Data Breach

    Published: February 19, 2026

    Updated: February 19, 2026

    What Is A Data Breach?

    A data breach occurs when unauthorized individuals gain access to information that should have stayed locked down: customer records, financial data, intellectual property, employee files, login credentials, and anything else an organization is responsible for protecting.

    These breaches don’t always require sophisticated hacking. Some stem from exploited software vulnerabilities or carefully crafted phishing campaigns, but others result from something as mundane as an employee emailing a spreadsheet to the wrong person or a developer leaving cloud storage open to the public internet. 

    Regardless of how they happen, the financial damage is severe: the global average cost of a data breach reached $4.4 million in 2025, with U.S. companies facing losses averaging $10.22 million per incident.

    What makes breaches especially dangerous, though, is how quickly they escalate. A single compromised password can unlock an entire corporate network. A single misconfigured server can expose millions of records overnight.

    A breach at a trusted vendor can ripple outward and compromise dozens of its customers simultaneously. In other words, every overlooked vulnerability is a potential doorway to catastrophic, compounding loss.

    How Does A Data Breach Happen — Lifecycle of a Data Breach

    A data breach occurs when sensitive information is exposed to unauthorized parties, whether through hacking, leaking, or accidental exposure. Most breaches follow a predictable chain of events.

    The eight stages below walk you through a typical data breach lifecycle, so you can see exactly how attackers operate and where defenses need to hold.

    1. Attackers Choose Their Target

    Every breach begins with reconnaissance. Attackers identify exposed services, reachable applications, and high-value users by scanning vulnerable servers, mapping network infrastructure, and researching employees on platforms like LinkedIn and GitHub. 

    They look for publicly exposed admin panels, outdated software versions, leaked credentials in paste sites, and organizational details that reveal which departments handle sensitive data.

    This phase is almost invisible to defenders because reconnaissance looks like normal internet traffic. Automated scanning tools probe thousands of targets simultaneously, and open-source intelligence gathering leaves no trace in server logs. 

    The speed is staggering: attackers typically start scanning for newly announced vulnerabilities within 15 minutes of a CVE being published (Unit 42). By the time most organizations even learn about a new vulnerability, attackers have already mapped who is exposed.

    2. Getting Inside The Network

    Initial access is the moment an external threat becomes an internal presence. A single successful phishing email, an unpatched server flaw, a compromised vendor credential, or an exposed API endpoint can give attackers their foothold within minutes. 

    Among breaches that don’t stem from errors or insider misuse, credential abuse accounts for 22% of known initial access vectors, making stolen or guessed passwords one of the most reliable ways in.

    Attackers also exploit publicly facing applications with known vulnerabilities, abuse valid accounts purchased from initial access brokers on underground markets, and target remote access services like VPNs and RDP that are exposed to the internet. 

    Some campaigns bypass technical controls entirely through social engineering, convincing employees to install malware disguised as legitimate software updates or business documents. Organizations that rely on perimeter defenses alone often miss this stage entirely because the attacker enters using what looks like a legitimate credential or connection.

    3. Expanding Access Through Weak Controls

    Once inside, attackers rarely stay where they landed. They immediately begin probing for authorization gaps that let them reach restricted data and functions beyond their initial foothold. 

    They abuse broken access controls in web applications and APIs, testing every endpoint for misconfigurations that allow low-privilege accounts to access admin panels, customer databases, or internal services they were never meant to reach.

    This stage exploits the reality that most organizations have far more access control flaws than they realize. OWASP recorded over 318,000 occurrences of broken access control in its contributed dataset alone (OWASP Top 10). 

    Attackers enumerate user roles, test for insecure direct object references, manipulate API parameters, and look for functions that fail to enforce authorization checks on the server side. 

    They also target service accounts and shared credentials that often carry excessive permissions and are rarely monitored. Because these actions use legitimate application features rather than malware, they blend seamlessly into normal traffic and generate few alerts.

    4. Gaining Administrator Privileges

    Privilege escalation transforms a limited compromise into full administrative control. Attackers escalate from low-privilege accounts to domain admin or root access through password reuse, stolen authentication tokens, unpatched local vulnerabilities, or misconfigurations in group policies and permission hierarchies.

    Once they reach administrative privileges, they can disable monitoring tools, delete or tamper with logs, modify security configurations, and access resources across the entire network without restriction.

    This stage is often the point of no return. Elevation of privilege accounted for 40% of all Microsoft vulnerabilities in 2023 (BeyondTrust). Attackers exploit techniques like Kerberoasting, pass-the-hash, token impersonation, and abuse of misconfigured Active Directory delegation settings.

    In cloud environments, they target IAM role misconfigurations, overly permissive policies, and metadata services that leak temporary credentials.

    Organizations that lack privileged access management, fail to enforce least-privilege principles, or don’t monitor authentication anomalies often have no idea that an attacker has achieved full control until the damage is already done.

    5. Moving Toward The Real Target

    With elevated privileges in hand, attackers pivot through multiple systems to reach the assets that matter most. 

    They hop from server to server, workstation to workstation, using compromised credentials, remote management tools, and trusted internal protocols while appearing as legitimate network traffic. 

    Each lateral step brings them closer to databases, file servers, email systems, and cloud storage containing the data they came for.

    The speed of lateral movement defines how much time defenders have to respond. CrowdStrike reported an average eCrime breakout time of just 48 minutes in 2024, giving security teams less than an hour to detect and contain an intrusion before it spreads across network segments. 

    Attackers use built-in system tools like PowerShell, WMI, RDP, and SSH that don’t trigger antivirus alerts because they are legitimate administration tools. They map internal networks, identify domain trusts, and target systems where they expect high-value data to reside. 

    Flat network architectures without segmentation allow attackers to move freely once they breach any single point, turning a localized compromise into an enterprise-wide incident.

    6. Finding And Collecting Valuable Data

    Before any data leaves the network, attackers need to find it. They use automated tools and manual searching to locate customer records, login credentials, financial data, intellectual property, health records, and anything else with resale value or extortion potential across compromised systems. 

    Mandiant observed file and directory discovery in 34.2% of its 2024 investigations, highlighting how consistently attackers invest time in cataloging what an organization has before deciding what to steal.

    Attackers query databases directly, search file shares for documents containing keywords like “confidential,” “password,” or “SSN,” scan email archives for sensitive communications, and access cloud storage repositories. 

    They stage the collected data in a central internal location, compressing and sometimes encrypting it to prepare for extraction. Because attackers copy rather than delete data during this phase, systems continue to function normally and no users lose access to their files. 

    This makes discovery-stage activity exceptionally difficult to detect without data loss prevention tools, database activity monitoring, or anomaly detection on file access patterns.

    7. Stealing The Data

    Stealing the data, also known as exfiltration, is the stage where the breach becomes irreversible. Data leaves the organization through transfers to attacker-controlled external servers, uploads to compromised cloud accounts, tunneling through encrypted channels, or even physical methods like USB drives.

    Mandiant identified evidence of data theft in 37% of its 2024 investigations, and the true figure is likely higher since many exfiltration events go undetected entirely.

    Attackers disguise outbound data transfers by using common protocols like HTTPS, DNS tunneling, or legitimate cloud services such as file-sharing platforms and code repositories that security tools rarely block. They often schedule transfers during off-hours or throttle bandwidth to avoid triggering volume-based alerts. 

    Once exfiltrated, data gets encrypted for ransom, sold on underground markets, used for identity theft, leveraged for competitive advantage, or leaked publicly to pressure payment. 

    There is no guaranteed way to retrieve every copy once data leaves organizational control, and the downstream consequences can cascade for years as stolen information circulates, gets repackaged, and gets resold across criminal ecosystems.

    8. Maintaining Access For Future Attacks

    A breach does not end when the attacker gets what they came for. Sophisticated threat actors install backdoor accounts, deploy remote access trojans, plant web shells on internet-facing servers, modify scheduled tasks, and embed compromised credentials across multiple systems to ensure they can return even after the initial vulnerability is patched and the immediate incident is declared resolved.

    Mandiant reported a global median dwell time of 11 days in 2024, meaning attackers typically operate inside compromised networks for nearly two weeks before detection. 

    That extended window gives them ample time to entrench so deeply that complete removal may require rebuilding entire systems, reimaging servers, rotating every credential in the environment, and auditing every configuration change made during the compromise period. 

    Organizations that focus only on closing the initial entry point without conducting a thorough investigation of persistence mechanisms often discover weeks or months later that the same attacker has returned through a door they left open.

    Types of Data Breaches

    Data breaches come in many forms, but they all exploit one thing: gaps in your defenses that leave sensitive information exposed.

    The most typical security breaches include:

    1. Social Engineering

    Social engineering is a deceptive manipulation tactic where attackers impersonate trusted contacts to trick employees into revealing passwords, opening infected files, or approving fraudulent requests.

    Social engineering accounts for 22% of all breach patterns, proving how effectively attackers weaponize human psychology over technical hacking. Business Email Compromise alone caused $2.77 billion in reported losses, showing how a single convincing email can drain accounts or expose entire networks.

    The damage goes beyond immediate theft. Once attackers gain trust, they can pivot deeper into systems, steal customer data, or launch follow-up attacks that paralyze operations and destroy reputations.

    2. Credential Theft

    Credential theft occurs when attackers steal passwords or session tokens, then log in as legitimate users to access systems undetected.

    Credential abuse is the most common way attackers initially breach organizations. Alarmingly, 30% of stolen credentials come from enterprise-licensed devices, meaning attackers are targeting corporate systems directly, not just personal accounts.

    Once inside, a single compromised login can unlock email accounts, cloud dashboards, financial systems, and confidential databases, spreading damage across your entire infrastructure before anyone realizes the breach has occurred.

    3. Ransomware

    Ransomware is a crippling cyberattack where hackers steal sensitive data, encrypt critical systems, and demand payment to restore access or prevent public exposure of confidential information.

    Ransomware appears in 44% of all breaches, making it one of the most pervasive threats businesses face today. The median ransom demand hits $115,000, yet 64% of victims refuse to pay, often because they know payment doesn’t guarantee recovery.

    Beyond the ransom itself, businesses face devastating operational downtime, costly recovery efforts, regulatory penalties, and long-term trust erosion with customers who question whether their data is safe.

    4. Exploited Vulnerabilities

    Vulnerability exploits happen when attackers target unpatched flaws in internet-facing systems like VPNs, security gateways, and edge devices that protect your network perimeter.

    Vulnerability exploitation now accounts for 20% of initial breach access, with edge devices and VPNs representing 22% of targeted systems. Worse, only 54% of edge device vulnerabilities get fully patched, with a median response time of 32 days, an eternity when attackers can infiltrate in minutes.

    Delayed patching creates a dangerous window where attackers can establish footholds, steal credentials, and move laterally through networks before security teams even detect the intrusion.

    5. Web Application Attacks

    Web application breaches occur when attackers exploit weaknesses in login systems, access controls, or poorly secured endpoints to manipulate websites and steal data.

    Basic web application attacks account for 9% of breach patterns, while API security issues represent 10% of cloud security incidents, showing how modern digital infrastructure creates new attack surfaces that traditional defenses struggle to protect.

    These breaches can expose customer accounts, payment information, and proprietary business data, while also allowing attackers to inject malicious code that compromises every user who visits the site. Web app penetration testing usually helps reduce the risk of such attacks.

    6. Accidental Disclosure

    Accidental disclosure breaches happen when employees mistakenly send sensitive data to the wrong recipient, attach incorrect files, or mishandle confidential records.

    End users cause 87% of error-based breaches, with misdelivery accounting for 56% of errors in educational institutions. These aren’t malicious attacks. They’re simple human mistakes that create massive compliance exposure and legal liability.

    The danger lies in how data leaves protected systems entirely without triggering security alerts, potentially landing in competitor hands, public forums, or locations where it can never be fully recovered.

    7. Cloud Misconfigurations

    Cloud misconfigurations occur when storage systems, identity controls, or network settings accidentally grant unintended access to sensitive data hosted in the cloud.

    A staggering 61% of organizations experienced cloud security incidents in the past year, with configuration errors causing 12% of incidents and data security breaches leading at 21%, proving that rapid cloud adoption is outpacing security expertise.

    Once misconfigured data becomes internet-accessible, attackers move fast to exfiltrate files before detection, stealing everything from customer records to intellectual property that took years to develop.

    8. Third-Party Compromises

    Third-party breaches happen when attackers compromise a vendor, supplier, or software provider, then use that trusted relationship to infiltrate customer networks or steal hosted data.

    Breaches involving third parties doubled from 15% to 30% of all incidents, showing how interconnected business relationships create cascading vulnerabilities. When attackers steal credentials from a GitHub repository, it takes a median of 94 days to remediate, meaning months of exposure across multiple organizations.

    A single compromised vendor can become a gateway to dozens of customer environments, multiplying the attack’s impact and making containment nearly impossible once the breach spreads.

    9. Shadow AI and Tool Leakage

    Shadow AI breaches occur when employees paste sensitive data into unauthorized AI tools, external services, or personal accounts that lack proper security controls.

    Alarmingly, 15% of employees regularly use generative AI systems on corporate devices, with 72% accessing them through personal email accounts that bypass company security. Worse, 17% use corporate emails without integrated authentication, creating unmonitored data flows.

    Confidential information, from financial projections to customer lists, persists in third-party platforms and logs indefinitely, creating long-term exposure that’s difficult to track, retrieve, or delete once it leaves your control.

    How To Prevent A Data Breach

    Preventing data breaches requires layered defenses that reduce unauthorized access, limit exposure, and shorten the time attackers can operate undetected. 

    Here are the highest-impact strategies most organizations can implement immediately: 

    1. Train Employees on Cybersecurity Best Practices

    Breach prevention starts with your people. Before investing in advanced security tools, organizations need to address the everyday human actions that open the door to attackers in the first place.

    Educate employees on how to recognize phishing emails, handle sensitive data properly, report suspicious activity, and follow established security protocols.

    Human error is responsible for 87% of error-based breaches, and social engineering accounts for 22% of all breach patterns because it’s often far easier to trick someone into clicking a malicious link than it is to break through firewalls and encryption.

    A single deceived employee can give an attacker the foothold they need to compromise an entire network.

    Regular, ongoing training changes that equation.

    When employees know what threats look like and how to respond, they stop being easy targets and start functioning as your first line of defense, building a culture where protecting data becomes a shared responsibility rather than something only the IT department thinks about.

    2. Set Up MFA and Strengthen Access Controls

    Stolen credentials are the single most common way attackers gain initial access in data breaches.

    Once they have a valid username and password, they can walk right through the front door with what appears to be legitimate access, bypassing perimeter defenses and security monitoring entirely.

    Start by requiring multi-factor authentication across all critical systems so that a stolen password alone isn’t enough to gain access.

    Then eliminate weak authentication patterns by blocking reused passwords and checking credentials against known breach databases.

    If a password has already appeared in a credential dump, it’s only a matter of time before an attacker tries it against your systems.
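    The breach-database check described above, as an added example that is not from the original article: the client hashes the password locally and sends only a five-character hash prefix (the k-anonymity range-query pattern), so neither the password nor its full hash leaves the client. The breach corpus here is a small constructed dictionary standing in for a real range-query service.

```python
import hashlib


def sha1_hex(text: str) -> str:
    """Upper-case SHA-1 hex digest, the form range-query breach services use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: passwords seen in credential dumps
# and how many times each appeared. A real deployment would query a service
# such as a range-query API; this local index keeps the example offline.
KNOWN_BREACHED = {"password": 9_000_000, "Welcome2024!": 1_200, "letmein": 500_000}
_BREACH_INDEX = {sha1_hex(p): n for p, n in KNOWN_BREACHED.items()}


def range_lookup(prefix: str) -> dict:
    """Server side of a k-anonymity range query: the caller sends only the first
    five hex characters of the hash and gets back every known suffix under that
    prefix with its breach count. The server never learns the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:]: n for h, n in _BREACH_INDEX.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)


def check_password(password: str, min_length: int = 12) -> tuple:
    """Returns (accepted, reason). Rejects short passwords and any password that
    has already appeared in known breach data, the check the section describes."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password)
    if n:
        return False, f"appeared {n} times in known breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Welcome2024!", "correct-horse-battery-staple-2026"):
        print(pw, check_password(pw))
```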

    Access controls deserve equal attention, particularly around administrator accounts.

    A compromised admin credential can unlock entire networks, disable security tools, erase audit logs, and allow data exfiltration across every connected resource.

    Organizations should reduce standing admin privileges to the absolute minimum, granting elevated access only when needed and revoking it immediately after.

    3. Back Up Critical Data With Testing

    Ransomware now appears in 44% of breaches, and attackers are increasingly targeting backup systems first. By destroying or encrypting an organization’s recovery options before deploying ransomware, they eliminate every alternative to paying the ransom, giving themselves maximum leverage.

    This is why backups need to be isolated from production networks entirely. If your backups sit on the same infrastructure as the systems they’re meant to protect, a single attack can wipe out both at once.

    Keep protected copies in environments that attackers can’t reach through lateral movement, and ensure at least one backup exists offline or in immutable storage.

    Just as important, test your restore procedures regularly. Untested backups fail when they’re needed most, leaving organizations facing impossible choices between paying ransoms, accepting permanent data loss, or spending weeks manually reconstructing operations from incomplete records.

    A backup that can’t be restored under pressure isn’t a backup at all.

    4. Manage Third-Party Risk

    Third-party breaches have doubled in recent years, jumping from 15% to 30% of all incidents. Attackers have learned that compromising a single vendor can give them access to dozens of customer organizations at once through shared access points and trusted network connections.

    Rather than attacking each target individually, they exploit one weak link in the supply chain and let that access cascade outward.

    What makes these breaches especially difficult to detect is that the traffic looks legitimate. When an attacker operates through a compromised vendor’s existing connections, their activity blends in with normal partner communications and bypasses security controls designed to flag outside threats.

    Organizations should limit third-party access to only the systems a vendor genuinely needs, evaluate supplier security controls before granting any access, and continuously monitor supply chain risks across all products and services.

    Treating every vendor relationship as a potential attack surface, and requiring independent assurance such as a SOC 2 report from critical suppliers, reduces the risk that a partner’s weakness becomes your own.

    5. Monitor Network Traffic for Anomalies

    Without solid monitoring in place, most organizations don’t discover a breach until something forces it to the surface: a customer complaint, a regulatory inquiry, a ransom note. By that point, attackers have had free rein for months.

    The numbers confirm this. When detection capabilities are weak, the average breach takes 292 days to identify and contain, nearly ten months for an attacker to explore your network, steal data, and dig in deep enough that removal becomes its own project.

    Comprehensive logging and alerting cuts that window dramatically. Collect security logs from critical systems and set up alerts for the kinds of activity that signal an attacker is already inside: privilege escalation, unusual login patterns, bulk data access.

    These aren’t theoretical warning signs. They’re the exact behaviors that show up in breach after breach, and catching them early is what separates a contained incident from a front page story.

    Don’t overlook log integrity either. Sophisticated attackers will try to erase or alter audit trails to cover their movements, and if they succeed, your incident response team loses the ability to piece together what actually happened and how far the damage extends.
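    The three alert types named above (privilege escalation, unusual login patterns, bulk data access) as detection logic run over sample log lines; this is an added example, not code from the article. The key=value log format, the group names, and the thresholds are assumptions, and the log lines are constructed.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; adjust to the environment.
PRIVILEGED_GROUPS = {"Domain Admins", "sudo", "wheel"}
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
BULK_ROWS, BULK_WINDOW = 10_000, timedelta(minutes=5)

# Constructed sample log (ISO timestamp followed by key=value pairs), not real data.
SAMPLE_LOG = """\
2026-02-19T02:13:05Z host=vpn01 event=login user=alice src=203.0.113.7 result=fail
2026-02-19T02:13:09Z host=vpn01 event=login user=alice src=203.0.113.7 result=fail
2026-02-19T02:13:14Z host=vpn01 event=login user=alice src=203.0.113.7 result=fail
2026-02-19T02:13:20Z host=vpn01 event=login user=alice src=203.0.113.7 result=fail
2026-02-19T02:13:27Z host=vpn01 event=login user=alice src=203.0.113.7 result=fail
2026-02-19T02:13:33Z host=vpn01 event=login user=alice src=203.0.113.7 result=success
2026-02-19T02:40:01Z host=dc01 event=group_change actor=alice user=svc-backup group="Domain Admins"
2026-02-19T03:02:10Z host=db01 event=db_read user=svc-backup table=customers rows=4000
2026-02-19T03:03:55Z host=db01 event=db_read user=svc-backup table=customers rows=4000
2026-02-19T03:05:30Z host=db01 event=db_read user=svc-backup table=customers rows=4000
2026-02-19T09:15:00Z host=vpn01 event=login user=bob src=198.51.100.4 result=success
2026-02-19T09:20:00Z host=db01 event=db_read user=bob table=orders rows=120
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict; shlex keeps quoted values intact."""
    ts, *pairs = shlex.split(line)
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(log_text: str) -> list:
    """Single pass over the log, keeping sliding windows per user/source."""
    alerts = []
    fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    reads = defaultdict(deque)   # user -> (timestamp, rows) of recent reads
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        ev, ts = r.get("event"), r["ts"]
        if ev == "login":
            # Unusual login pattern: a burst of failures followed by a success.
            q = fails[(r["user"], r["src"])]
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if r["result"] == "fail":
                q.append(ts)
            elif len(q) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "user": r["user"],
                               "src": r["src"], "ts": ts, "failures": len(q)})
                q.clear()
        elif ev == "group_change" and r.get("group") in PRIVILEGED_GROUPS:
            # Privilege escalation: membership granted to a privileged group.
            alerts.append({"rule": "privilege_escalation", "user": r["user"],
                           "actor": r.get("actor"), "group": r["group"], "ts": ts})
        elif ev == "db_read":
            # Bulk data access: rows read by one user inside the window.
            q = reads[r["user"]]
            q.append((ts, int(r["rows"])))
            while q and ts - q[0][0] > BULK_WINDOW:
                q.popleft()
            total = sum(n for _, n in q)
            if total > BULK_ROWS:
                alerts.append({"rule": "bulk_data_access", "user": r["user"],
                               "rows": total, "ts": ts})
                q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```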

    6. Run Enterprise Patch Programs

    Every time a vulnerability is publicly disclosed, a clock starts ticking. Attackers routinely move from reading a disclosure to actively exploiting the flaw in days, sometimes hours.

    Unpatched vulnerabilities account for 20% of initial breach access, and the frustrating reality is that fixes already exist for these flaws. The gap between a patch being available and actually being deployed is essentially a window where organizations are vulnerable by choice.

    Set clear time targets for how quickly critical, high, and medium severity patches get applied. Automate deployment wherever practical so patching doesn’t depend on someone remembering to do it, and verify installation afterward to make sure nothing slipped through.

    The goal isn’t perfection. It’s closing that window fast enough that attackers move on to easier targets.

    7. Lock Down Internet-Facing Systems

    Anything connected directly to the internet is going to get probed. That’s not a possibility, it’s a certainty. Edge devices and VPNs are particularly attractive targets, representing 22% of exploited vulnerability targets because they combine direct internet exposure with elevated privileges.

    A misconfigured remote access portal or a forgotten test server can hand an attacker everything they need to bypass your firewall and pivot into internal systems within hours.

    Reduce the number of exposed services to the bare minimum. Audit access control configurations regularly and apply secure defaults rather than relying on teams to manually harden every new deployment. If a system doesn’t need to face the internet, it shouldn’t.

    8. Secure Web Applications and APIs

    Modern infrastructure has shifted the attack surface. Basic web application attacks make up 9% of breach patterns, and API security issues cause 10% of cloud security incidents. These aren’t exotic attack vectors.

    They’re the predictable consequence of building customer portals, payment systems, and backend services that are accessible over the internet, often without the same scrutiny that traditional network infrastructure receives.

    Broken access control is the core issue. When server-side authorization isn’t enforced on every request, attackers can manipulate API calls to access other users’ accounts, escalate their own privileges, or pull data from endpoints that were never meant to be publicly reachable.

    The worst part is that these vulnerabilities are automatable. A single attacker can probe thousands of targets simultaneously, which means a flaw that seems minor in isolation can be exploited at massive scale before anyone notices.

    Treat access control as a top engineering priority throughout development and deployment, not something that gets bolted on during a final security review.
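    The broken access control flaws this section and the "Expanding Access Through Weak Controls" stage describe, each shown as a vulnerable handler beside its server-side-enforced counterpart; this is an added example, not code from the article. The users, invoices, roles and handler names are constructed for illustration.

```python
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the server-side authorization check denies a request."""


@dataclass
class User:
    id: int
    role: str      # "customer" or "admin"
    email: str


@dataclass
class Invoice:
    id: int
    owner_id: int
    total: float


# Constructed sample data standing in for a database.
USERS = {
    1: User(1, "customer", "alice@example.com"),
    2: User(2, "customer", "bob@example.com"),
    99: User(99, "admin", "ops@example.com"),
}
INVOICES = {1001: Invoice(1001, 1, 49.99), 1002: Invoice(1002, 2, 1500.0)}


# --- Flaw 1: insecure direct object reference ----------------------------------

def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    # Trusts the id from the request; any logged-in user can read any invoice.
    return INVOICES[invoice_id]


def get_invoice_secure(session_user_id: int, invoice_id: int) -> Invoice:
    user = USERS[session_user_id]
    invoice = INVOICES.get(invoice_id)
    # A missing record and someone else's record get the same answer, so the
    # endpoint cannot be used to enumerate which ids exist.
    if invoice is None or not (user.role == "admin" or invoice.owner_id == user.id):
        raise Forbidden()
    return invoice


# --- Flaw 2: missing function-level authorization -------------------------------

def require_role(role: str):
    """Decorator that enforces the role on the server for every call."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session_user_id: int, *args, **kwargs):
            if USERS[session_user_id].role != role:
                raise Forbidden()
            return fn(session_user_id, *args, **kwargs)
        return wrapper
    return decorator


def list_all_users_vulnerable(session_user_id: int) -> list:
    # The admin panel link is hidden in the UI, but the endpoint itself is open.
    return list(USERS.values())


@require_role("admin")
def list_all_users_secure(session_user_id: int) -> list:
    return list(USERS.values())


# --- Flaw 3: parameter manipulation (mass assignment) ---------------------------

ALLOWED_PROFILE_FIELDS = {"email"}


def update_profile_vulnerable(session_user_id: int, fields: dict) -> User:
    user = USERS[session_user_id]
    for key, value in fields.items():   # a client can send {"role": "admin"}
        setattr(user, key, value)
    return user


def update_profile_secure(session_user_id: int, fields: dict) -> User:
    user = USERS[session_user_id]
    if set(fields) - ALLOWED_PROFILE_FIELDS:
        raise Forbidden()               # reject unexpected fields outright
    for key, value in fields.items():
        setattr(user, key, value)
    return user


def is_denied(fn, *args) -> bool:
    """True when the server-side control refuses the call."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```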

    9. Centralize Logging and Monitoring

    There’s significant overlap between this and monitoring network traffic, but the focus here is architectural. It’s not enough to have logging enabled on individual systems if those logs sit in isolation where no one is correlating them.

    Centralized logging gives security teams a single view across the entire environment, which is what makes it possible to spot patterns that would be invisible when looking at any one system alone.

    The 292-day average time to identify and contain a breach reflects what happens when this capability is missing.

    Attackers move laterally, escalate privileges, and exfiltrate data across multiple systems, and if each of those systems is logging independently with no central aggregation, the full picture never materializes until something catastrophic forces discovery.

    Configure alerts for high-risk activities like privilege escalation and bulk data access, and protect log integrity so that attackers can’t erase the evidence.

    If your logs can be tampered with, your incident response team is working with an incomplete and potentially misleading picture of what actually happened.
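    One way to make tampering with shipped logs detectable, as an added example that is not from the article: the collector chains entries with an HMAC so that an edited, deleted or reordered entry breaks every later MAC, and the last MAC it recorded catches truncation of the tail. The key and the sample records are constructed; the key must live on the collector, not on the host whose logs it protects.

```python
import hashlib
import hmac
import json

# Assumed example key; in practice it is generated, stored only on the collector
# and rotated.
COLLECTOR_KEY = b"assumed-example-key-replace-me"
GENESIS = "0" * 64


def _encode(record: dict) -> str:
    # Canonical JSON so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_entry(chain: list, record: dict, key: bytes = COLLECTOR_KEY) -> dict:
    """Seal a record onto the chain: MAC covers the previous MAC plus the body."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, (prev + _encode(record)).encode(), hashlib.sha256).hexdigest()
    entry = {"seq": len(chain), "prev": prev, "record": record, "mac": mac}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = COLLECTOR_KEY,
                 expected_last_mac: str = None) -> tuple:
    """Returns (ok, index of first bad entry or None).

    expected_last_mac is the MAC the collector last recorded; passing it also
    detects the one edit a chain check alone cannot see, cutting off the tail."""
    if expected_last_mac is not None and (not chain or chain[-1]["mac"] != expected_last_mac):
        return False, len(chain)
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, (prev + _encode(entry["record"])).encode(),
                            hashlib.sha256).hexdigest()
        if entry["seq"] != i or entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, None


def build_sample_chain() -> list:
    """Constructed three-entry chain used by the demo and the checks."""
    chain = []
    for rec in ({"event": "login", "user": "alice", "result": "success"},
                {"event": "group_change", "user": "svc-backup", "group": "Domain Admins"},
                {"event": "db_read", "user": "svc-backup", "rows": 4000}):
        append_entry(chain, rec)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["record"]["group"] = "Users"     # attacker rewrites the escalation entry
    print("edited:", verify_chain(chain))
```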

    10. Prepare Incident Response Plans

    Every organization assumes they’ll handle a breach rationally when it happens. Almost none of them do without preparation.

    The chaos of an active incident (systems going offline, executives demanding answers, customers asking questions) creates pressure that leads to reactive, poorly coordinated decisions that often make things worse.

    Documented response procedures eliminate that uncertainty. Teams should know before a crisis hits who makes which decisions, how containment is handled, when legal and communications get involved, and at what point law enforcement should be contacted.

    That last point matters more than most companies realize: involving law enforcement in ransomware incidents cuts breach costs by roughly $1 million and shaves 16 days off response time. But those benefits only materialize if the decision to engage authorities is already baked into the plan, not debated in real time while systems are burning.

    Run tabletop exercises regularly with the actual stakeholders who would be involved. A plan that lives in a document nobody has read is barely better than no plan at all. Cyber threat intelligence is also a highly effective method that can improve your incident response plan.

    How Bright Defense SOC 2 Consultation Strengthens Data Breach Prevention

    Bright Defense SOC 2 consultation strengthens breach prevention through a continuous compliance program that turns security controls into documented, testable safeguards. We conduct a focused gap analysis and risk assessment to expose weaknesses tied to common breach paths, then help implement strong access controls, vendor oversight, incident response procedures, and business continuity planning.

    With managed compliance automation, security awareness training, phishing simulations, and vCISO guidance, your controls stay active and measurable. The result is reduced breach risk, clearer accountability, and audit-ready proof that your security program works.

    The True Cost Of A Data Breach 

    Analyzing data from 600 organizations impacted by breaches between March 2024 and February 2025, the IBM Cost of a Data Breach Report 2025 explains the financial and operational impact of data breaches across industries.

    • The global average cost of a data breach is $4.44 million. United States breaches average $10.22 million per incident.
    • Malicious insider attacks were the most expensive at $4.92 million per incident. Third party vendor and supply chain compromise followed closely at $4.91 million.
    • Shadow AI added $670,000 to the average breach cost for organizations with high levels of shadow AI. Shadow AI security incidents accounted for 20% of breaches.
    • Organizations that used security AI and automation extensively reduced breach costs by $1.9 million. Extensive use lowered average breach cost to $3.62 million versus $5.52 million with no use.
    • Customer PII was the most targeted data type at 53% of breaches. Intellectual property was the most costly at $178 per record.
    • The mean time to identify and contain a breach is 241 days. Mean time to identify is 181 days and mean time to contain is 60 days.
    • Healthcare remained the costliest industry at $7.42 million per breach. Healthcare breaches took 279 days to identify and contain.

    What Attackers Can Do With Stolen Data

    Stolen data doesn’t just sit in a database. Attackers weaponize it immediately to take over accounts, steal money, impersonate victims, extort organizations, and resell access to other criminals who launch follow-on attacks.

    Here’s how stolen data gets exploited:

    1. Take Over Accounts And Break Into More Systems

    Attackers use stolen usernames, passwords, and login credentials to sign in as legitimate users, then expand access across email accounts, cloud consoles, and internal applications without triggering security alerts.

    Take Over Accounts and Break Into More Systems

    Compromised credentials serve as an initial access vector in 22% of breaches, with credential stuffing attacks representing a median 19% of daily authentication attempts in SSO provider logs, proving how relentlessly attackers try stolen passwords across multiple platforms.

    Once inside, attackers can escalate privileges, steal additional credentials, access confidential data, and move laterally through networks for months before detection, using legitimate access to mask their malicious activity.

    2. Steal Money Through Impersonation And Payment Fraud

    Attackers leverage stolen email access, contact history, and organizational context to impersonate executives, vendors, or finance staff and redirect wire transfers or approve fraudulent payments.

    Steal Money Through Impersonation

    Business Email Compromise caused $2.77 billion in losses during 2024 alone, representing scams executed after attackers compromised email accounts and used real communication patterns to deceive victims into sending money.

    These attacks succeed because stolen emails contain authentic conversations, organizational hierarchies, payment processes, and business relationships that make fraudulent requests nearly impossible to distinguish from legitimate ones.

    3. Commit Identity Theft And Open New Accounts

    Attackers use stolen personal information like Social Security numbers, birth dates, addresses, and credit histories to open fraudulent credit accounts, apply for loans, or abuse existing financial relationships in victims’ names.

    Commit Identity Theft & Open New Accounts

    Identity theft scenarios allow criminals to open new credit cards, take out mortgages, file false tax returns, or access medical services, all while the victim remains unaware until debt collectors appear or credit scores plummet.

    Victims can spend years disputing fraudulent charges, repairing credit damage, and proving they didn’t authorize accounts, while attackers have already moved on to exploit the next batch of stolen identities.

    4. Extort Victims With Data Exposure Threats

    Attackers threaten to publicly release confidential data, customer records, or embarrassing internal communications to pressure organizations into paying ransoms, even when systems aren’t encrypted.

    Extort Victims With Data Exposure Threats

    Ransomware groups increasingly use double extortion tactics, stealing and threatening to post victim data publicly as additional leverage beyond encrypting systems, knowing that data exposure alone can destroy reputations and trigger regulatory penalties.

    The threat of publication creates impossible choices for organizations. Paying doesn’t guarantee deletion, refusing risks public exposure, and either path validates the attacker’s business model while encouraging future attacks.

    5. Sell Stolen Data And Access To Other Criminals

    Attackers monetize stolen data through underground marketplaces and dark web forums, turning a single breach into revenue streams that fund operations and enable countless follow-on attacks by other criminals.

    Attackers Sell Stolen Data to Other Criminals

    Ransomware groups sell stolen data in cybercriminal forums for additional revenue beyond ransom payments, creating secondary markets where credentials, customer databases, and corporate secrets change hands repeatedly.

    Each sale multiplies the damage because new attackers use purchased data to launch fresh campaigns targeting the same victims or related organizations, ensuring stolen information continues causing harm long after the initial breach.

    6. Cause Long-Term Damage After Data Leaves Your Control

    Attackers exploit stolen customer records, internal documents, and proprietary information for sustained fraud campaigns, targeted manipulation, industrial espionage, or competitive advantage that compounds over time.

    Data Breaches Cause Long-Term Reputation Damage

    Once data reaches unauthorized parties, there is no guaranteed method to retrieve every copy. Files get duplicated, shared, archived, and distributed across systems worldwide, making complete remediation functionally impossible.

    Stolen intellectual property can fuel competitor products, leaked customer data enables years of targeted phishing, and exposed strategic plans allow rivals to undercut pricing or poach clients, creating permanent competitive disadvantages that persist indefinitely.

    What Are the Common Data Breach Targets

    Attackers don’t go after data at random. They focus on assets that provide the fastest path to monetization, deeper network access, or extortion leverage.

    Here are the most common targets and why each one matters.

    1. Credentials and Login Information

    A single valid username and password can unlock email accounts, cloud consoles, and internal applications without triggering perimeter defenses.

    Credentials and Login Information

    Attackers who obtain session tokens or authentication artifacts can impersonate legitimate users, hijack active sessions, and operate during normal business hours when their activity blends in with authorized traffic.

    Verizon’s 2025 DBIR found that infostealer credential logs identified 30% of compromised systems as enterprise licensed devices, confirming that workplace logins remain a primary target.

    2. Customer Personal Information

    Customer personally identifiable information (PII) such as Social Security numbers, driver’s license numbers and contact details fuels identity theft, account fraud, and underground market resale.

    It’s the data type attackers encounter most frequently: IBM’s Cost of a Data Breach Report 2025 found that customer PII was involved in 53% of breaches studied.

    Customer Personal Information Breach

    Beyond the immediate theft, compromised customer data triggers mandatory breach notifications, regulatory investigations, litigation exposure, and long-term trust erosion that can follow an organization for years.

    3. Internal Business Documents

    HR files, contracts, strategic plans, source code and operational records give attackers something beyond direct financial gain: leverage.

    When confidential communications or sensitive plans are in an attacker’s hands, they become extortion material that pressures organizations into ransom payments.

    Internal Business Documents

    IBM’s 2025 report found that intellectual property was compromised in 33% of breaches tracked in its data type analysis.

    Internal documents also enable follow-on fraud and competitive intelligence gathering that can cause damage long after the initial breach is contained.

    4. Payment and Financial Data

    Credit card numbers, bank account details, and payment processing credentials support immediate monetization through fraudulent purchases, chargeback abuse, and direct account drains that begin within hours of theft.

    Verizon’s 2025 DBIR Retail Snapshot found that payment data was compromised in 12% of retail breaches analyzed.

    Payment and Financial Data Breach

    The financial damage extends well beyond the initial fraud, with card reissuance costs, fraud investigations, and dispute handling creating downstream losses that persist long after containment.

    5. Medical and Health Records

    Protected health information is uniquely valuable because it contains high density personal information bundled together in a single record: diagnoses, treatment histories, insurance details, and Social Security numbers.

    Medical and Health Records

    This combination supports long term identity theft, insurance fraud, and targeted extortion. Verizon’s 2025 DBIR found that medical data was compromised in 45% of healthcare breaches highlighted in its industry analysis.

    Unlike a stolen credit card number, a medical history cannot be reissued or replaced, creating permanent privacy harm that outlasts typical financial remediation.

    Read our healthcare data breach statistics article to see verified data on how breaches are impacting hospitals, insurers, and patient records across the industry.

    6. API Keys and Security Secrets

    API keys, encryption keys, access tokens, and service credentials act as digital master keys, granting direct system access that bypasses normal login controls entirely.

    A single leaked key can enable database access, service impersonation, and large scale data extraction that appears completely legitimate at the protocol level.

    API Keys and Security Secrets

    GitGuardian’s State of Secrets Sprawl 2025 report detected 23.8 million new secrets in public GitHub commits in 2024 alone, illustrating how frequently sensitive access material leaks into environments attackers actively monitor.

    7. Internet Facing Systems

    VPNs, security gateways, and edge devices sit at the network perimeter, and that positioning makes them high leverage targets.

    Compromising a single exposed edge system can give attackers a pivot point into internal services that were never designed to be reachable from the internet.

    Internet-Facing Systems Breach

    Verizon’s 2025 DBIR found that edge devices and VPNs accounted for 22% of targets in its exploitation of vulnerabilities analysis, highlighting how often the infrastructure meant to protect a network becomes the doorway to the largest data breach an organization has ever faced.

    8. Web Applications & APIs

    Authorization flaws and insecure direct object access in web applications let attackers expose large datasets quickly with no malware deployment required.

    Web Applications and APIs

    A single access control failure can expose entire customer databases through automated enumeration of predictable identifiers and weak server side checks.

    OWASP’s Top 10 (2021) recorded over 318,000 occurrences of Broken Access Control in its contributed dataset, reinforcing how common authorization failures remain in real world application testing.
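    To make the access control failure described above concrete, here is an added example (not code from the original article) with a record lookup that authenticates but never authorizes, beside a hardened version that enforces ownership on the server and uses opaque public identifiers. The customer table, user names and handler names are constructed for illustration.

```python
import secrets


class NotFound(Exception):
    """Raised for both 'no such record' and 'not your record', so the response does
    not reveal whether a guessed id exists."""


# Constructed sample data standing in for a customers table keyed by a
# sequential primary key.
CUSTOMERS = {
    1001: {"owner": "alice", "email": "alice@example.com"},
    1002: {"owner": "bob", "email": "bob@example.com"},
    1003: {"owner": "carol", "email": "carol@example.com"},
}


def get_customer_vulnerable(session_user, customer_id):
    """The flaw: the request is authenticated (session_user is set) but the id taken
    from the URL is never tied to that user, so any signed-in user can read any
    record, and sequential ids put the whole table within reach."""
    if session_user is None:
        raise PermissionError("login required")
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        raise NotFound()
    return rec


def get_customer_hardened(session_user, customer_id):
    """The fix: a server-side ownership check on every request, with the same
    response for 'missing' and 'not yours'."""
    if session_user is None:
        raise PermissionError("login required")
    rec = CUSTOMERS.get(customer_id)
    if rec is None or rec["owner"] != session_user:
        raise NotFound()
    return rec


# Opaque public identifiers: URLs carry a random token and the sequential key
# stays internal, so neighbouring records cannot be reached by counting. This
# complements the ownership check rather than replacing it; a token copied from
# a log or browser history is still a valid reference.
PUBLIC_TO_INTERNAL = {secrets.token_urlsafe(16): cid for cid in CUSTOMERS}
INTERNAL_TO_PUBLIC = {cid: tok for tok, cid in PUBLIC_TO_INTERNAL.items()}


def get_customer_by_token(session_user, token):
    """Hardened lookup keyed by the opaque token; the ownership check still runs."""
    cid = PUBLIC_TO_INTERNAL.get(token)
    if cid is None:
        raise NotFound()
    return get_customer_hardened(session_user, cid)


def denied(handler, session_user, key):
    """True when the handler refuses the request with NotFound."""
    try:
        handler(session_user, key)
    except NotFound:
        return True
    return False
```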

    The Impact Of Data Breaches

    Data breaches trigger immediate financial losses, operational disruption, legal exposure, and long-term damage that affects both customers and the organization itself.

    The consequences below show what typically follows once corporate data leaves your control:

    The Impact Of Data Breaches

    1. Financial Costs Hit Immediately

    Direct breach costs include investigation, containment, remediation, legal support, mandatory notifications, and customer support services that drain budgets the moment a breach is discovered.

    IBM’s Cost of a Data Breach Report 2025 puts the global average cost per breach at $4.44 million, with U.S. organizations facing even steeper expenses at $10.22 million per incident. These costs come from forensic investigators, legal counsel, implementing fixes, and crisis communications.

    The financial impact doesn’t stop with response costs. Organizations face lost revenue from system downtime, canceled contracts, insurance premium increases, and long-term stock price damage that persists for years.

    2. Fraud And Theft Losses Multiply

    Stolen identities, credentials, bank account numbers and payment details get immediately weaponized for additional crimes, multiplying financial damage far beyond the initial breach.

    The FBI IC3 reports $16.6 billion in total cybercrime losses for 2024, with $2.77 billion tied to Business Email Compromise alone and $1.45 billion from personal data breach complaints. These figures represent only reported losses, meaning actual damage is likely far higher.

    Each stolen credential or identity can fuel dozens of fraudulent transactions, account takeovers, and selling data on dark web markets, creating cascading financial harm that spreads across victims for months or years.

    3. Operations Grind To A Halt

    Systems must be taken offline for containment, forensic investigation, rebuilds, and enhanced monitoring, forcing organizations to operate with degraded capabilities or complete shutdowns.

    IBM reports a 241 day mean time to identify and contain a breach in the 2025 cohort, meaning organizations often endure months of degraded operations before returning to normal.

    Ransomware attacks can severely disrupt critical infrastructure, causing significant losses when production lines stop, supply chains break, and essential services become unavailable.

    Operational downtime creates compound losses as employees sit idle, revenue stops flowing, delivery commitments get missed, and customers turn to competitors who can actually fulfill orders.

    4. Legal And Regulatory Consequences Follow

    When breached data falls under privacy regulations, the incident triggers mandatory reporting requirements, government investigations, regulatory penalties, and class action lawsuits.

    DLA Piper reports an aggregate EUR 1.2 billion in GDPR fines issued across Europe in 2024 alone, illustrating the scale of regulatory exposure organizations now face.

    Organizations face consequences from multiple regulators simultaneously when breaches cross jurisdictions, creating overlapping compliance obligations and penalty exposure.

    Legal impacts extend for years as litigation drags through courts, settlements get negotiated, and consent orders impose ongoing compliance monitoring that requires sustained investment in controls and auditing.

    5. Customer Trust Evaporates

    Public disclosure of breaches destroys trust as customers, partners, and stakeholders question whether their personal health information and sensitive files are safe.

    Cisco’s 2024 Consumer Privacy Survey found that 75% of consumers say they will not purchase from organizations they do not trust with their data, putting real numbers behind the revenue risk of lost confidence.

    Reputation damage represents a core breach impact because trust, once broken, takes years to rebuild.

    Customers abandon brands they view as careless with personal data, choosing competitors who haven’t suffered public breaches.

    The churn isn’t limited to direct customers. Partners reconsider relationships, vendors demand additional security controls, investors question leadership competence, and talented employees leave for organizations with stronger security reputations.

    6. Security Risks Compound Over Time

    Compromised credentials and vendor access often remain active long after breaches, creating persistent vulnerabilities that enable repeat incidents and follow on attacks.

    Without strong data breach prevention and response strategies, organizations remain exposed indefinitely.

    Verizon’s 2025 DBIR reports ransomware presence in 44% of breaches, third party involvement that doubled from 15% to 30% year over year, and human element involvement near 60%, showing how many data breaches create conditions for additional incidents.

    Organizations that fail to fully remediate root causes face recurring incidents as attackers return through the same entry points and target the same vulnerabilities that enabled the original breach.

    Tools for Data Breach Detection & Response

    Security teams need the right mix of tools for monitoring, investigation, containment, and recovery. Here’s a streamlined guide to the key categories and leading solutions.

    1. Centralized Logging & SIEM

    Aggregate logs from every corner of your environment, including servers, endpoints, cloud services, and network devices, then correlate those events in real time to surface attack patterns and anomalies that would otherwise go unnoticed.

    Without centralized logging in place, security teams are effectively operating blind, unable to piece together the full picture of what’s happening across their infrastructure.

    Tools: Splunk Enterprise Security · Microsoft Sentinel · IBM QRadar

    2. Endpoint Detection & Response (EDR/XDR)

    Continuously monitor endpoint devices for signs of malicious processes, credential theft, lateral movement, and other indicators of compromise at the host level.

    These solutions provide deep visibility into what’s actually executing on your machines, dramatically reducing detection time from what used to take months down to just minutes, giving your team the speed advantage they need to contain threats before they spread.

    Tools: CrowdStrike Falcon · Microsoft Defender for Endpoint · SentinelOne Singularity

    3. Network Detection & Response (NDR)

    Analyze network traffic patterns and communications flows to identify lateral movement, data exfiltration attempts, and command-and-control channels that often slip past traditional endpoint defenses entirely.

    NDR solutions fill a critical visibility gap by watching what moves between systems, catching threats that are specifically designed to evade host-based detection tools.

    Tools: Vectra AI · Darktrace · ExtraHop Reveal(x)

    4. Identity Threat Detection & Response (ITDR)

    Detect and respond to suspicious sign-in activity, credential stuffing campaigns, privilege escalation, and identity misuse across your authentication infrastructure.

    Given that credential abuse accounts for roughly 22% of initial breach access, protecting the identity layer has become one of the most important, and frequently overlooked, areas of modern security operations.

    Tools: Microsoft Entra ID Protection · Okta ThreatInsight · CrowdStrike Identity Protection

    5. Security Orchestration & Automation (SOAR)

    Automate the triage of incoming alerts, execute predefined response playbooks, and coordinate complex multi-tool workflows that would otherwise require tedious manual effort.

    SOAR platforms cut critical hours from your incident response timelines by handling the repetitive, time-sensitive tasks that slow teams down, freeing analysts to focus on the decisions that actually require human judgment.

    Tools: Palo Alto Cortex XSOAR · Splunk SOAR · IBM Security SOAR

    6. Data Loss Prevention (DLP)

    Monitor and block the unauthorized exposure of sensitive data across endpoints, email channels, and cloud storage environments.

    DLP serves as the last line of defense when attackers have already gained access to your network, ensuring that even if they breach the perimeter, they can’t easily walk away with your most critical and regulated data assets.

    Tools: Microsoft Purview DLP · Symantec DLP · Forcepoint DLP

    7. Cloud Security (CSPM/CWPP/CNAPP)

    Flag risky misconfigurations, monitor running workloads for threats, and close exposure windows across your cloud environments before attackers can exploit them.

    With 61% of organizations reporting cloud security incidents last year, having purpose-built tooling for cloud infrastructure is no longer optional. It’s a fundamental requirement for any organization with meaningful cloud adoption.

    Tools: Wiz · Prisma Cloud · Microsoft Defender for Cloud

    8. Email Security & Phishing Defense

    Block malicious messages before they reach user inboxes, sandbox suspicious attachments in isolated environments, and inspect embedded links at the moment of click to prevent credential harvesting and malware delivery.

    Email continues to be the number one attack vector, responsible for roughly 22% of breaches, making robust email security one of the highest-impact investments a security team can make.

    Tools: Proofpoint · Microsoft Defender for Office 365 · Mimecast

    9. Vulnerability & Exposure Management

    Continuously scan your environment for exploitable weaknesses across systems, applications, and configurations, then prioritize remediation based on real-world threat intelligence and actual exploitability.

    With exploitation of known vulnerabilities driving approximately 20% of initial access in breaches, having a mature vulnerability management program is essential for reducing your organization’s overall attack surface.

    Tools: Tenable · Qualys VMDR · Rapid7 InsightVM

    10. Digital Forensics & Incident Response (DFIR)

    Capture volatile memory, disk images, and system artifacts to reconstruct exactly what happened during a security incident, how the attacker got in, and what they accessed.

    Speed is critical here as forensic evidence must be collected quickly and methodically before attackers have a chance to cover their tracks, destroy logs, or wipe compromised systems.

    Tools: Velociraptor · FTK · EnCase

    11. Case Management

    Track the full lifecycle of security incidents, including evidence, analyst decisions, escalation paths, and team coordination, with structured, audit-ready documentation that holds up under scrutiny from regulators, legal counsel, and executive leadership.

    Good case management ensures nothing falls through the cracks during high-pressure incidents and provides the institutional memory your team needs to improve over time.

    Tools: ServiceNow SecOps · TheHive · Jira Service Management

    12. Threat Intelligence

    Enrich incoming alerts with adversary context, behavioral patterns, indicators of compromise, and campaign-level insights from the broader threat landscape.

    Threat intelligence transforms raw, noisy alerts into actionable and prioritized intelligence, helping analysts understand not just what happened, but who is behind it, what their objectives are, and what they’re likely to do next.

    Tools: MISP · Recorded Future · Anomali ThreatStream

    Real-World Data Breach Examples And Their Financial Repercussions

    Data breaches can have severe financial consequences for organizations. 

    The following cases illustrate the real costs companies have faced after major security incidents: 

    1. SK Telecom Data Breach

    SK Telecom data breach

    SK Telecom is one of South Korea’s largest telecommunications providers, serving tens of millions of mobile subscribers and operating the nationwide connectivity infrastructure that underpins both consumer communications and enterprise operations.

    The estimated financial damage from the 2025 incident reached approximately $5 billion over three years, tied to a publicly discussed scenario involving early termination fee waivers for affected customers.

    Source: Techcrunch

    2. Bybit Data Breach

    Bybit data breach

    Bybit is a global cryptocurrency exchange supporting high-volume digital asset trading and custody, where the strength of security controls directly determines the safety of customer funds and platform stability.

    The 2025 incident resulted in approximately $1.5 billion in stolen virtual assets, which federal investigators attributed to North Korea.

    Source: Internet Crime Complaint Center

    3. Marks & Spencer Data Breach

    Marks & Spencer data breach

    Marks & Spencer is a major UK retailer selling clothing, food, and home products through physical stores and a large e-commerce operation, all supported by complex logistics and customer-facing systems.

    The 2025 incident carried an expected profit impact of approximately £300 million, driven by prolonged operational disruption and recovery costs.

    Source: The Register

    4. United Natural Foods Data Breach

    United Natural Foods data breach

    United Natural Foods Inc. is a major North American food distributor supplying grocery and retail chains through distribution centers and high-frequency ordering systems.

    The 2025 incident produced an estimated $350 million to $400 million impact on fiscal 2025 net sales, along with additional estimated hits to net income and adjusted EBITDA.

    Source: United Natural Foods Inc.

    5. Coinbase Data Breach

    Coinbase data breach

    Coinbase is a publicly traded digital asset platform providing trading and related services involving customer accounts, identity data, and regulated compliance processes.

    The 2025 incident carried a preliminary estimated cost of $180 million to $400 million, encompassing remediation expenses and voluntary customer reimbursements.

    Source: Sec.Gov

    6. Co-operative Group Data Breach

    Co-operative Group data breach

    The Co-operative Group, known as Co-op, is a UK member-owned retailer and services organization operating supermarkets and other consumer services at national scale.

    The 2025 incident resulted in an £80 million hit to first-half operating profit, with the full-year impact estimated at £120 million.

    Source: The Guardian

    7. AT&T Data Breach

    AT&T data breach

    AT&T is one of the largest US telecommunications providers, serving consumer and enterprise customers across wireless, broadband, and network services.

    The financial fallout from two major 2024 breaches culminated in a $177 million class action settlement fund, with claim deadlines and payout details published for eligible class members.

    Source: Open Class Action 

    8. Oracle E-Business Suite Data Breach

    Oracle E-Business Suite data breach

    Oracle E-Business Suite is an enterprise platform used for core business operations including finance, procurement, supply chain, and HR—placing it in close proximity to highly sensitive operational records.

    The 2025 extortion campaign included a documented ransom demand reaching $50 million in at least one reported case.

    Source: Bleeping Computer 

    9. Victoria’s Secret Data Breach

    Victoria’s Secret data breach

    Victoria’s Secret is a global retail brand with a significant direct-to-consumer business supported by web sales, customer accounts, and fulfillment operations.

    The 2025 incident caused an approximately $20 million negative impact on direct net sales, stemming from a prolonged website closure triggered by the security event.

    Source: Sec.Gov

    10. Jaguar Land Rover Data Breach

    Jaguar Land Rover data breach

    Jaguar Land Rover is a multinational automaker with a large manufacturing footprint and a broad supplier ecosystem that depends on stable production schedules and timely payments to keep parts flowing.

    In response to the 2025 cyberattack disruption, the UK government extended a loan guarantee expected to unlock up to £1.5 billion to stabilize the automaker’s supply chain.

    Source: Gov.UK


    FAQs

    What Does It Mean to Have a Data Breach?

    A data breach occurs when an unauthorized person gains access to personally identifiable information (PII) or other sensitive information, compromising its security, confidentiality or integrity.

    This unauthorized access may involve stealing, altering or disclosing data such as names, Social Security numbers and sensitive financial information.

    The breach can be intentional through hacking or malicious insiders, or accidental, such as losing a laptop containing unencrypted data.

    What Is a Data Breach Example?

    Typical examples include a cyber attack that accesses a company’s customer database, a fake website designed to capture login details, or an employee downloading malicious files that extract sensitive information.

    Breaches also occur when physical devices containing unencrypted data are stolen or when cloud storage is misconfigured and left open to the public.

    In these cases threat actors may exfiltrate personal records, payment information, trade secrets or medical records.

    Is a Data Breach the Same as Being Hacked?

    No. Hacking refers broadly to gaining unauthorized access to networks or devices, whereas a data breach specifically involves data theft, exposure or destruction of sensitive information.

    Not every hack results in a data breach, and data breaches can occur without traditional hacking through misconfigured databases or stolen devices.

    Hacking is the act of breaking in; a data breach is the unauthorized acquisition or disclosure of the data.

    What Happens if You Have a Data Breach?

    A data breach can lead to theft, fraud and long term financial or reputational damage.

    Individuals may suffer identity theft, unauthorized charges or damage to financial accounts, while organizations face regulatory penalties, civil lawsuits and legal fees.

    Data breach notification laws in the United States require breached organizations to notify affected individuals and, in some states, the attorney general. Prompt incident response and stronger security controls are essential to limit harm.

    How Do I Know If I Was Part of a Data Breach?

    Companies are generally required to notify customers when personal data is compromised, so watch for official notices from the affected organization.

    You can also visit the company’s website for updates, consult free credit monitoring services or use a reputable third-party breach checker to see if your credentials appear in known breach databases.

    Monitoring credit reports, bank statements and online accounts for suspicious activity can provide early warning of misuse.
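    As an added illustration (not part of the original article), this is how a reputable breach checker can test a password against known-breach data without ever receiving the password: the client hashes locally, sends only the first five hex characters of the SHA-1 digest, and matches the remaining 35 characters itself against the returned range. The endpoint URL is Have I Been Pwned’s Pwned Passwords range API, which the article does not name and is assumed here; the response body is constructed inline so the code runs offline.

```python
import hashlib
from typing import Callable

# Have I Been Pwned's Pwned Passwords range endpoint (assumed service;
# the article names no specific breach checker).
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body returned by GET {RANGE_URL}5BAA6.
# A real response lists every known suffix for that prefix, one
# "<35-hex suffix>:<count>" per line. The counts here are made up, but
# the first suffix is the true remainder of SHA-1("password").
SAMPLE_RESPONSE = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "1E2BAF92E4AD91F6DE1A3D4FBB1D77A4C1A:3",
    "1F3B7C8D9E0F1A2B3C4D5E6F7A8B9C0D1E2:17",
])

def offline_range_fetch(prefix: str) -> str:
    """Offline fetcher so the example runs without network access."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""

def http_range_fetch(prefix: str) -> str:
    """Live fetcher (not used by default): one GET per 5-char prefix."""
    from urllib.request import urlopen
    with urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; only the 5-char prefix is ever transmitted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str,
                 fetch: Callable[[str], str] = offline_range_fetch) -> int:
    """Number of times the password appears in the corpus; 0 = no match.
    Matching suffixes against the returned set happens on this side,
    so the service cannot tell which suffix (if any) we cared about."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and count.isdigit():
            return int(count)
    return 0

if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2026"):
        n = breach_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

    To query the live service, pass `fetch=http_range_fetch`; the same prefix-only disclosure holds, and a non-zero count means the password should be treated as compromised and changed everywhere it was reused.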

    How Do Data Breaches Happen?

    Breaches typically begin with attackers exploiting a vulnerability to gain an initial foothold and then moving laterally to collect valuable data.

    Common attack vectors include phishing attacks that trick users into revealing credentials, malware or ransomware infections, unpatched software, weak passwords and misuse of authorized access by insiders.

    Attackers may also leverage previously breached credentials purchased on dark web markets or exploit weaknesses in web applications and cloud configurations.

    Sources

    1. IBM Security. Cost of a Data Breach Report 2025. 2025. Reports a global average data breach cost of USD 4.44 million in 2024 to 2025, with U.S. average costs exceeding USD 10 million due to regulatory penalties. https://www.bakerdonelson.com/webfiles/Publications/20250822_Cost-of-a-Data-Breach-Report-2025.pdf
    2. Palo Alto Networks Unit 42. Incident Response Report 2026. 2026. Finds threat actors begin scanning for newly disclosed vulnerabilities within approximately 15 minutes of CVE publication. https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
    3. HIPAA Journal. Summary of Verizon 2025 Data Breach Investigations Report. 2025. States compromised credentials caused 22 percent of breaches, exploited vulnerabilities accounted for 20 percent, only 54 percent of systems were fully patched, and median remediation time was 32 days. https://www.hipaajournal.com/verizon-dbir-2025/
    4. Beyond Identity. Access Is Still the Point of Failure: Verizon DBIR 2025 Analysis. 2025. Notes 22 percent of breaches began with credential abuse, 16 percent with phishing, 20 percent with exploited device vulnerabilities representing a 34 percent increase, and 46 percent of compromised devices were unmanaged or bring your own devices. https://www.beyondidentity.com/resource/verizon-dbir-2025-access-is-still-the-point-of-failure
    5. Verizon. 2025 DBIR SMB Snapshot. 2025. Confirms exploitation of vulnerabilities rose to 20 percent of initial access vectors, only 54 percent of edge device vulnerabilities were remediated with a 32 day median, ransomware appeared in 44 percent of breaches, 64 percent of victims refused payment, 30 percent of compromised devices were enterprise licensed, and 46 percent were unmanaged. https://www.verizon.com/business/resources/infographics/2025-dbir-smb-snapshot.pdf
    6. ISSA Nova. Verizon 2024 DBIR Presentation. 2024. Shows misdelivery accounted for 56 percent of error driven breaches in educational institutions, while loss and classification errors represented 19 percent and 10 percent respectively. https://www.issa-nova.org/wp-content/uploads/2024/06/2024_Data_Breach_Investigations_Report_Presentation.pdf
    7. BeyondTrust. Microsoft Vulnerabilities Report 2024. 2024. Reports elevation of privilege flaws represented 40 percent of Microsoft vulnerabilities in 2023, totaling 490 of 1,230 disclosures. https://assets.beyondtrust.com/assets/documents/BT_whitepaper_Microsoft-Vulnerabilities-Report-2024.pdf
    8. Finite State. OWASP Top 10 2021 Webinar Summary. 2024. States broken access control remained a leading weakness, with approximately 3.81 percent of tested applications containing related CWEs and more than 318,000 occurrences identified. https://finitestate.io/blog/owasp-top-10-2021-webinar
    9. GraVoc. CrowdStrike Global Threat Report 2025 Summary. 2025. Reports average eCrime breakout time fell to 48 minutes in 2024, with the fastest observed breakout occurring in 51 seconds. https://www.gravoc.com/2025/04/02/malware-free-attacks-shorter-breakout-time-why-you-need-adversary-simulation-testing/
    10. Google Mandiant. M-Trends 2025. 2025. States global median dwell time increased to 11 days in 2024, data theft evidence appeared in 37 percent of investigations, and the ATT&CK technique File and Directory Discovery appeared in 34.2 percent of cases. https://services.google.com/fh/files/misc/m-trends-2025-en.pdf
    11. Watchdog Cyber Defense. Social Engineering Threat Analysis. 2025. Reports social engineering accounted for approximately 22 percent of external actor breaches and that 68 percent of breaches involved human error or manipulation. https://watchdogcyberdefense.com/2025/10/hackers-dont-need-to-break-in-they-just-need-to-trick-you-the-unseen-battleground-of-social-engineering/
    12. Breached Company. Summary of FBI 2024 IC3 Report. 2025. States total cybercrime losses reached USD 16.6 billion, including USD 2.77 billion from business email compromise and USD 1.45 billion from personal data breaches. https://breached.company/the-2024-ic3-report-record-cybercrime-losses-highlight-escalating-digital-threats/
    13. Cybersecurity Insiders. 2024 Cloud Security Report. 2024. Reports 61 percent of organizations experienced at least one cloud security incident, data exposure incidents accounted for 21 percent, and cloud incidents increased from 24 percent year over year. https://www.cybersecurity-insiders.com/2024-cloud-security-report-checkpoint/
    14. SC Media. Cloud Security Incidents Rise 61 Percent. 2024. Reports nearly two thirds of organizations experienced a cloud security incident, with misconfiguration and identity management weaknesses cited as primary causes. https://www.scworld.com/brief/cloud-security-incidents-rise-61-as-misconfigurations-identity-risks-grow
    15. Flare. Stolen Credentials in Cybercrime: Insights from DBIR 2025. 2025. Reports 30 percent of compromised devices in infostealer logs were enterprise licensed, 46 percent were unmanaged, credentials appeared in 54 percent of ransomware incidents, and 40 percent of logs contained corporate email addresses. https://flare.io/learn/resources/blog/stolen-credentials-in-cybercrime-insights-2025-verizon-dbir/
    16. HelpNetSecurity. State of Secrets Sprawl 2025 Coverage. 2025. Reports 23.8 million secrets were exposed on public GitHub repositories, 58 percent were generic tokens, and 70 percent of secrets leaked in 2022 remained active. https://www.helpnetsecurity.com/2025/03/19/report-the-state-of-secrets-sprawl-2025/
    17. The420.in. SK Telecom Breach Cost Projection. 2025. Reports projected losses exceeding KRW 7 trillion over three years, equivalent to roughly USD 5 billion, and potential customer churn of up to 2.5 million subscribers. https://the420.in/half-of-south-korea-hit-sk-telecoms-worst-data-breach-in-history/
    18. Wilson Center. Bybit Heist Analysis. 2025. Reports North Korean actors stole approximately USD 1.5 billion in Ethereum from Bybit on February 21, 2025. https://www.wilsoncenter.org/article/bybit-heist-what-happened-what-now
    19. The Guardian. Marks and Spencer Cyber Attack Impact. 2025. Reports expected annual profit reduction of approximately GBP 300 million due to the cyber attack. https://www.theguardian.com/business/2025/may/21/cyber-attack-cost-marks-and-spencer-lost-sales-company-results-reveal
    20. Recorded Future News. Marks and Spencer Profit Loss Coverage. 2025. Reports profits fell to GBP 3.4 million from GBP 391.1 million in the first half of 2025 and forecasts a GBP 300 million annual impact. https://therecord.media/marks-spencer-profits-wiped-out-cyberattack
    21. SecurityWeek. United Natural Foods Cyber Attack Impact. 2025. Reports projected net sales impact of USD 350 million to USD 400 million, net income reduction of USD 50 million to USD 60 million, and adjusted EBITDA decrease of USD 40 million to USD 50 million. https://www.securityweek.com/united-natural-foods-projects-up-to-400m-sales-hit-from-june-cyberattack/
    22. Reuters. Coinbase Cyber Attack Disclosure. 2025. Reports projected financial impact between USD 180 million and USD 400 million following compromise of certain customer accounts. https://www.reuters.com/business/coinbase-says-cyber-criminals-stole-account-data-some-customers-2025-05-15/
    23. Reuters. Co-operative Group Cyber Attack Impact. 2025. Reports revenue reduction of GBP 206 million, profit reduction of GBP 80 million, and projected full year impact of GBP 120 million. https://www.reuters.com/world/uk/britains-co-op-says-cyberattack-cost-it-108-million-2025-09-25/
    24. PR Newswire. AT&T Data Incident Settlement Notice. 2025. Reports total settlement fund of USD 177 million, consisting of USD 149 million for the first incident and USD 28 million for the second. https://www.prnewswire.com/news-releases/att-data-incident-settlement-notice-177-million-settlement-fund-for-eligible-claimants-302521008.html
    25. CyberScoop. Cl0p Extortion Campaign Against Oracle Customers. 2025. Reports ransom demands ranging from USD 50,000 to USD 50 million. https://cyberscoop.com/oracle-customers-attacks-clop-google-mandiant/
    26. RetailTouchPoints. Victoria’s Secret Cyber Attack Impact. 2025. Reports expected USD 20 million reduction in second quarter net sales following the May 2025 cyber attack. https://www.retailtouchpoints.com/topics/security/data-security/victorias-secret-latest-hit-in-growing-swath-of-retail-cyber-attacks
    27. UK Government. Jaguar Land Rover Loan Guarantee Announcement. 2025. Reports UK government backed a GBP 1.5 billion loan guarantee after cyber disruption halted production. https://www.gov.uk/government/news/government-backs-jaguar-land-rover-with-15-billion-loan-guarantee

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust, keeping them ahead of the curve.
