With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.

We’ve summarized this past year’s top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following year.

Billions of US citizens have private data exposed

On April 8, 2024, one of the largest personal data breaches took place, leading to nearly 3 billion US citizens having their information leaked on the dark web. Even more shocking was that all of this information came from only one source — National Public Data, a background check and fraud prevention service located in Coral Springs, Florida.

The stolen information collected contained names, social security numbers, home addresses and known relatives, and was listed on the dark web for sale for $3.5 million. Many of the victims were still unaware of the breach several months later, leading to several class action lawsuits filed by a dozen U.S. states. National Public Data has since then filed for bankruptcy.

Third-party breaches impact top 48 energy companies

A SecurityScorecard report revealed this year that 90% of the world’s top energy companies experienced data breaches that stemmed from third-party breaches. Many of these attacks were a direct result of increased reliance on cloud services and third-party integration to manage networked systems.

It was confirmed that out of the 264 individual breaches linked to third-party compromises, the MOVEit vulnerability was one of the major reasons for the issues. With critical infrastructure organizations playing a significant role in the health and well-being of citizens, these types of breaches continue to threaten public safety. The energy sector as a whole has since begun implementing stricter vendor assessments, continuous system and threat monitoring solutions and more secure data transfer protocols.

Financial firms face the highest data breach costs since the pandemic

According to the IBM Cost of a Data Breach 2024 report, the financial sector has seen a surge in data breach costs since the pandemic, reaching an average of $6.08 million per incident. While various attack types account for this increase, IT failures and simple human error account for a significant portion of the problem.

While certain improvements have been made in threat detection and containment timelines, many financial firms still have an uphill battle to climb. Larger-scale financial service breaches are now estimated to reach hundreds of millions of dollars in damages, leading many organizations to invest more in comprehensive identity and access management (IAM) solutions, AI-powered security solutions and dedicated incident response teams.

Average data breach cost increases 10% year-over-year

The global average cost of data breaches jumped 10% year-over-year between 2023 and 2024, with the latest figure reaching an alarming $4.88 million. The number represented by this average is driven by a number of factors, including lost business revenues, recovery costs and regulatory fines.

Complicating this ongoing trend, 40% of breaches recorded now involve data spread across multiple public and cloud environments and on-premises systems. These larger digital footprints average over $5 million in recovery costs with an average containment timeline of 283 days. Encouragingly, organizations that leverage AI-driven security workflows are experiencing a significantly lower average of $2.2 million per breach, pointing to a positive trend in next-generation security measures.

50% of data breaches tied to security staffing shortages

The cybersecurity skills gap widened over the last few years, with 50% of organizations experiencing data breaches reporting that they stemmed from staffing shortages. Skills shortages are specific to a wide range of critical areas, including cloud security and incident response, data analysis and compliance expertise. Another growing need for these impacted organizations is proficiency in security information and event management (SIEM) tools and active threat hunting.

In an ongoing effort to fill the key personnel gaps, it’s now recommended that organizations put a stronger focus on upskilling their existing workforce. Modern businesses can also leverage professional soft skills such as good communication and adaptability to help supplement and strengthen their security teams.

Moving into 2025

The past year has shown that while modern cybersecurity tools and solutions provide protection against a broader range of threats, very few industries and organizations are immune to cyber crime’s evolving nature.

As we move into 2025, enterprises should prioritize a proactive approach to cybersecurity planning. This includes optimizing their access restriction policies when operating with both in-house and remote teams, working to address any critical staffing shortages, and creating a stronger culture of security awareness within their organization.