Cybersecurity Report Roundup: the Rise of Data Breaches; the Fall of Ransomware

By Roy Urrico

Finopotamus aims to highlight white papers, surveys, blogs and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.

In this cybersecurity roundup we focus on U.S. data breaches and global ransomware attacks.

Data Breach Trends Accelerate in First Half of 2025

There were 1,732 publicly reported data compromises in the U.S., about 5% ahead of 2024’s pace at same point last year. The Identity Theft Resource Center (ITRC), an El Cajon, Calif.-based national nonprofit organization that supports identity crime victims, its H1 2025 Data Breach Report Analysis, reported this could track a record number of compromises in 2025 if the current data breach trend continues through the rest of the year.

The financial services and healthcare industries continue to be the most targeted sectors, with 387 and 283 compromises, respectively. While the number of compromises in financial services is slightly down from the first half of 2024, the healthcare sector saw an increase in breach events in that same year-over-year six-month period.

The ITRC is also tracking a new category labeled Previously Compromised Data (PCD), a recycled data set that has been repackaged by threat actors or unknown groups. “However, because PCD is previously compromised data, PCD does not represent an increased risk to individuals, but rather a continuing risk of a variety of identity crimes, including fraud and scams,” noted the ITRC report.

“Through the first half of the year, we’ve seen a continuation, and in some cases, acceleration of the trends from 2024,” said James E. Lee, president of the ITRC. “Some of these trends are troubling – like the lack of transparency surrounding what caused more than two-thirds of compromises.”

“We also saw the use of recycled information emerge,” Lee continued. “That’s a serious risk for businesses since much of the data is logins and passwords, but it also means individuals need to take steps to protect themselves from identity fraud and scams, which they can learn to do by contacting the ITRC or visiting our website. There’s never a charge for individuals to turn to the ITRC for help.”

Some of the other highlights in the report:

• There was an 11% increase from the first half of 2024 (1,567).

• The number of data breach notices without information about the root cause of the attack jumped from 65% in the first half of 2024 to 69% in the first six months of 2025.

• The number of victim notices in the first half of 2026 (165,745,452) is only 12% of the number of notices sent at this point in 2024. The decrease is largely due to the fewer mega breaches in 2025 compared to the previous year.

• There were 79 supply chain attacks reported in 2025’s first half, impacting 690 entities and leading to 78,320,240 victim notices. “This highlights the cascading effect that a single vulnerability in a third-party can have on multiple organizations and their customers,” said the report.

The ITRC has also already followed more physical attacks in the first half of 2025 (34) than in the full year 2024 (33). “Although smaller in absolute numbers, this data breach trend is worth monitoring,” noted the ITRC.

Ransomware Attacks Fall in Second Quarter

Ransomware attacks dropped 43% in the second quarter of 2025, according to the latest Cyber Threat Intelligence Report from cybersecurity consulting firm NCC Group, with global headquarters in Manchester, England and North American headquarters in Chicago. June was the fourth month in a row that ransomware attacks dropped globally, declining by 6% with 371 cases.

Additionally, the second quarter of 2025, “hack and leak” numbers, dropped to a total of 1,180 attacks. Hack and leak denotes a type of cyber activity where sensitive information is stolen through a data breach (hacking) and then publicly released (leaked). This decline could be due to multiple factors, including seasonal fluctuations as we enter the summer period.

However, the second quarter of 2025, pointed out NCC, also saw continued activity across the threat landscape, from ransomware targeting major retailers to ongoing tensions in the Middle East. “Threat actors continue to exploit global uncertainty and instability, to capitalize on their illegal activities,” the report wrote.

“The volume of victims being exposed on ransomware leak sites might be declining but this doesn’t mean threats are reduced. Law enforcement crackdowns and leaked ransomware source code is possibly a contributing factor as to a drop-in activity, but ransomware groups are using this opportunity to evolve through rebranding and the use of advanced social engineering tactics,” said Matt Hull, global head of Threat Intelligence at NCC Group.

Hull continued, “We’ve already tracked 86 new and existing active attack groups this year, and we’re on course to surpass 2024’s record. The increased number of attackers means a broader range of attack methods that businesses need to be prepared for. Both organizations and nations should take this as a sign to remain vigilant. Investing in cyber security and intelligence-led defenses is the key to staying ahead of increasingly agile threat actors.”

The threat to application programming interfaces (APIs), which supply the backbone of modern digital infrastructure including fintech, is another emerging cybersecurity trend, according to NCC. Said the Cyber Threat Intelligence Report, “(APIs) define how software components interact, allowing systems to exchange data and services seamlessly. APIs power everything from mobile banking apps and cloud platforms to IoT (Internet of Things) devices and AI (artificial intelligence)-driven services. APIs have shifted from being simple tools of integration to critical supports for business operations and innovation which makes them an attractive target for malicious threat actors.”

NCC also spotlighted SafePay, a ransomware group most likely based in Russia, first identified in late 2024. “Although quiet for much of 2025, many victims were observed in May, prompting curiosity amongst the threat landscape. “Commentators researching SafePay’s ransomware have linked the group to several major ransomware gangs such as LockBit, ALPHV (also known as BlackCat or Noberus), Inc ransomware, and Play (also known as PlayCrypt), suggesting a potential rebrand of major players that have since disbanded or were targeted by law enforcement.”

Other top findings:

• Global ransomware attacks decreased by 6% month-on-month in June, with 371 cases

• Qilin, was the most active threat group in June, responsible for 16% of attacks. Qilin, (also known as Agenda) is a ransomware-as-a-service criminal operation that works with affiliates, encrypting and exfiltrating the data of hacked organizations.

• Industrials remain the most targeted sector with 27% of attacks in June

• Seventy-nine percent of all cases globally took place in North America and Europe in June.