πŸ”’
Data Breach Report
Enter code to access

Data Breaches

How Secrets and Personal Data Get Leaked, Who Is Behind Them, How Companies Find Out, and What Recourse They Have

SECURITY BRIEFING
ℹ️ READING GUIDE
READING GUIDE

FACTS in normal text. SPECULATION in italics. Every statistic links to its source.

πŸ”¬ ANATOMY OF A BREACH
1
Initial Access
Phishing, stolen credentials, vulnerability exploitation, or third-party compromise. The attacker gets a foothold.
β†’
2
Lateral Movement
Attacker escalates privileges, moves across systems, and locates valuable data. Often undetected for weeks.
β†’
3
Data Exfiltration
Sensitive data copied, encrypted, or transmitted out. Sometimes staged through intermediate servers.
β†’
4
Discovery
Company detects the breach internally (SOC/SIEM) or externally (dark web monitoring, third-party report). Median: ~241 days.
β†’
5
Response
Incident response, containment, forensic analysis, regulatory notification, customer notification, legal action.
THE GAP

The average breach lifecycle (identify + contain) was ~241 days in 2025. Stolen credential breaches took ~292 days to resolve. Organizations using AI and automation in security shortened detection by 108 days. Source

⚠️ HOW BREACHES HAPPEN

Initial access routes vary, but identity-related social engineering accounts for 33% of incidents globally (phishing 22%, other social engineering 11%), according to the Unit 42 Global Incident Response Report 2026. The Verizon DBIR 2026 identifies social engineering, phishing, stolen credentials, vulnerability exploitation, ransomware, and third-party compromise as the top attack vectors.

Attack Vector% of BreachesAvg Cost ImpactDetection Difficulty
Phishing & Social Engineering22-33%HighMedium
Stolen Credentials~20%S$4.19M (ASEAN)High (292 days to resolve)
RansomwareGrowing (+47%)Very HighLow (attacker announces)
Supply Chain / Third-PartyIncreasing (+40%)HighVery High
Insider Threats~26% (human error)Moderate-HighVery High
Cloud MisconfigurationCommonModerateMedium
Vulnerability ExploitationVariableS$4.86M (zero-day, ASEAN)High
AI-Enhanced Attacks16% involve AIRisingHigh
1. Phishing and Social Engineering
Fraudulent emails and messages trick employees into clicking malicious links or entering credentials. AI-generated phishing now accounts for 37% of AI-assisted attacks, with deepfakes at 35%. Source
BrightDefense
2. Stolen Credentials
Attackers use leaked or purchased passwords to log in directly. Breaches involving stolen credentials took approximately 292 days to resolve, the longest of any vector. Source
DeepStrike
3. Ransomware
Malware encrypts the victim's data and attackers demand payment. Publicly reported ransomware attacks rose 47% in 2025 even as gangs earned less, pushing them toward new revenue models including DDoS-as-a-Service and insider recruitment. Source
CertEmpire
4. Supply Chain Attacks
Attackers compromise a trusted third-party vendor to reach the target. Supply chain attacks increased over 40% in recent years. The Snowflake breach (2024) enabled access to dozens of client environments, including Ticketmaster with 500M+ customer records. Source Source
BlueFire / DigitalDefynd
5. Insider Threats
Employees intentionally or unintentionally expose data. Human error caused 26% of breaches and IT failures caused 23%. Source
BrightDefense
6. Cloud Misconfiguration
Incorrectly configured storage buckets or permissions expose data publicly. These breaches are often found by researchers or opportunistic actors scanning for open resources. Source
Zluri
7. Vulnerability Exploitation
Attackers exploit unpatched software vulnerabilities. Zero-day vulnerability attacks were the most expensive entry point in ASEAN at S$4.86M per breach. Source
TechGoondU
8. AI-Enhanced Attacks
16% of breaches involved attackers using AI. Deepfake social engineering and AI-driven supply chain breaches are emerging threat categories. Source
PrimeSecured
🎭 WHO IS BEHIND DATA BREACHES
Perpetrator TypeMotivationMethodsNotable Cases
Financially motivated cybercriminalsMonetary gainExtortion, data theft, ransomwarePrimary driver
Nation-state APT groupsEspionage, disruption, financialSpear-phishing, zero-days, supply chainLazarus (DPRK), Volt Typhoon, UNC3886 (China)
Organized crime syndicatesProfit, reputationSIM swapping, MFA bypass, custom malwareScattered Spider, LAPSUS$, ShinyHunters β†—
HacktivistsPolitical/ideologicalDefacement, DDoS, data dumpsGrowing but secondary
InsidersCoercion, grievance, profitData exfiltration, credential sharingRecruited by ransomware groups β†—
1. Financially Motivated Cybercriminals
The primary driver behind most breaches. These actors seek monetary gain through extortion, data theft, and ransomware operations. Source
Huntress

2. Nation-State APT Groups

Lazarus Group (North Korea): Evolved from hacktivists to financial cybercriminals. Linked to Lab 110. Stole $625M in Ethereum from the Ronin Network. Source Source

Volt Typhoon and UNC3886 (China): State-sponsored hackers targeted Singtel and critical infrastructure in Singapore during 2024-2025. Source

Nation-state actors blend espionage with financially motivated theft, blurring the line between geopolitical and criminal threats.

3. Organized Crime Syndicates: Scattered LAPSUS$ Hunters
In November 2025, Scattered Spider, LAPSUS$, and ShinyHunters merged into 'Scattered LAPSUS$ Hunters'. Their toolkit includes social engineering, SIM swapping, MFA bypass, and identity compromise. They hinted at custom ransomware called 'Sh1nySp1d3r'. BitSight analysis linked Scattered Spider TTPs to UK retailer attacks in April 2025. Source Source
The Hacker News / BitSight
4. Hacktivists
Politically or ideologically motivated actors. A growing but secondary category. Their operations tend to be lower-sophistication (defacement, DDoS, data dumps) but can still cause significant reputational and operational damage.
Industry reporting
5. Insiders
Disgruntled or coerced employees pose an internal threat. Ransomware groups now actively recruit insiders and gig workers to facilitate access. Source
CertEmpire
πŸ’° HOW PERPETRATORS BENEFIT
1. Dark Web Data Sales
Stolen data is sold through underground marketplaces. 'Fullz' packages (complete identity profiles: SSN, email, phone, DOB) command premium prices for identity theft. Source Source
CyberNod / ResearchGate
2. Direct Fraud
Stolen credit and debit card data is used for fraudulent transactions or resold on dark web marketplaces. Source
GASA
3. Ransom and Extortion
Attackers demand payment for decryption keys or to prevent data publication. Some skip ransom entirely and sell stolen data to the highest bidder instead. Source
CyberDefense Magazine

4. Loyalty Program Abuse

In October 2025, a European airline's frequent-flyer database was auctioned on a dark web marketplace. Criminals used stolen miles to book first-class tickets, then resold them for cash. This shows how non-financial data carries real monetary value. Source

Loyalty points, gaming accounts, and subscription credentials are now mainstream dark web commodities.

DARK WEB MARKET SCALE

$17.3M in stolen personal data trade has been documented on dark web marketplaces. Source

6. Cryptocurrency Theft
The Lazarus Group stole $625 million in Ethereum and USDC from the Ronin Network, demonstrating that direct crypto theft rivals traditional extortion as a revenue stream for sophisticated actors. Source
Cybersecurity Ventures
πŸ” HOW COMPANIES FIND OUT
1. Internal Detection
Network monitoring, SIEM/SOC platforms, and XDR solutions watch for signs of intrusion. These systems flag anomalous traffic, privilege escalation, and known attack signatures.
Industry standard
2. External Detection
Dark web monitoring scans underground marketplaces for compromised credentials and leaked data. Most companies only do the first part and miss many breaches entirely. Source
BreachSense
MetricValueSource
Mean breach lifecycle (identify + contain)~241 daysDeepStrike
Stolen credentials breaches (resolution time)~292 daysDeepStrike
AI/automation shortened detection by108 daysBrightDefense
XDR technology lifecycle249 daysBrightDefense
Without XDR lifecycle304 daysBrightDefense
Median dwell time (Mandiant, targeted intrusions)~10 daysBrightDefense
Average breach lifecycle (Verizon DBIR 2025)277 daysBrightDefense
DETECTION GAP

Many breaches are discovered only when stolen data appears on the dark web or is reported by a third party. By the time external detection triggers, the data has already been sold or exploited. Source

🌍 PREVALENCE: GLOBAL
MetricValueSource
Global average cost per breach (2025)$4.44MDeepStrike
Global average cost per breach (2024)$4.88MDeepStrike
Cost per compromised record$164DeepStrike
Individuals exposed in 202555 millionDeepStrike
Americans impacted by breaches (2024)1 billion+AboutLawsuits
Supply chain attacks increase40%+BlueFire
Breaches involving AI16%BlueFire
AI-generated phishing37%BrightDefense
Deepfake attacks35%BrightDefense

Case Study: Change Healthcare (2024)

190 million individuals affected. The figure grew from an initial 100 million to 190 million over months of forensic analysis, making it one of the largest healthcare breaches in US history. Source Source

The final victim count more than doubled during investigation. Initial breach estimates are almost always undercounts.

Case Study: Ticketmaster / Snowflake (2024)
500M+ customer records exposed through a third-party cloud compromise. The attackers gained access via Snowflake's infrastructure and exfiltrated data from dozens of client environments. Source
DigitalDefynd
🌏 PREVALENCE: ASEAN
MetricValueSource
ASEAN average breach cost (2024)S$4.34M (US$3.33M), +7% YoYTechGoondU
ASEAN average breach cost (2025)USD 3.67M, +14% to record highComputerWeekly
Financial sector (most expensive)S$7.48M per breachTechGoondU
Industrial sectorS$5.62M per breachTechGoondU
Technology sectorS$5.5M per breachTechGoondU
Business email compromiseS$4.65M avg costTechGoondU
Stolen credentialsS$4.19M avg costTechGoondU
Zero-day vulnerability (most expensive)S$4.86M avg costTechGoondU
Asia Pacific ransomware incidents (H1 2024)57,000+AccessPartnership
AI/automation impact (ASEAN)Cut lifecycle by 99 days, saved ~US$1.25MComputerWeekly
ASEAN TREND

ASEAN breach costs hit a record high in 2025 at USD 3.67M, a 14% increase. The financial sector bore the heaviest cost at S$7.48M per breach. Source Source

Asia Pacific Ransomware Surge
Over 57,000 ransomware incidents were recorded in Asia Pacific in H1 2024, with Indonesia, the Philippines, and Thailand worst hit. Source
AccessPartnership
AI and Automation: The Counterweight
ASEAN organizations using security AI and automation cut breach lifecycles by 99 days and reduced costs by approximately US$1.25M compared to organizations without these tools. Source
ComputerWeekly
πŸ‡ΈπŸ‡¬ PREVALENCE: SINGAPORE
CaseIndividuals AffectedFine / OutcomeSource
SingHealth1.5M patientsS$750,000 (largest single fine)SoS
Marina Bay Sands665,000 patronsS$243,096 (2025)Baker McKenzie
Singapore Data Hub689,000 individualsSGD 17,500Baker McKenzie
PPLingo Pte Ltd300,000+ minorsS$74,000 (May 2024)Baker McKenzie
RedMart1.1M usersReportedSoS
MyRepublic79,000ReportedSoS
SINGAPORE FINES

The PDPC has issued over S$1 million in total fines to date. The largest single fine was S$750,000 for the SingHealth breach. Source

State-Sponsored Targeting of Singapore Infrastructure
Volt Typhoon and UNC3886, both linked to China, targeted Singtel and critical infrastructure in Singapore during 2024-2025. These were not financial crimes but intelligence and positioning operations. Source
State of Surveillance
PDPC Enforcement Intensifying
Singapore's PDPC has been actively fining organizations across sectors. Recent enforcement actions signal stricter compliance expectations, particularly around AI and data governance. Source Source
Baker McKenzie / OpsIntel
βš–οΈ LEGAL RECOURSE AND RESPONSE
JurisdictionNotification DeadlineMax PenaltyKey Requirement
Singapore (PDPA) β†—3 calendar daysS$1M (organization)Appoint DPO (mandatory from June 1, 2025)
EU (GDPR)72 hours β†—4% of global annual turnoverNotify supervisory authority + affected individuals
ASEAN (varies)Varies by countryVariesFragmented frameworks; Singapore strongest

Singapore PDPA: Notification Requirements

Organizations must notify the PDPC within 3 calendar days of determining that a breach is notifiable. A Data Protection Officer (DPO) must be appointed as of June 1, 2025. Notification is required when the breach results in significant harm OR affects 500+ individuals. The organization must also investigate the breach scope and potential harm to consumers. Source Source Source Source

Three days is tight. Organizations without a pre-built incident response plan and DPO will struggle to meet this deadline.

EU GDPR: Breach Notification and Private Claims

Under GDPR Article 33, organizations must notify the supervisory authority within 72 hours of becoming aware of a breach. Affected individuals can file private claims for damages. Companies should revisit breach response plans to consider private claim risks before notifying individuals. Source Source Source

GDPR notification triggers a 72-hour clock AND opens the door to private litigation. The legal strategy must account for both.

Technical Recourse: The 72-Hour Action Plan

1
Hour 0-4: Activate incident response plan. Isolate affected systems. Preserve forensic evidence.
2
Hour 4-24: Forensic analysis to determine scope: what data, how many individuals, what systems.
3
Hour 24-48: Assess notifiability under PDPA/GDPR. Prepare regulatory notifications.
4
Hour 48-72: Submit regulatory notifications (PDPC: 3 days, GDPR: 72 hours). Begin customer notification preparation.
5
Day 3-7: Customer notification. Coordinate with law enforcement. Offer credit monitoring to affected individuals.
6
Ongoing: Legal action and lawsuits. Change Healthcare, AT&T, and Ticketmaster all face active litigation from 2024 breaches.
KEY TAKEAWAY

The window between breach detection and regulatory notification is measured in hours, not days. Organizations without a tested incident response plan, a designated DPO, and external forensic/legal contacts will face penalties on top of whatever the breach itself cost. Source