How Secrets and Personal Data Get Leaked, Who Is Behind Them, How Companies Find Out, and What Recourse They Have
SECURITY BRIEFINGFACTS in normal text. SPECULATION in italics. Every statistic links to its source.
The average breach lifecycle (identify + contain) was ~241 days in 2025. Stolen credential breaches took ~292 days to resolve. Organizations using AI and automation in security shortened detection by 108 days. Source
Initial access routes vary, but identity-related social engineering accounts for 33% of incidents globally (phishing 22%, other social engineering 11%), according to the Unit 42 Global Incident Response Report 2026. The Verizon DBIR 2026 identifies social engineering, phishing, stolen credentials, vulnerability exploitation, ransomware, and third-party compromise as the top attack vectors.
| Attack Vector | % of Breaches | Avg Cost Impact | Detection Difficulty |
|---|---|---|---|
| Phishing & Social Engineering | 22-33% | High | Medium |
| Stolen Credentials | ~20% | S$4.19M (ASEAN) | High (292 days to resolve) |
| Ransomware | Growing (+47%) | Very High | Low (attacker announces) |
| Supply Chain / Third-Party | Increasing (+40%) | High | Very High |
| Insider Threats | ~26% (human error) | Moderate-High | Very High |
| Cloud Misconfiguration | Common | Moderate | Medium |
| Vulnerability Exploitation | Variable | S$4.86M (zero-day, ASEAN) | High |
| AI-Enhanced Attacks | 16% involve AI | Rising | High |
| Perpetrator Type | Motivation | Methods | Notable Cases |
|---|---|---|---|
| Financially motivated cybercriminals | Monetary gain | Extortion, data theft, ransomware | Primary driver |
| Nation-state APT groups | Espionage, disruption, financial | Spear-phishing, zero-days, supply chain | Lazarus (DPRK), Volt Typhoon, UNC3886 (China) |
| Organized crime syndicates | Profit, reputation | SIM swapping, MFA bypass, custom malware | Scattered Spider, LAPSUS$, ShinyHunters β |
| Hacktivists | Political/ideological | Defacement, DDoS, data dumps | Growing but secondary |
| Insiders | Coercion, grievance, profit | Data exfiltration, credential sharing | Recruited by ransomware groups β |
Lazarus Group (North Korea): Evolved from hacktivists to financial cybercriminals. Linked to Lab 110. Stole $625M in Ethereum from the Ronin Network. Source Source
Volt Typhoon and UNC3886 (China): State-sponsored hackers targeted Singtel and critical infrastructure in Singapore during 2024-2025. Source
Nation-state actors blend espionage with financially motivated theft, blurring the line between geopolitical and criminal threats.
In October 2025, a European airline's frequent-flyer database was auctioned on a dark web marketplace. Criminals used stolen miles to book first-class tickets, then resold them for cash. This shows how non-financial data carries real monetary value. Source
Loyalty points, gaming accounts, and subscription credentials are now mainstream dark web commodities.
$17.3M in stolen personal data trade has been documented on dark web marketplaces. Source
| Metric | Value | Source |
|---|---|---|
| Mean breach lifecycle (identify + contain) | ~241 days | DeepStrike |
| Stolen credentials breaches (resolution time) | ~292 days | DeepStrike |
| AI/automation shortened detection by | 108 days | BrightDefense |
| XDR technology lifecycle | 249 days | BrightDefense |
| Without XDR lifecycle | 304 days | BrightDefense |
| Median dwell time (Mandiant, targeted intrusions) | ~10 days | BrightDefense |
| Average breach lifecycle (Verizon DBIR 2025) | 277 days | BrightDefense |
Many breaches are discovered only when stolen data appears on the dark web or is reported by a third party. By the time external detection triggers, the data has already been sold or exploited. Source
| Metric | Value | Source |
|---|---|---|
| Global average cost per breach (2025) | $4.44M | DeepStrike |
| Global average cost per breach (2024) | $4.88M | DeepStrike |
| Cost per compromised record | $164 | DeepStrike |
| Individuals exposed in 2025 | 55 million | DeepStrike |
| Americans impacted by breaches (2024) | 1 billion+ | AboutLawsuits |
| Supply chain attacks increase | 40%+ | BlueFire |
| Breaches involving AI | 16% | BlueFire |
| AI-generated phishing | 37% | BrightDefense |
| Deepfake attacks | 35% | BrightDefense |
190 million individuals affected. The figure grew from an initial 100 million to 190 million over months of forensic analysis, making it one of the largest healthcare breaches in US history. Source Source
The final victim count more than doubled during investigation. Initial breach estimates are almost always undercounts.
| Metric | Value | Source |
|---|---|---|
| ASEAN average breach cost (2024) | S$4.34M (US$3.33M), +7% YoY | TechGoondU |
| ASEAN average breach cost (2025) | USD 3.67M, +14% to record high | ComputerWeekly |
| Financial sector (most expensive) | S$7.48M per breach | TechGoondU |
| Industrial sector | S$5.62M per breach | TechGoondU |
| Technology sector | S$5.5M per breach | TechGoondU |
| Business email compromise | S$4.65M avg cost | TechGoondU |
| Stolen credentials | S$4.19M avg cost | TechGoondU |
| Zero-day vulnerability (most expensive) | S$4.86M avg cost | TechGoondU |
| Asia Pacific ransomware incidents (H1 2024) | 57,000+ | AccessPartnership |
| AI/automation impact (ASEAN) | Cut lifecycle by 99 days, saved ~US$1.25M | ComputerWeekly |
ASEAN breach costs hit a record high in 2025 at USD 3.67M, a 14% increase. The financial sector bore the heaviest cost at S$7.48M per breach. Source Source
| Case | Individuals Affected | Fine / Outcome | Source |
|---|---|---|---|
| SingHealth | 1.5M patients | S$750,000 (largest single fine) | SoS |
| Marina Bay Sands | 665,000 patrons | S$243,096 (2025) | Baker McKenzie |
| Singapore Data Hub | 689,000 individuals | SGD 17,500 | Baker McKenzie |
| PPLingo Pte Ltd | 300,000+ minors | S$74,000 (May 2024) | Baker McKenzie |
| RedMart | 1.1M users | Reported | SoS |
| MyRepublic | 79,000 | Reported | SoS |
The PDPC has issued over S$1 million in total fines to date. The largest single fine was S$750,000 for the SingHealth breach. Source
| Jurisdiction | Notification Deadline | Max Penalty | Key Requirement |
|---|---|---|---|
| Singapore (PDPA) β | 3 calendar days | S$1M (organization) | Appoint DPO (mandatory from June 1, 2025) |
| EU (GDPR) | 72 hours β | 4% of global annual turnover | Notify supervisory authority + affected individuals |
| ASEAN (varies) | Varies by country | Varies | Fragmented frameworks; Singapore strongest |
Organizations must notify the PDPC within 3 calendar days of determining that a breach is notifiable. A Data Protection Officer (DPO) must be appointed as of June 1, 2025. Notification is required when the breach results in significant harm OR affects 500+ individuals. The organization must also investigate the breach scope and potential harm to consumers. Source Source Source Source
Three days is tight. Organizations without a pre-built incident response plan and DPO will struggle to meet this deadline.
Under GDPR Article 33, organizations must notify the supervisory authority within 72 hours of becoming aware of a breach. Affected individuals can file private claims for damages. Companies should revisit breach response plans to consider private claim risks before notifying individuals. Source Source Source
GDPR notification triggers a 72-hour clock AND opens the door to private litigation. The legal strategy must account for both.
The window between breach detection and regulatory notification is measured in hours, not days. Organizations without a tested incident response plan, a designated DPO, and external forensic/legal contacts will face penalties on top of whatever the breach itself cost. Source