Data Breach TodayArchived May 19, 2026✓ Full text saved
Patch Rollout Slows and Ransomware Incident Volume Rises, Finds Latest Verizon DBIR The frequency of hackers exploiting vulnerabilities in hardware and software to gain initial access to a victim's environment continues to surge, and half of all successful breaches also now involve some type of "ransomware action," according Verizon's 2026 Data Breach Investigations Report.
Full text archived locally
✦ AI Summary· Claude Sonnet
Governance & Risk Management , Incident & Breach Response , Patch Management
Verizon Breach Report: Vulnerability Exploitation Surges
Patch Rollout Slows and Ransomware Incident Volume Rises, Finds Latest Verizon DBIR
Mathew J. Schwartz (euroinfosec) • May 19, 2026
Credit Eligible
Get Permission
Image: Verizon Data Breach Investigation Report
Bugs, and lots of them, were how a plurality of data breach intrusions began during the last year, finds Verizon in its latest annual appraisal of the state of cybersecurity.
See Also: Know Thy Enemy: Threats to Cyber Resilience
The 2026 Data Breach Investigations Report, published Tuesday, finds that one-third of all known breaches began with vulnerability exploitation, distantly followed by credential abuse in 13% of attacks, and to a lesser extent, phishing and social engineering.
Half of all successful breaches also now involve some type of "ransomware action."
In bad news for defenders, the report also finds that fewer vulnerabilities identified by the U.S. Cybersecurity and Infrastructure Security Agency as under active exploitation receive patches. And even when fixed, bugs are being patched more slowly. Organizations at the top of their patch management game only fix 30% to 40% of actively exploited hardware and software bugs within the first week after detection, the report states.
This year's annual DBIR is based on more than 31,000 real-world security incidents leading to data breaches affecting organizations across 145 countries from Nov. 1, 2024, through Oct. 31, 2025. The report is based on information gathered by Verizon Business's own investigations as well as anonymized data shared by a network of partners, including the FBI, Britain's National Crime Agency, the EU's CERT-EU cybersecurity service, vendors and other organizations.
The report finds organizations patched just roughly a quarter of critical vulnerabilities last year, down from 38% the prior year, and took longer to do so - 43 days on average, up from 32 days the previous year.
"Volume certainly plays a big part in it," said Daniel Lawson, senior vice president of global solutions at Verizon Business, of the lag in remediation. Security researchers collectively found more than 48,000 vulnerabilities last year, an 18% year-over-year increase - a number poised to only grow higher this year. The number of critical vulnerabilities grew by half, "a massive amount for companies to deal with," Lawson said.
Verizon has observed companies investing to improve vulnerability management, but "the sheer amount of volume means that even these improved processes are unable to keep up with the growing number of unique critical vulnerabilities," he added.
Report authors count as a security incident any security event that compromises the confidentiality, integrity or availability of data. Of those incidents, more than 22,000 - also a record-setting number - were confirmed data breaches, defined as the incident resulting in "confirmed disclosure - not just potential exposure - of data to an unauthorized party."
As with patching a corporation's internal environment, remediating security shortcomings in third-party cloud services remains challenging, with researchers seeing a widespread failure to enforce the use of multifactor authentication, complex passwords and correct configurations.
"Looking at remediation over time in third-party cloud exposure, only 23% of third-party organizations fully remediated missing or improperly secured MFA on their cloud accounts, with 50% of all findings being resolved within a month. For weak passwords and permission misconfigurations, the time to resolve 50% of all findings was much worse, reaching almost eight months," the report says.
Ransomware Rises
Ransomware attacks didn't stop growing, with some type of related action present in 48% of all breaches last year, up from 44% the prior year. Such actions can include data theft from organizations or their third-party service providers, data-only extortion attacks and traditional crypto-locking malware (see: Ransomware Defenses Appear to Be Holding; Challenges Loom).
The report said 69% of identified victims didn't pay a ransom, and when they did, the average ransom they paid dropped to about $140,000, compared to $150,000 the prior year.
Researchers said the rise in ransomware breaches is tied in part to half of all data breaches last year involved some type of third-party service (see: Salesforce Sounds Alarm Over Fresh Data Extortion Campaign).
The use of information-stealing malware by cybercriminals, especially for unleashing ransomware, also remains rife. Half of all breach victims showed signs of "a credential or infostealer event" having occurred within 95 days of the initial intrusion tied to the ransomware attack.
All of these findings carry caveats that cybersecurity professionals should remember when attempting to translate the statistics into their decision-making and planning, said cyber risk expert Tony Martin-Vegue in a report appendix.
"Think of it this way: when we say ransomware was present in 48% of breaches, what we're really saying is "among organizations that got breached and detected it and reported it, or had it reported by someone else, 48% of those breaches involved ransomware," he said.
In addition, the report "does not capture attacks that failed, activity that was blocked or disrupted before causing harm, or incidents that went undetected or never met reporting criteria," he said.
AI-Facilitated Hacking
Much has already changed since last November, when the scope of the latest DBIR data ends. Major changes include a surge in data breaches tied to the use of tools such as Claude Code to help automatically orchestrate every step of an attack.
"Traditionally, cybercriminals relied on human effort and technical skill to execute attacks. Now, Agentic AI systems can automate every stage of cybercrime: reconnaissance, phishing, data theft and even laundering stolen and illicit assets," says the U.S. Secret Service in a report appendix.
Many artificial intelligence tools, including but not limited to the latest frontier models such as Anthropic's Mythos, continue to reveal new vulnerabilities in widely used software. Experts said AI models' ability to chain vulnerabilities together to make them more exploitable also continues to improve. How effective this might be for real-world attacks, against enterprise security environments with layered defenses, remains unclear.
"Both the DBIR team and Verizon are keenly aware of the growing impact and capabilities of AI-augmented vulnerability research and weaponization so far in 2026 based on early indicators and trends," the report says.
One takeaway for defenders is that almost none of the malware developed by generative AI or actions taken by AI hacking was that unusual. When attackers used GenAI to generate malware, fewer than 2.5% of the resulting samples "involved less-common techniques with one or fewer known malware examples."
As with many aspects of AI, experts often recommend more AI to defend against illicit use. Agentic AI can monitor in real time, automate threat detection and response, the Secret Service said.
Attacks are getting faster and more refined, meaning the answer for defenders involves "refinement, not revolution," counsels Verizon. The need to do the basics and do them well still holds.
"While the velocity of cyber threats - driven by AI and faster vulnerability exploitation - is increasing, the foundational principles of security and strong risk management remain the most effective defense," said Daniel Lawson, senior vice president of Verizon Business.
"The DBIR reinforces that these fundamentals still hold as organizations strive for resilience," he said.
With reporting by ISMG's David Perera in Northern Virginia.