The 2024 Verizon DBIR recorded 10,626 confirmed breaches across 94 countries. The number roughly doubled from 2022. Here is what is actually driving it, and why the trend is structural rather than cyclical.
I came back to the Verizon Data Breach Investigations Report numbers this week and the 10,626 confirmed breach count is still hard to process. That figure comes from 30,458 total security incidents across 94 countries, reported at https://www.verizon.com/business/resources/reports/dbir/, and it represents roughly double the confirmed breach count Verizon recorded in 2022. My first instinct was that "twice as many breaches" might partly reflect better detection and reporting rather than twice as much actual breaching. That instinct turns out to be partially right, but not in the way I expected, and the parts that are not explained by detection improvements are the parts that concern me most.
The DBIR is probably the most methodologically transparent large-scale breach dataset in existence. Verizon publishes detailed descriptions of how incidents are classified, what counts as a confirmed breach versus a suspected incident, and where the data comes from, which includes law enforcement referrals, industry partners, and Verizon's own forensic caseload. When they report a doubling, they are counting incidents that went through consistent classification criteria across multiple data partners over multiple years. That discipline makes the trend more meaningful than it would be from a less rigorous source. The doubling is real in the sense that matters: more organizations experienced confirmed unauthorized data disclosure in 2024 than in 2022, adjusting for methodology.
So what is actually driving it? Vulnerability exploitation is the biggest story in the 2024 DBIR. Exploitation of vulnerabilities as a breach entry point nearly tripled from the previous year, accounting for 14% of all breaches. Verizon attributes a significant portion of that to MOVEit and similar zero-day vulnerabilities in managed file transfer software. MOVEit is worth pausing on because it illustrates something the raw count statistic cannot convey. A single vulnerability in widely used shared infrastructure can produce hundreds of confirmed breaches almost simultaneously. When attackers exploited MOVEit Transfer in 2023, the campaign affected organizations across government, healthcare, finance, and higher education within weeks. Verizon counted each affected organization as a separate breach. The "tripling" of vulnerability exploitation is therefore partly a story about the discovery of high-leverage vulnerabilities in shared infrastructure, not simply an increase in attacker sophistication across many independent campaigns.
I find absorptive capacity (Cohen and Levinthal 1990) useful for understanding why organizations responded so differently to MOVEit. The theory argues that an organization's ability to recognize, assimilate, and apply external security knowledge depends on its prior knowledge base and internal processes for integrating new information. Organizations with mature vulnerability management programs that actively monitored CISA and vendor advisories were able to patch MOVEit quickly after the vulnerability was disclosed. Organizations without that absorptive capacity, without dedicated security teams or established patch management workflows, could not act on the same information at the same speed. The vulnerability was equally visible to both. The outcome was not equal. Absorptive capacity explains why identical external information produces such different organizational security outcomes, and the MOVEit episode is one of the clearest illustrations of that gap I have seen in real-world data.
The human element finding is more straightforward and more stubborn. Verizon found that 68% of breaches involved a non-malicious human element, meaning errors, misuse, or social engineering rather than deliberate insider threat. The phishing finding within that 68% is the one I find most striking: the median time from opening a phishing email to clicking the malicious link was less than 60 seconds. Under a minute. That is not a finding that security awareness training can easily address. You cannot think carefully about whether an email is legitimate if you are responding to it in under a minute while managing three other tasks. I wrote separately about why the behavioral response to the human element problem is mostly misdesigned, but the DBIR number is the starting point for that argument.
Stolen credentials appeared in 31% of all breaches when Verizon looked at a ten-year window, making it the most persistently successful attack vector across the full reporting history. That number has not materially declined over the decade despite enormous investment in multi-factor authentication and identity infrastructure. My read is that credential theft succeeds not because authentication technology is weak but because deployment is chronically uneven. MFA penetration in enterprise environments is still incomplete, and the systems that lack it tend to be the legacy ones that attackers specifically map and target. A strong security posture on primary systems does not protect a vulnerable VPN endpoint or an old file server that nobody budgeted to upgrade.
The third-party risk finding deserves its own post, and I have written one. But the headline number belongs here: 15% of breaches involved a third-party vendor or partner in 2024, a 68% increase from the prior DBIR reporting period. Third-party breaches are structurally different from direct organizational breaches in ways that make them harder to prevent. You can harden your own environment. You cannot directly harden your payroll vendor's environment, your managed security service provider's environment, or your cloud backup vendor's environment. The third-party problem is a governance problem as much as a technical one, and the 68% increase suggests it is accelerating rather than being contained.
The 90% financial motivation finding is important for calibrating what defenders are actually dealing with. Financially motivated attackers behave differently from state-sponsored ones. They are looking for the path of least resistance to monetizable data. They are running opportunistic scans for exploitable systems and following the map to the most valuable assets. This means that an organization's breach probability is substantially affected by how visible and exploitable its systems appear from the outside, not just by how many determined adversaries specifically want to breach it. An organization that patches aggressively, removes exposed systems from public internet access, and enforces MFA broadly is reducing its attractiveness in the opportunistic market even if it cannot control every threat actor. The tactical implication of 90% financial motivation is that consistent basic hygiene reduces risk more than sophisticated defenses against rare targeted attacks.
As an IS researcher, what I keep returning to is the absorptive capacity angle. The DBIR data makes clear that the information about vulnerabilities, attack patterns, and breach vectors is available. The DBIR itself is public. CISA publishes vulnerability advisories. Threat intelligence feeds are widely distributed. The problem is not information availability. The problem is the organizational capacity to act on that information before attackers do. Organizations that cannot recognize, assimilate, and apply external security knowledge quickly are structurally more exposed regardless of their security budget. That is a research question with real organizational consequences, and I think IS research on absorptive capacity in security contexts is underinvested relative to what the data is showing.
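To make the absorptive-capacity point concrete, here is an added example (my own code, not the post's, Verizon's, or CISA's) of the step a mature vulnerability management program automates: ingest an advisory feed the day it is published, match it against an asset inventory, and hand the patch team an ordered list. The feed and the inventory are constructed for the example and the CVE identifiers are placeholders; only the field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow the layout of the CISA Known Exploited Vulnerabilities JSON. The host names, vendors, and the internet_exposed flag are assumptions about what an inventory would carry.

```python
"""Advisory-to-inventory triage: the 'absorptive capacity' step in code.

Added example, not from the post or the DBIR. Parses a KEV-style advisory feed,
matches it against an asset inventory, and orders the affected assets by
urgency. Both inputs are constructed here; CVE ids are placeholders.
"""
import json
from datetime import date

# Constructed advisory feed in the CISA KEV JSON shape. The CVE ids are
# placeholders, not real identifiers.
ADVISORY_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Transfer", "dueDate": "2023-06-23",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor",
         "product": "Gateway", "dueDate": "2023-07-10",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Desktop", "dueDate": "2023-07-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory (hypothetical hosts): what is installed and
# whether the host faces the internet. The legacy file server has no match
# in the feed and should produce no finding.
INVENTORY = [
    {"host": "mft-prod-01", "vendor": "ExampleVendor", "product": "Transfer",
     "internet_exposed": True},
    {"host": "mft-dev-02", "vendor": "ExampleVendor", "product": "Transfer",
     "internet_exposed": False},
    {"host": "vpn-legacy", "vendor": "OtherVendor", "product": "Gateway",
     "internet_exposed": True},
    {"host": "fileserver-old", "vendor": "LegacyCorp", "product": "SMB",
     "internet_exposed": False},
]


def _norm(s):
    """Normalise vendor/product strings so feed and inventory spellings match."""
    return s.strip().lower()


def parse_feed(feed_json):
    """Index advisories by (vendor, product) so each asset lookup is O(1)."""
    index = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        key = (_norm(v["vendorProject"]), _norm(v["product"]))
        index.setdefault(key, []).append(v)
    return index


def triage(feed_json, inventory, today_iso):
    """Return affected assets, most urgent first.

    Ordering: internet-exposed hosts before internal ones, advisories tied to
    known ransomware use before the rest, then earliest remediation due date.
    """
    index = parse_feed(feed_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for adv in index.get(key, []):
            due = date.fromisoformat(adv["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": adv["cveID"],
                "internet_exposed": asset["internet_exposed"],
                "ransomware_use": adv.get("knownRansomwareCampaignUse") == "Known",
                "days_to_due": (due - today).days,
            })
    findings.sort(key=lambda f: (not f["internet_exposed"],
                                 not f["ransomware_use"],
                                 f["days_to_due"]))
    return findings


def overdue(findings):
    """Findings whose remediation due date has already passed."""
    return [f for f in findings if f["days_to_due"] < 0]


if __name__ == "__main__":
    for f in triage(ADVISORY_FEED, INVENTORY, "2023-06-20"):
        print(f)
```

The design choice worth noting is the sort order: it encodes the post's own argument that opportunistic attackers follow external exposure, so an internet-facing host with an actively exploited bug outranks an internal host with an earlier due date. Swapping the real KEV feed and a CMDB export for the constructed inputs is the only change needed to run this against a live environment.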
What worries me most about the 10,626 number is not the number itself. It is the trend structure underneath it. Vulnerability exploitation in shared infrastructure is a scalable attack vector that produces many breaches per campaign. Credential theft over ten years shows no meaningful decline. Third-party risk is increasing as organizations extend their data environments to more vendors. The doubling from 2022 is partly better detection, partly MOVEit-style leveraged exploitation, and partly the maturation of criminal service markets that lowered the cost of conducting attacks. Those are structural trends. The count will not reverse without structural responses, and right now I am not sure the IS field has a clear enough picture of what those structural responses look like at the organizational level.
---
claims_checked:
- "30,458 security incidents, 10,626 confirmed breaches, 94 countries, roughly 2x increase over 2022": "https://www.verizon.com/business/resources/reports/dbir/"
- "Vulnerability exploitation nearly tripled, 14% of all breaches": "https://www.verizon.com/business/resources/reports/dbir/"
- "Human element in 68% of breaches": "https://www.verizon.com/business/resources/reports/dbir/"
- "Phishing median click time under 60 seconds": "https://www.verizon.com/business/resources/reports/dbir/"
- "Third-party risk 15% of breaches, 68% increase": "https://www.verizon.com/business/resources/reports/dbir/"
- "90% of breaches financially motivated": "https://www.verizon.com/business/resources/reports/dbir/"
- "Stolen credentials in 31% of all breaches over 10-year window": "https://www.verizon.com/business/resources/reports/dbir/"
- "Absorptive capacity theory, Cohen and Levinthal 1990": "foundational IS theory, no URL required"
claims_unverified:
- "MOVEit campaign timeline and sector spread: widely reported; consistent with DBIR 2024 attribution but specific DBIR page not directly fetched"
- "Ransomware-as-a-service as a matured service market: analytical inference supported by DBIR findings, not a direct quote"
sources_used:
- "https://www.verizon.com/business/resources/reports/dbir/"
word_count: 1120