Based on a cross-case analysis of the breaches documented in The Big Book of Breaches 2025 (Illumio), clear patterns emerge across industries, threat actors, and techniques. Below are the top five breach reasons evident across the incidents, followed by their most effective corresponding resolutions, grounded directly in the cases described throughout the report.
1. Unpatched or Vulnerable Public-Facing Systems
This is the single most common root cause. Multiple breaches (Change Healthcare, telecom espionage, Ivanti VPN, Salt Typhoon attacks) began with attackers exploiting known but unpatched vulnerabilities in internet-exposed systems.
Top resolutions:
Organizations that recovered fastest focused on disciplined vulnerability management combined with containment. Key actions include aggressive patching of internet-facing systems, isolating exposed services into tightly controlled network segments, and enforcing Zero Trust principles so that a single exposed system cannot provide broad access. Microsegmentation of critical applications and real-time monitoring of east-west traffic were repeatedly cited as effective controls.
2. Credential Compromise (Phishing, Password Spraying, Credential Stuffing)
Credential abuse appeared in several high-impact cases, including Microsoft’s executive email breach, CDK Global, Ticketmaster (Snowflake credentials), and the Iran-linked campaign. In most cases, attackers did not need exploits; valid credentials were sufficient.
Top resolutions:
The strongest responses combined mandatory multi-factor authentication everywhere (including legacy and test systems), identity-based access controls, and strict separation of environments. Segmenting executive, administrative, and cloud-data access sharply reduced blast radius. Monitoring for abnormal authentication patterns and enforcing least-privilege access were also key corrective measures.
3. Excessive Lateral Movement Due to Flat Networks
Once attackers gained a foothold, damage escalated primarily because internal networks were overly permissive. This was central to the Change Healthcare, Microsoft, telecom, and Ivanti incidents.
Top resolutions:
Microsegmentation was the dominant mitigating control across nearly every case. By separating workloads, applications, and data types into isolated security zones, organizations could have stopped ransomware spread, espionage pivoting, and data exfiltration early. Real-time enforcement and inspection of inter-segment traffic consistently appeared as a recommended resolution.
4. Third-Party and Supply Chain Trust Failures
Several breaches were not caused by the victim’s core systems directly, but by implicit trust in vendors or partners. Ivanti VPNs, Snowflake-hosted Ticketmaster data, and telecom infrastructure dependencies illustrate this pattern.
Top resolutions:
Effective remediation focused on isolating third-party systems from core environments, enforcing strict access boundaries, and applying Zero Trust even to “trusted” vendors. Segmenting vendor-managed infrastructure and monitoring data flows between third-party and internal systems were highlighted as critical improvements.
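As an added illustration of the default-deny segmentation that the resolutions under points 1, 3 and 4 describe (example code written for this summary, not taken from the Illumio report or any product), the Python below assumes a constructed workload inventory, a constructed allow-list of inter-segment flows, and constructed east-west flow records. It flags the flows a segmentation policy would block and reports how many segments each source reached, the blast-radius signal the report ties to lateral movement.

```python
"""Default-deny microsegmentation check over constructed east-west flow records."""

# Workload -> segment label. Constructed inventory, not from the report.
SEGMENTS = {
    "web-01": "dmz-web",            # internet-facing web server
    "app-01": "app-tier",
    "db-01": "data-tier",
    "vpn-appliance": "vendor-edge", # vendor-managed remote-access box
    "dc-01": "identity",            # domain controller
    "jump-01": "admin-bastion",
}

# Allow-list of (src_segment, dst_segment, dst_port). Everything else is denied.
ALLOWED_FLOWS = {
    ("dmz-web", "app-tier", 8443),
    ("app-tier", "data-tier", 5432),
    ("admin-bastion", "identity", 636),
    ("admin-bastion", "data-tier", 22),
    ("vendor-edge", "app-tier", 8443),  # the single path a vendor system gets
}

# Constructed flow records (src, dst, dst_port) mirroring the report's patterns.
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8443),         # normal tiered path
    ("app-01", "db-01", 5432),          # normal tiered path
    ("web-01", "db-01", 5432),          # exposed web host skipping the app tier
    ("web-01", "dc-01", 445),           # SMB toward identity tier: spread pattern
    ("vpn-appliance", "dc-01", 389),    # vendor edge reaching the identity tier
    ("vpn-appliance", "app-01", 8443),  # the one vendor flow the policy allows
    ("rogue-99", "db-01", 5432),        # unlabelled workload: no implicit trust
]

def evaluate_flow(src, dst, port):
    """Return 'allow' or 'deny:<reason>' for one observed east-west flow."""
    src_seg, dst_seg = SEGMENTS.get(src), SEGMENTS.get(dst)
    if src_seg is None or dst_seg is None:
        return "deny:unlabelled-workload"
    if (src_seg, dst_seg, port) in ALLOWED_FLOWS:
        return "allow"
    return f"deny:{src_seg}->{dst_seg}:{port}"

def audit_flows(flows):
    """Return only the flows a default-deny segmentation policy would block."""
    verdicts = [(s, d, p, evaluate_flow(s, d, p)) for s, d, p in flows]
    return [v for v in verdicts if v[3] != "allow"]

def blast_radius(flows):
    """Distinct destination segments each source touched; many from one host is lateral movement."""
    reach = {}
    for src, dst, _port in flows:
        reach.setdefault(src, set()).add(SEGMENTS.get(dst, "unlabelled"))
    return {src: sorted(segs) for src, segs in reach.items()}

if __name__ == "__main__":
    for src, dst, port, verdict in audit_flows(OBSERVED_FLOWS):
        print(f"{src} -> {dst}:{port}  {verdict}")
    print(blast_radius(OBSERVED_FLOWS))
```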
5. Insider Risk and Over-Privileged Internal Access
The AT&T breach demonstrates the continued risk of insider or insider-assisted attacks that bypass perimeter defenses entirely.
Top resolutions:
Organizations that strengthened internal defenses emphasized data-centric security: segmenting sensitive datasets, applying application-level controls on databases, enforcing least-privilege access, and continuously monitoring for abnormal data access or transfer behavior. Zero Trust for internal users, not just external ones, was a key takeaway.
Summary Insight
Across all five breach patterns, one conclusion is consistent: initial compromise was rarely the real failure. The true damage occurred because attackers could move laterally, escalate access, and reach high-value assets unchecked. The most effective resolutions, therefore, focused less on “perfect prevention” and more on containment, especially through Zero Trust and microsegmentation strategies.