes several documented cases of AI platforms inadvertently exposing private data, including a January 2025 incident where the DeepSeek model was found to be insecurely leaking sensitive data, including chat history containing corporate information.

The report also highlights how AI is now being integrated into core operating system functions on mobile devices, with voice assistants, messaging apps, and camera features leveraging AI models. Since many of these functions are enabled by default, they create additional vectors for private data exposure that may bypass traditional security controls.

For organizations with regulated data or valuable intellectual property, these AI platforms represent a significant governance gap. The DBIR notes that traditional data loss prevention tools may not effectively monitor or control this type of data sharing, creating blind spots in security programs.

AI-Generated Threats: Beyond Data Leakage

The 2025 DBIR also documents the growing use of AI by threat actors. Analysis from email security partners shows that malicious AI-written emails have doubled over the past two years, from approximately 5% to 10%. This trend began before large language model-based chat tools became widely available and has accelerated since.

Both OpenAI and Google reported identifying usage from state-sponsored actors who were attempting to augment influence operations, phishing attempts, and malicious code development. While platforms have implemented controls to prevent abuse, the report notes that threat actors continue to find ways to circumvent these restrictions.

The report suggests that AI’s impact on the threat landscape is still evolving. Rather than revolutionizing attacks, AI is primarily helping threat actors improve efficiency, personalization, and language quality—making social engineering attempts more convincing and harder to detect.

Comprehensive AI Security Controls

The DBIR recommends a multi-layered approach to managing AI-related data risks:

  1. Develop clear AI usage policies that specify what types of data can and cannot be shared with external AI platforms
  2. Implement technical controls to prevent sensitive data sharing, such as network monitoring and blocking unapproved AI services
  3. Provide approved, enterprise-grade AI tools with appropriate data governance and security controls
  4. Establish authentication requirements for AI platform access, preferably through single sign-on and with MFA
  5. Create training programs that educate employees about the risks of sharing sensitive data with AI platforms
  6. Monitor for shadow AI usage and implement detection capabilities for unauthorized data sharing

The report emphasizes that organizations should approach AI governance as a critical component of their overall data security strategy, rather than as a separate technology initiative.

Data Security Strategies for 2025 and Beyond

Having examined the key threats identified in the 2025 DBIR, it’s clear that organizations need to fundamentally rethink their security strategies. The rise in third-party breaches, ransomware evolution, and new threats like AI data leakage require a comprehensive and adaptable security posture for the coming year and beyond.

Prioritizing Third-Party Risk Management

Given the dramatic rise in third-party breaches, the DBIR emphasizes the need for comprehensive third-party risk management. The report recommends:

  1. Making security outcomes a key component of vendor selection during procurement
  2. Implementing continuous monitoring of third-party security postures rather than point-in-time assessments
  3. Developing incident response plans that account for third-party breaches
  4. Establishing clear security requirements in contracts and service level agreements
  5. Implementing network segmentation and access controls for third-party connections
  6. Requiring strong authentication for all third-party access, including API keys and service accounts

The report notes that organizations cannot simply rely on their vendors to maintain adequate security. Instead, they must take an active role in assessing, monitoring, and enforcing security requirements across their entire supply chain.

Building a Multi-Layered Data Security Strategy

The 2025 DBIR recommends shifting from a perimeter-focused security approach to a data-centric model that protects sensitive information throughout its lifecycle, regardless of where it resides. Key elements of this strategy include:

  1. Implementing strong authentication across all systems, with MFA enforced for all users
  2. Prioritizing vulnerability management for internet-facing systems, especially edge devices
  3. Creating comprehensive backup and recovery capabilities to reduce ransomware leverage
  4. Developing detection capabilities that can identify unusual data access or movement
  5. Implementing proper segmentation to limit lateral movement following initial compromise
  6. Establishing data governance policies that address emerging risks like AI platforms
  7. Creating employee awareness programs focused on credential protection and phishing recognition

The report emphasizes that organizations should focus on security resilience rather than purely preventative measures, acknowledging that some breaches will inevitably occur but aiming to minimize their impact.

Key Takeaways for Your Data Security Strategy

The 2025 Verizon DBIR presents a clear picture of an evolving threat landscape that requires adaptive security strategies. The doubling of third-party breaches demands renewed focus on supply chain security, while the continued dominance of ransomware necessitates both preventative controls and robust recovery capabilities.

The explosion of edge device exploitation calls for prioritized vulnerability management, and the persistent impact of the human element reminds us that technical controls must be complemented by user awareness and training. Finally, the emergence of AI as both a potential data leakage vector and an attacker tool requires new governance approaches.

By understanding these key trends and implementing the report’s recommendations, security leaders can better protect their organizations from the most significant threats of 2025 and beyond. The path forward requires balancing technological solutions with human factors, preventative measures with detection and response capabilities, and compliance requirements with practical security outcomes.

Organizations that adopt this comprehensive, risk-based approach will be better positioned to navigate the increasingly complex threat landscape revealed in this year’s DBIR. As the report concludes, security is not about eliminating all risks—it’s about understanding, prioritizing, and managing them effectively.

Frequently Asked Questions About the 2025 DBIR

The financial services sector has overtaken healthcare as the most breached industry for the first time since 2018. Financial institutions accounted for 27% of major breaches, followed by healthcare (23%), government (18%), retail (14%), and technology (12%). This aligns with findings from the “Top 11 Data Breaches of 2024” report, which noted a significant shift in industry targeting patterns from healthcare to financial services.

Small businesses face disproportionate impacts from ransomware, with 88% of SMB breaches involving ransomware compared to 39% for enterprises. However, enterprises are more likely to experience targeted attacks and more sophisticated threat actors.

Credential-based attacks remain the most common initial access vector, followed by phishing and exploitation of public-facing applications. The significant increase in edge device exploitation (up 800%) indicates a growing focus on network perimeter devices.

Ransomware is now present in 44% of breaches (up from 32% in 2024). The median payment has decreased to $115,000, and 64% of organizations now refuse to pay. Dual extortion tactics combining encryption and data theft remain standard.

Key recommendations include enhancing third-party risk management, implementing zero-trust architecture, improving vulnerability management for edge devices, strengthening authentication, and developing AI governance policies.

The DBIR recommends implementing MFA across all accounts, reducing password reuse, monitoring for exposed credentials in public repositories, and addressing the risks of corporate credential usage on personal devices.

AI presents dual risks: as a potential data leakage vector when employees use external AI platforms with corporate data, and as a tool threat actors use to improve the efficiency and effectiveness of their attacks, particularly in social engineering.
