Sophos: Over 70% of organizations hit by identity breaches

Identity-Related Breaches Surge, Driving Ransomware and Financial Losses: Sophos Report

A recent Sophos survey of 5,000 IT and cybersecurity leaders across 17 countries reveals that over 70% of organizations experienced at least one identity-related breach in the past year. Switzerland reported the highest breach rate, followed by Mexico and Italy, while Germany, Colombia, and Japan had the lowest, though still exceeding 60%.

The energy, oil and gas, utilities, and federal government sectors faced the highest breach rates, while IT, telecoms, and healthcare, sectors with stronger security investments, saw fewer incidents. Compliance struggles correlated with higher breach rates, indicating broader security vulnerabilities.

Most organizations detected and stopped identity attacks before damage occurred, but smaller companies were less likely to identify threats early, increasing the risk of severe consequences. Brazil had the highest rate of detection failures, while Switzerland’s high breach rate left firms exposed. Media, leisure, and entertainment industries had the worst detection rates, while healthcare performed best, likely due to regulatory pressure.

The report also highlights a strong link between identity attacks and ransomware, with two-thirds of ransomware victims attributing their breach to identity compromise. Mid-sized organizations (1,001–3,000 employees) showed the strongest connection, while higher education and transportation sectors were most affected. Financial services, IT, and telecoms reported lower rates.

For the 510 organizations that failed to stop a major identity attack, the impact was severe. On average, each suffered two major consequences, including data theft (50%), ransomware (47%), financial fraud (46.7%), and extortion (43.9%). Undetected attacks led to significant financial and operational damage, with human error and weak identity management cited as the most common root causes. Recovery costs averaged $1.64 million globally, with a median of $750,000.

The survey also exposed gaps in identity security practices. While real-time monitoring was the most common activity, over half of companies checked for unusual logins no more than quarterly. Only 34.3% rotated and audited non-human identities (NHIs) weekly, and 22.6% reviewed identity governance policies just once every six months. Organizations with weak NHI management were 22% more likely to suffer financial theft, 24.4% more likely to face extortion, and incurred recovery costs $147,178 higher on average.

Source: https://www.helpnetsecurity.com/2026/05/14/sophos-2026-identity-breach-costs-report/

Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos

"id": "SOP1778740228",
"linkid": "sophos",
"type": "Breach",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['energy',
                                     'oil and gas',
                                     'utilities',
                                     'federal government',
                                     'IT',
                                     'telecoms',
                                     'healthcare',
                                     'media',
                                     'leisure',
                                     'entertainment',
                                     'higher education',
                                     'transportation',
                                     'financial services'],
                        'location': ['Switzerland',
                                     'Mexico',
                                     'Italy',
                                     'Germany',
                                     'Colombia',
                                     'Japan',
                                     'Brazil'],
                        'size': ['1,001–3,000 employees (mid-sized)',
                                 'smaller companies'],
                        'type': 'organization'}],
 'attack_vector': 'identity compromise',
 'data_breach': {'data_exfiltration': 'yes',
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information',
                                              'corporate data']},
 'description': 'A recent Sophos survey of 5,000 IT and cybersecurity leaders '
                'across 17 countries reveals that over 70% of organizations '
                'experienced at least one identity-related breach in the past '
                'year. The report highlights a strong link between identity '
                'attacks and ransomware, with severe financial and operational '
                'impacts, including data theft, ransomware, financial fraud, '
                'and extortion. Recovery costs averaged $1.64 million '
                'globally.',
 'impact': {'data_compromised': ['personally identifiable information',
                                 'corporate data'],
            'financial_loss': '$1.64 million (average recovery cost)',
            'identity_theft_risk': 'high',
            'operational_impact': 'severe operational damage'},
 'lessons_learned': 'Weak identity management and human error are the most '
                    'common root causes of identity-related breaches. '
                    'Organizations with stronger security investments and '
                    'compliance measures experienced fewer incidents. '
                    'Real-time monitoring and regular audits of non-human '
                    'identities (NHIs) are critical to reducing financial and '
                    'operational risks.',
 'motivation': ['financial gain', 'data theft', 'extortion'],
 'post_incident_analysis': {'corrective_actions': ['Enhance real-time '
                                                   'monitoring',
                                                   'Regularly audit non-human '
                                                   'identities (NHIs)',
                                                   'Update identity governance '
                                                   'policies',
                                                   'Improve compliance and '
                                                   'security investments'],
                            'root_causes': ['weak identity management',
                                            'human error']},
 'ransomware': {'data_exfiltration': 'yes'},
 'recommendations': ['Implement real-time monitoring for identity-related '
                     'threats.',
                     'Rotate and audit non-human identities (NHIs) at least '
                     'weekly.',
                     'Review and update identity governance policies regularly '
                     '(at least quarterly).',
                     'Strengthen identity management practices to reduce human '
                     'error.',
                     'Invest in compliance and security measures, particularly '
                     'in high-risk sectors.'],
 'references': [{'source': 'Sophos Report'}],
 'response': {'enhanced_monitoring': 'real-time monitoring (though over half '
                                     'checked for unusual logins no more than '
                                     'quarterly)'},
 'title': 'Identity-Related Breaches Surge, Driving Ransomware and Financial '
          'Losses',
 'type': ['identity-related breach',
          'ransomware',
          'financial fraud',
          'extortion'],
 'vulnerability_exploited': ['weak identity management', 'human error']}