
Cybersecurity statistics 2025: figures, stories, and what to do next


Summary: Stats for 2025 show ransomware in 44% of breaches and third-party risk doubling. The answer is Zero Trust and resilience.

By the numbers, 2025 was the worst year yet for organizations that expose remote services, trust third parties by default, or postpone identity hardening. Ransomware was present in nearly half of all data breaches, while exploitation of edge and VPN devices surged. More data breaches than ever were traced back to someone else’s software or service.

Cybersecurity statistics paint a concerning picture. Two headlines set the tone. First, the updated scale of the Change Healthcare fallout (described as the largest U.S. health data breach on record, affecting roughly 190–193 million people) showed how a single compromise can disrupt prescriptions, claims, and care nationwide.

Second, the PowerSchool extortion and data-theft case demonstrated the unique harm to minors when K-12 data platforms are compromised at scale.

Fast facts: cybersecurity statistics 2025 at a glance

  • Nearly half of business owners have experienced a cyber-attack on their current business.
  • Ransomware was involved in 44% of data breaches (up sharply YoY), and the median ransom was $115,000. However, 64% of victim organizations did not pay.
  • Third-party involvement doubled: Approximately 30% of data breaches involved a partner, vendor, or external service.
  • Initial access is shifting: Exploitation of vulnerabilities rose to 20% of data breaches; edge and VPN devices represented 22% of those exploit paths (nearly 8x last year’s share).
  • Mandiant M-Trends investigations: Exploits were the #1 initial vector (33%), followed by stolen credentials (16%) and email phishing (14%); overall median dwell time increased slightly to 11 days, though it remains a long-term low compared to prior years.
  • Healthcare remains the costliest industry: its average breach cost was $7.42M. By geography, the U.S. average breach cost reached a record $10.22M, while the global average fell 9% YoY to $4.4M.
  • Retail on extortion sites: Retail victims constituted 11% of data-leak-site postings in 2025 YTD (up from approximately 8.5% in 2024 and 6% in 2022–2023).
  • Infostealers fuel access: 30% of the machines in credential logs are enterprise-licensed devices, and 46% of the machines holding corporate logins are unmanaged devices that mix work and personal credentials (BYOD risk).
  • Cookies and sessions are a goldmine: Nearly 94 billion cookies were leaked on underground markets, up 74% YoY; about 20.5% were still active, with country rates often ~7–9%.


7 most consequential cyber threats of 2025

1) The ransomware attack becomes the default threat

Ransomware attacks appeared in 44% of data breaches. In Mandiant’s casework, ransomware-related intrusions accounted for approximately 21% of investigations in 2024. Attackers move fast: 56.5% of ransomware incidents were discovered within a week, often because the adversary announces their presence via extortion.

The most common first step wasn’t phishing but brute-force attacks on remote services, followed by stolen credentials and exploits. Families like RANSOMHUB, Akira (REDBIKE), BASTA, and LOCKBIT consistently appear in investigations.

[Figure: Top industries victim to ransomware breaches]

Why this matters: Ransom amounts might be falling, but the operational blast radius (from downtime to supplier disruption) continues to grow. Data-theft-only extortion without encryption is now a common variant. The primary control failures remain identity weaknesses, exposed remote services, and incomplete network segmentation.

2) Edge and VPN zero-days challenge defenses

The DBIR shows vulnerability exploitation jumping to 20% of initial access paths, driven by edge and VPN devices (22% of exploit vectors, an approximately 8x increase YoY).

Mandiant’s top exploited CVEs were:

  • Palo Alto PAN-OS GlobalProtect (CVE-2024-3400);
  • Ivanti Connect Secure/Policy Secure auth-bypass/command-injection chains (CVE-2023-46805, CVE-2024-21887);
  • Fortinet FortiClient EMS (CVE-2023-48788).

Many of these were first seen as zero-days and rapidly adopted by multiple threat actor groups.

Why this matters: These devices sit on the network edge by design and often share an identity plane with corporate resources. Rapid weaponization and slow patch adoption mean identity-aware access policies must assume periodic exposure is inevitable.

3) Data breaches proliferate through the supply chain

The share of breaches involving a third-party component roughly doubled to 30%. Recent multi-tenant SaaS campaigns harvested OAuth tokens and CRM data across many organizations (e.g., the theft of Salesloft Drift OAuth tokens, which were then replayed against connected Salesforce tenants). Government and healthcare incidents showed how vendor remote-support tools and legacy platforms can widen attack paths.

The lesson is that secure-by-default configurations and Zero Trust principles must be extended to vendor and SaaS due diligence. Excellent internal data protection is not enough.

Why this matters: A single supplier breach can create a blast radius across sectors and geographies. It can seed phishing attacks, business email compromise, and targeted intrusions among your customers and partners.

4) Social engineering accelerated by credential theft

Credential theft remains a pillar of cybercrime. Stolen credentials were the #2 initial vector in M-Trends (16%).

DBIR’s analysis of infostealer logs shows that 30% of the compromised systems were enterprise-licensed devices, and 46% of the systems holding corporate logins were unmanaged devices mixing personal and work credentials (amplifying shadow IT and BYOD risk).

[Figure: Ransomware-related observed tools]

Attackers increasingly create persistent access with session cookies and app-specific tokens; for example, research in 2025 found nearly 94 billion leaked cookies across dark markets.

Why this matters: Traditional password policies and basic MFA are not enough. Controls must focus on phishing-resistant MFA, continuous device posture checks, and session/token governance to reduce credential reuse and session hijacks.

5) Social engineering changes: from help desk vishing to process abuse

Front-line social engineering drove multiple high-profile intrusions.

  • UNC3944 (which has overlaps with "Scattered Spider") has repeatedly impersonated help desks and abused account-reset flows to take over high-value identities, pivoting to ransomware attacks and extortion.
  • UNC6040 uses vishing to trick Salesforce users into approving a malicious connected app, enabling mass data exfiltration.
  • UNC6293 (likely Russia-nexus) persuaded targets to generate and share app-specific passwords (ASPs), granting mailbox access.

Each example shows creative lures that bypass technical controls by exploiting process gaps.

Why this matters: People, not perimeters, remain the decisive "allow" button. Organizations need positive identity verification and out-of-band checks for any credential or MFA changes, plus the ability to block risky workflows (like ASPs) for high-risk users.

6) Evolving threats: state-backed espionage adapts to the cloud

PRC-nexus operators (e.g., those using UNC6384/PlugX variants) hijacked captive portal checks to deliver digitally signed malware and deploy in-memory backdoors. APT41 used Google Calendar as a command-and-control channel in its “TOUGHPROGRESS” campaign. Russia-nexus activity (UNC6293) blended diplomatic lures with mailbox persistence.

Beyond data theft, several groups target edge devices, SaaS applications, and cloud misconfigurations to entrench themselves quietly. Espionage-motivated data breaches grew to approximately 17% in the DBIR's dataset.

Why this matters: These new threats blur lines between cybercrime and espionage. They often dual-purpose their access for both financial and intelligence goals. Defenses must apply the same rigor to identity, SaaS, and the network edge as they do to on-premises servers.

7) Security measures for resilience: surviving business interruption

Availability-only incidents (from botched updates to targeted destructive actions) can rival data breaches in cost. Mandiant emphasizes using Isolated Recovery Environments (IREs) that are identity-separated from production, with immutable backups and console-only recovery workflows. This is a critical step, since modern attackers now seek out and destroy backups.

Why this matters: When cyber-attacks knock systems offline, security measures that accelerate clean rebuilds and validated recovery (in parallel with forensics) can determine whether a crisis is measured in hours, weeks, or quarters.

Who are cybercriminals targeting in 2025?

Financial services: Still the most targeted sector in Mandiant’s global investigations (a little over 17%). Attackers chase monetizable data, payment rails, and high-pressure operations.

Business and professional services; high tech; government; healthcare: The next most frequently impacted sectors in 2024 and early 2025. Each combines valuable sensitive data with complex third-party ecosystems.

Retail: 11% of victims posted on extortion sites in 2025 YTD (vs. ~8.5% in 2024). Payment disruption risk increases ransom pressure, and retail organizations hold vast PII.

Telecom: National-scale data breaches (e.g., SK Telecom) exposed SIM/USIM data and raised SIM-swap risks for millions. Core networks and identity systems are prime espionage targets.

Education: SaaS-driven K-12 platforms (e.g., PowerSchool) concentrate data on minors and staff; the exposure from a breach can be unprecedented in scope.

SMBs globally: Nearly half of SMB owners report an attack on their current business; almost 1 in 5 of those later closed or went bankrupt, showing the disproportionate impact of downtime and extortion.

[Figure: Top action varieties by victim organization size]

Rising cybercrime costs: the actual price of data breaches

The average global breach cost is $4.4M (down 9% YoY), but U.S. organizations still face a record $10.22M average.

Healthcare tops the charts at $7.42M. That is before factoring secondary impacts like delayed prescriptions or claims denials.

[Figure: Percentage of ransoms not paid]

Importantly, the median ransom is $115K, yet most victims do not pay. That shifts costs toward recovery, regulatory penalties, and reputational damage. These cybersecurity statistics show that even without a ransom payment, the financial toll of a ransomware attack remains immense.

Biggest cyber-attacks of 2025 (selected)

Here are some of the most significant cyber incidents and data breaches that have occurred this year.

1. PowerSchool data breach

In January 2025, a threat actor claimed to have stolen data for over 62 million students and nearly 10 million teachers from the systems of PowerSchool, a major student information system. By September, the Texas Attorney General had filed a lawsuit against PowerSchool stating that over 880,000 state residents were affected.

Investigators determined the attackers gained access using a contractor’s stolen credentials. Because PowerSchool is used to manage everything from grades and enrollment to bus routes, the breach exposed a wide range of sensitive information, including names, Social Security numbers, and even medical details in some districts.

  • Scope of the breach. Attackers claimed data from 62 million students and 10 million teachers was stolen.
  • Cause of the attack. A compromised contractor login provided the entry point for the attack.
  • Data exposed. Personal details, Social Security numbers, and school-related data, like transportation and medical information, were compromised.
  • Systemic risk. The incident exposed the widespread risk associated with a single, heavily integrated student information system.

2. SK Telecom SIM authentication data breach

In April 2025, South Korea’s largest telecom provider, SK Telecom, admitted that attackers had stolen authentication records tied to its USIM cards—the small chips that verify a phone’s identity. Regulators later revealed that malware had been in the company’s systems for years before being detected.

The exposed records could allow criminals to clone SIM cards, intercept text messages, and take over online accounts that use SMS for verification. Officials described the breach as nationwide in scale, impacting 26.96 million customers. The government fined the company and ordered it to improve its security controls.

  • Data compromised. Authentication records for USIM (Universal Subscriber Identity Module) cards were stolen.
  • Nationwide impact. The breach affected 26.96 million customers, making it a national-scale security event.
  • Potential for fraud. Stolen data enables SIM cloning, which can be used to bypass two-factor authentication and hijack accounts.
  • Long-term presence. Malware was reportedly present in SK Telecom’s systems for years before the breach was discovered.

3. Salesforce CRM data breach

In September 2025, the FBI issued a warning about two cybercriminal groups, UNC6040 and UNC6395, quietly stealing customer data from Salesforce tenants. UNC6040 used vishing (phone phishing) to talk employees into approving a malicious connected app or handing over multi-factor authentication codes; UNC6395 used OAuth tokens stolen from a third-party integration.

These tokens, which allow connected apps to access data without a password, gave attackers a direct line to CRM records. This was not a loud ransomware attack but a quiet theft of names, phone numbers, and business contacts. Because many companies use the same third-party apps, one stolen token could create a ripple effect across dozens of organizations.

  • Attack methods. Attackers used vishing to steal MFA codes and exploited stolen OAuth tokens from connected third-party apps.
  • Data targeted. The quiet theft focused on CRM records, including names, emails, phone numbers, and support tickets.
  • Third-party risk. The breach showed how a single compromised app token could expose data across multiple companies.
  • Government warning. The FBI issued a formal alert to warn businesses about the ongoing threat from these groups.

4. U.S. Treasury vendor tool intrusion

In late December 2024, in an incident that carried over into 2025, the U.S. Treasury learned that attackers had compromised a contractor's remote-support tool. They used this access to reach unclassified Treasury computers and documents.

Investigations attributed the intrusion to a China-linked group. The incident is a critical reminder of third-party risk, as such vendor tools are widely used. A single compromised credential at a contractor can give outsiders deep access into a secure environment, turning a routine help-desk session into a significant intrusion.

  • Attack vector. Attackers compromised a remote support tool used by a third-party vendor.
  • Affected entity. The attackers gained access to unclassified systems and documents within the U.S. Treasury.
  • Attribution. Investigations linked the intrusion to a group associated with China.
  • Third-party vulnerability. The breach highlights how contractors and their tools can become a critical weak point in an organization's security.

5. Oracle Health legacy servers compromised

At the end of March 2025, hospitals reported that threat actors had broken into old Cerner "data migration" servers. These were outdated, on-premises systems used to move patient information. Oracle Health later confirmed that these obsolete servers were compromised but insisted its modern cloud systems were secure.

Notices sent throughout the summer named at least 14,485 affected individuals, though the total number is likely higher. Since the Cerner system is connected to many hospital environments, the breach created a widespread privacy risk. Even when only old servers are hit, the exposure of names, IDs, and medical details creates a long-term headache.

  • Affected systems. The breach targeted outdated, on-premises Cerner data migration servers.
  • Data exposed. A mix of names, patient IDs, and medical details were compromised.
  • Healthcare vulnerability. The incident underscores the risk of unpatched, legacy systems that often remain active in healthcare environments.
  • Vendor risk. A single vulnerability at a major vendor like Oracle Health can ripple through dozens of its hospital clients.

6. Yale New Haven Health data breach

On April 11, 2025, Yale New Haven Health disclosed that hackers had been inside its systems since March 8, exposing the data of 5.56 million people. The breach is one of the largest hospital attacks of the year, equivalent to exposing the personal information of an entire small U.S. state's population.

The compromised files included demographic details and other protected health information, which is highly valuable for scams and identity theft. Patients quickly filed lawsuits, and the health system entered settlement talks by late summer, highlighting the severe financial and legal fallout from such a massive breach.

  • Scope of the breach. The personal and protected health information of 5.56 million people was exposed.
  • Operational challenges. The incident illustrates how hospitals must continue patient care while fighting an active cyberattack, complicating containment efforts.
  • Legal consequences. The massive breach led to immediate class-action lawsuits and settlement negotiations.
  • Data compromised. Leaked files included demographic details and other sensitive patient data.

7. Blue Shield of California analytics leak

On April 9, 2025, Blue Shield of California admitted that a misconfigured Google Analytics setup had been leaking member data to Google Ads for years. This was not a malicious hack but an internal error where a marketing tool accidentally sent private information to advertising systems.

The configuration error affected approximately 4.7 million people. While full medical charts were not exposed, sensitive data such as browsing histories, insurance plan details, and claims information was leaked. The incident is a stark reminder that not all breaches are caused by external attackers; sometimes, the danger comes from a tool used with the wrong settings.

  • Cause of the leak. A misconfigured Google Analytics integration, not a cyber-attack, was responsible.
  • Number of people affected. The data of about 4.7 million members was inadvertently sent to Google's advertising systems.
  • Data exposed. Browsing history, health plan details, and claims information were unintentionally leaked.
  • Internal threat. This incident shows that data breaches can result from hidden configuration errors in common business tools.

[Figure: 80% of recent ransomware attacks leverage AI for payloads and phishing]

Top security priorities for 2025

The through-line from this year’s cybersecurity stats is clear: reduce initial access, contain the blast radius of any intrusion, and accelerate recovery.

1) Harden access management: enforce phishing-resistant MFA

Make FIDO2-based MFA mandatory for administrators and high-risk roles. Remove SMS and voice fallbacks. Require multi-context checks (user, device, and location) for sign-ins, password resets, and all MFA enrollment. Investigations repeatedly show adversaries exploiting weak help-desk flows and device-agnostic policies to carry out devastating cyber-attacks.

2) Counter social engineering: lock down account recovery

Introduce positive identity verification, such as on-camera ID checks, before any sensitive change. Require out-of-band supervisor approval for high-risk modifications. During periods of elevated threat, temporarily disable self-service MFA resets. Train staff on social engineering tactics and provide them with easy escalation paths.

3) Cut off edge attack paths and reduce cybersecurity risks

Inventory and prioritize patching for all edge and VPN appliances. Restrict management interfaces. Enforce allow-listed IPs and device posture checks for administrative access. Treat edge exposure as inevitable: monitor for web shells, unusual processes, and configuration drift.
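The "treat edge exposure as inevitable" step above is easier to operationalize with a baseline: hash the appliance's web root once, then compare. The following is an added example, not code from NordLayer or from the reports the page cites. It builds a SHA-256 baseline of a directory, reports files added, modified or removed since that baseline (configuration drift), and flags new or changed files that match common web-shell indicators. The directory layout, the sample files and the indicator list are constructed for illustration; the patterns in SHELL_PATTERNS are an assumed starting set, not a vendor's detection content.

```python
"""Added example, not code from NordLayer or the page's sources: a baseline-and-
scan check for the web root of an edge appliance.  It hashes every file under a
directory, later reports files added, modified or removed since that baseline
(configuration drift), and flags new or changed files that contain common
web-shell indicators.  Paths, sample files and indicator list are constructed
for illustration; extend SHELL_PATTERNS for your platform."""
import hashlib
import os
import re
import tempfile

# Illustrative indicators for PHP/JSP/ASP web shells (assumed list, not exhaustive).
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    re.compile(rb"\b(shell_exec|passthru|proc_open|popen|system)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
    re.compile(rb"Runtime\.getRuntime\(\)\.exec\(", re.I),
    re.compile(rb"\bcmd\.exe\b[^\n]*\brequest\b", re.I),
]


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return out


def diff_baseline(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def looks_like_webshell(path):
    """True if the file body matches any web-shell indicator."""
    with open(path, "rb") as fh:
        body = fh.read()
    return any(pat.search(body) for pat in SHELL_PATTERNS)


def scan(root, baseline):
    """Compare root against a stored baseline; return (severity, change, path, reason) tuples."""
    added, modified, removed = diff_baseline(baseline, snapshot(root))
    findings = []
    for rel in added + modified:
        change = "added" if rel in added else "modified"
        if looks_like_webshell(os.path.join(root, *rel.split("/"))):
            findings.append(("CRITICAL", change, rel, "web-shell indicator"))
        else:
            findings.append(("WARN", change, rel, "config drift"))
    for rel in removed:
        findings.append(("WARN", "removed", rel, "config drift"))
    return findings


def demo():
    """Constructed scenario: baseline a clean web root, then an attacker drops a
    shell into cgi/ and the management-interface setting is loosened."""
    root = tempfile.mkdtemp(prefix="edge-www-")
    os.makedirs(os.path.join(root, "cgi"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'portal'; ?>\n")
    with open(os.path.join(root, "cgi", "config.ini"), "w") as fh:
        fh.write("mgmt_iface=internal\n")
    baseline = snapshot(root)  # keep the baseline off-box so a compromised device cannot rewrite it

    with open(os.path.join(root, "cgi", "help.php"), "w") as fh:
        fh.write("<?php eval(base64_decode($_POST['c'])); ?>\n")
    with open(os.path.join(root, "cgi", "config.ini"), "a") as fh:
        fh.write("mgmt_iface=any\n")
    return scan(root, baseline)


if __name__ == "__main__":
    for severity, change, rel, reason in demo():
        print(f"{severity:<8} {change:<8} {rel}  ({reason})")
```

The baseline must live off the appliance (for example, pulled over the management channel after each sanctioned upgrade), otherwise an attacker who owns the device can simply re-baseline. Drift findings are expected after a legitimate patch; the useful signal is a change with no matching change ticket, or any file that trips an indicator.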

4) Reduce credential and session abuse

Ban browser password storage for corporate accounts and block risky session types. Rotate secrets that have been exposed in Git or CI/CD pipelines. Implement short-lived tokens and ensure session revocation follows any risk event. Remember: nearly 94 billion cookies and tokens are in circulation, creating significant cybersecurity risks.
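Short-lived tokens and revocation that follows a risk event are the two mechanics that make a leaked cookie worthless. The block below is an added example, not NordLayer's code or an IdP's API: a minimal session service that issues HMAC-signed tokens with a fixed lifetime, verifies them, revokes a single session, and invalidates every session a user holds once a risk event (for instance, that user's credentials appearing in an infostealer log) is recorded. The signing key, the 15-minute lifetime and the shape of the risk-event hook are assumptions; in production the same logic is enforced by the identity provider or access gateway rather than hand-rolled.

```python
"""Added example, not code from NordLayer or the page's sources: a minimal
session service with short-lived HMAC-signed tokens, per-session revocation and
a per-user 'not before' cut-off that kills every outstanding session on a risk
event.  Key, lifetime and the risk-event trigger are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class SessionService:
    def __init__(self, key, ttl_seconds=900):
        self._key = key
        self._ttl = ttl_seconds
        self._revoked_sids = set()   # individually revoked session ids
        self._not_before = {}        # user -> tokens issued before this instant are dead

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _claims(token):
        return json.loads(base64.urlsafe_b64decode(token.split(".", 1)[0]))

    def issue(self, user, now=None):
        """Return '<base64 claims>.<hmac>' valid for ttl_seconds from now."""
        now = time.time() if now is None else now
        claims = {"sub": user, "sid": secrets.token_hex(8), "iat": now, "exp": now + self._ttl}
        payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return f"{payload}.{self._sign(payload)}"

    def verify(self, token, now=None):
        """Return (ok, reason, claims); every rejection path names why it failed."""
        now = time.time() if now is None else now
        parts = token.split(".", 1)
        if len(parts) != 2:
            return False, "malformed", None
        payload, sig = parts
        if not hmac.compare_digest(sig, self._sign(payload)):   # check the MAC before parsing anything
            return False, "bad signature", None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if now >= claims["exp"]:
            return False, "expired", claims
        if claims["sid"] in self._revoked_sids:
            return False, "revoked", claims
        if claims["iat"] < self._not_before.get(claims["sub"], 0.0):
            return False, "revoked by risk event", claims
        return True, "ok", claims

    def revoke_session(self, token):
        """Kill one session (user logout, lost device)."""
        self._revoked_sids.add(self._claims(token)["sid"])

    def risk_event(self, user, now=None):
        """Kill every session the user holds: anything issued before 'now' fails verify()."""
        self._not_before[user] = time.time() if now is None else now


if __name__ == "__main__":
    svc = SessionService(b"demo-key-rotate-me", ttl_seconds=900)
    t0 = time.time()
    tok = svc.issue("alice", now=t0)
    print(svc.verify(tok, now=t0 + 60)[1])          # ok
    svc.risk_event("alice", now=t0 + 120)           # e.g. alice's creds seen in a stealer log
    print(svc.verify(tok, now=t0 + 130)[1])         # revoked by risk event
    print(svc.verify(svc.issue("alice", now=t0 + 121), now=t0 + 130)[1])   # ok: re-authenticated after the event
```

The per-user "not before" timestamp is what makes the infostealer case tractable: you do not need to know which cookies leaked, only that the user's credentials were exposed; everything minted before that instant is dead, and the user must re-authenticate (with phishing-resistant MFA) to get a fresh one.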

5) Implement Zero Trust to secure SaaS applications

Use SSO everywhere and enable device-trust checks. Disable local accounts. Deny new connected apps by default. Restrict API access to approved applications and IPs. Require high-assurance sessions for data exports or downloads. Monitor for abnormal data pulls and new application grants, which can signal impending data breaches.

6) Segment networks to protect data

Apply least-privilege principles and micro-segmentation to isolate crown-jewel systems and sensitive data. Enforce "green zone" rules for administration. Disable lateral movement protocols (like SMB, RDP, and WinRM) by default and enforce just-in-time elevation for access.

7) Build an Isolated Recovery Environment (IRE)

Stand up a logically and physically separated enclave with immutable backups, one-way data replication, a separate identity provider, and console-only remediation workflows. Rehearse the rebuild of critical services quarterly. This is a crucial step in a modern data protection strategy, as attackers now target backups as a matter of course.

8) Instrument detection on edge, identity, and SaaS

Turn on and retain logs for VPN/edge devices, IdP risk signals, and SaaS export events. Create detections for high-risk changes (like MFA enrollment), new connected apps, and bulk data access. Centralize this telemetry to speed up your mean time to detect incidents.
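The three detections named here, and the "monitor for abnormal data pulls and new application grants" point under item 5, share one shape: a rule over an audit stream. The following is an added example, not NordLayer's code or any vendor's detection content. It runs three rules over constructed IdP/SaaS audit events: an MFA enrollment or reset from an unmanaged device or a never-seen IP, a grant to a connected app that is not on the allow-list, and an actor exceeding a bulk-export row threshold within a sliding window. The event names, field names, allow-list and thresholds are assumptions to be mapped onto your IdP's and SaaS platform's real log schema.

```python
"""Added example, not code from NordLayer or the page's sources: rule-based
detections over IdP and SaaS audit events for MFA factor changes from an
untrusted context, grants to connected apps outside an allow-list, and bulk
data export.  Event schema, field names, allow-list and thresholds are
assumptions; the log lines are constructed."""
import json
from collections import defaultdict

APPROVED_APPS = {"corp-sso-connector", "backup-exporter"}   # assumed allow-list
BULK_ROWS = 50_000       # rows one actor may pull per WINDOW before alerting
WINDOW = 3600            # seconds

# Constructed audit trail, one JSON event per line (not from any real tenant).
SAMPLE_LOG = """\
{"ts": 1000, "event": "mfa.enroll", "actor": "bob", "device_managed": true, "ip_new": false}
{"ts": 1200, "event": "mfa.reset", "actor": "alice", "device_managed": false, "ip_new": true}
{"ts": 1300, "event": "app.grant", "actor": "alice", "app": "corp-sso-connector", "scopes": ["profile"]}
{"ts": 1350, "event": "app.grant", "actor": "alice", "app": "My Ticket Portal", "scopes": ["api", "refresh_token", "full"]}
{"ts": 1400, "event": "data.export", "actor": "alice", "app": "My Ticket Portal", "rows": 20000}
{"ts": 1900, "event": "data.export", "actor": "alice", "app": "My Ticket Portal", "rows": 20000}
{"ts": 2400, "event": "data.export", "actor": "alice", "app": "My Ticket Portal", "rows": 20000}
{"ts": 9000, "event": "data.export", "actor": "carol", "app": "backup-exporter", "rows": 30000}
"""


def parse_lines(text):
    """JSON-lines -> list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (ts, severity, message) alerts in time order."""
    alerts = []
    exports = defaultdict(list)   # actor -> [(ts, rows)] inside the sliding window
    bulk_alerted = set()          # actors already reported, to avoid one alert per export
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["event"]
        if kind in ("mfa.enroll", "mfa.reset"):
            # A factor change from an unmanaged device or a never-seen IP is the
            # help-desk / vishing pattern; alert regardless of who approved it.
            if not e.get("device_managed", False) or e.get("ip_new", False):
                alerts.append((e["ts"], "HIGH", f"{kind} for {e['actor']} from unmanaged device or new IP"))
        elif kind == "app.grant":
            if e["app"] not in APPROVED_APPS:
                alerts.append((e["ts"], "HIGH",
                               f"unapproved connected app '{e['app']}' granted {e['scopes']} by {e['actor']}"))
        elif kind == "data.export":
            hist = [(t, r) for t, r in exports[e["actor"]] if e["ts"] - t <= WINDOW]
            hist.append((e["ts"], e["rows"]))
            exports[e["actor"]] = hist
            total = sum(r for _, r in hist)
            if total >= BULK_ROWS and e["actor"] not in bulk_alerted:
                bulk_alerted.add(e["actor"])
                alerts.append((e["ts"], "MEDIUM",
                               f"bulk export: {e['actor']} pulled {total} rows in {WINDOW}s via '{e['app']}'"))
    return alerts


def run():
    """Run the rules over the constructed log."""
    return detect(parse_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, sev, msg in run():
        print(f"{ts:>6} {sev:<6} {msg}")
```

On the constructed log the three alerts line up into one story: a factor reset from an untrusted context, a grant to an unknown app with API and refresh-token scopes, then exports through that same app. Correlating them by actor and app is what turns three medium-confidence signals into the Salesforce-style connected-app theft described earlier; the bulk-export rule on its own would also fire for a legitimate backup job unless, as here, the exporting app is on the allow-list.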

9) Prepare and drill extortion playbooks

Define criteria for system isolation, communications, law-enforcement engagement, and customer notification. Practice the decision points (pay vs. rebuild), validate data-theft evidence, and test your out-of-band coordination channels before you need them.

10) Strengthen third-party risk governance

Move beyond questionnaires. Require technical controls like MFA, SSO, and device posture checks in your vendor contracts. Monitor vendor security telemetry. Constrain partner connectivity with context-aware access and network segmentation. Plan for vendor failover where feasible.

Key insights from 2025’s cybersecurity statistics

Cybersecurity statistics from 2025 reveal that attackers follow the path of least resistance. Modern cyber-attacks target the network edge, user identity, and third-party services.

While ransomware attacks persist, their goal is increasingly data theft and operational pressure. The root causes remain familiar: phishing attacks, human error, and weak access management, though tactics now include using Google Calendar for command-and-control and abusing app-specific passwords.

In response to these threats, cybersecurity budgets are shifting away from perimeter appliances. The most effective security spending now focuses on Zero Trust, identity security, and resilience through faster patching, posture-aware access, and immutable backups.

NordLayer aligns with the controls highlighted above. It applies a Zero Trust model that uses identity-based, least-privilege access to block cyber threats from unmanaged devices and weak credentials. By integrating with identity providers like Okta and Microsoft Entra ID, it supports strong MFA to help prevent social engineering and account abuse. The platform also creates secure tunnels with DNS filtering and Secure Web Gateway capabilities, which help reduce exposure to phishing attacks and malware.

These central policy checks for device health and user access protect against insider threats. Adopting this approach with strong identity hygiene and a tested recovery plan may help change next year's statistics in your favor.
