Identity-Related Breaches Hit 71% of Organizations, Are the Root Cause of Two-Thirds of Ransomware Attacks, Sophos Finds

Sophos Report: 71% of Firms Hit by Identity Breaches, Fueling Ransomware Attacks

INFORMATIONAL
June 1, 2026
4 min read
Threat Intelligence, Policy and Compliance, Ransomware


Executive Summary

A new report from cybersecurity firm Sophos, titled "State of Identity Security 2026," finds that the compromise of digital identities is now a dominant factor in major security incidents. The global survey of 5,000 IT and cybersecurity leaders found that 71% of organizations suffered at least one identity-related breach in the last 12 months. The report links these incidents directly to ransomware: 67% of ransomware attacks began with a compromised identity, most often stolen employee credentials. The findings underscore the need for organizations to treat identity security as a core pillar of their defense strategy rather than an adjunct to endpoint and network controls.


Regulatory Details

While this is an industry report and not a regulation, its findings have significant implications for compliance. The high prevalence of identity breaches and their link to ransomware attacks puts organizations at greater risk of violating data protection regulations like GDPR, HIPAA, and CCPA. A breach originating from a compromised identity could be seen by regulators as a failure to implement reasonable security controls, leading to higher fines and penalties.

Affected Organizations

The report's findings are cross-sector and global, based on a survey spanning 17 countries. Key findings include:

  • 71% of organizations experienced at least one identity-related breach in the past year.
  • Organizations experienced an average of three such incidents.
  • The Energy, Oil/Gas, and Utilities sector reported the highest breach rate at 80%.
  • The Government sector was second-highest at 78%.

Compliance Requirements

The report implicitly calls for stronger adherence to identity and access management (IAM) best practices, which are central to many compliance frameworks (e.g., NIST CSF, ISO 27001). Key takeaways for compliance teams include:

  1. Strengthening Authentication: The data indicates that password-only authentication is insufficient; a stolen password alone should not be enough to log in. Compliance with modern security standards requires the implementation of Multi-factor Authentication (M1032), and the report's findings argue for phishing-resistant forms of it.
  2. Auditing Identities: The report highlights a major gap in auditing non-human identities (e.g., service accounts, API keys, AI agents). Only one-third of organizations regularly audit these, creating a significant and unmanaged risk. Regular auditing (M1047) is a core compliance requirement.
  3. Privileged Access Management (PAM): With employee credentials being the top cause of breaches, managing and monitoring privileged accounts (M1026) is more critical than ever.

Impact Assessment

The financial impact of these identity breaches is substantial, with the report citing an average recovery cost of $1.64 million. This figure includes costs related to incident response, system restoration, regulatory fines, and lost business. The strategic impact is that identity has become the new perimeter, and organizations failing to secure it are leaving their front door open for ransomware gangs and other threat actors. The proliferation of unmanaged AI agent identities represents a new and rapidly expanding attack surface that most organizations are not prepared to defend.

Compliance Guidance

Based on the report's findings, organizations should take the following tactical steps:

  1. Prioritize Phishing-Resistant MFA: Immediately begin migrating from less secure forms of MFA (like SMS and simple push notifications) to phishing-resistant methods like FIDO2.
  2. Implement a PAM Solution: Deploy a Privileged Access Management solution to vault, rotate, and monitor all privileged credentials, for both human and non-human users.
  3. Create an Inventory of Non-Human Identities: Begin a project to discover and inventory all service accounts, API keys, and other non-human identities. Assign owners, define lifecycles, and integrate them into the IAM program.
  4. Conduct Identity-Focused Training: Update security awareness training (M1017) to focus on modern threats like MFA fatigue and social engineering aimed at credential theft.

Timeline of Events

June 1, 2026: This article was published.

MITRE ATT&CK Mitigations

Multi-factor Authentication (M1032): Implementing strong, phishing-resistant MFA is the top defense against the credential compromise highlighted in the report.

Privileged Account Management (M1026): Secure, monitor, and manage the lifecycle of all privileged accounts, both human and non-human, to reduce the risk of their misuse.

Audit (M1047): Conduct regular audits of all identities, with a special focus on non-human and service accounts, to identify and remove disused or overly permissive accounts.

User Training (M1017): Continuously train users to recognize and report phishing and social engineering attempts.

D3FEND Defensive Countermeasures

Based on the Sophos report's finding that compromised credentials are the top cause of identity breaches, the most critical countermeasure is the universal adoption of phishing-resistant multi-factor authentication. Organizations should prioritize migrating away from SMS and simple push-based MFA, which are vulnerable to phishing and MFA fatigue (push-bombing) attacks. FIDO2/WebAuthn authenticators (hardware security keys or platform passkeys) are phishing-resistant because the credential is bound to the site's origin, so a proxied look-alike login page cannot obtain a usable assertion. Number matching in authenticator apps is a worthwhile interim step: it blunts push-bombing, but it does not stop a real-time adversary-in-the-middle proxy that relays the code, so it should not be treated as a substitute for FIDO2. Enforce the control for all users, starting with privileged accounts and access to remote services (VPNs, VDI). This single control dramatically raises the difficulty of leveraging a stolen password, directly addressing the root cause of 67% of ransomware attacks according to the report.

To address the threat of compromised identities being used for lateral movement and privilege escalation, organizations must implement robust domain account monitoring. This involves shipping authentication and account modification logs from Active Directory and cloud identity providers to a central SIEM. Configure detection rules to identify suspicious activities such as: impossible travel logins, logins from non-standard devices, a user being added to a high-privilege group (e.g., Domain Admins), and brute-force or password spray attempts. Expect to tune these: impossible-travel rules fire on VPN and cloud-proxy egress addresses unless those are baselined, and spray thresholds must sit above the failure rate produced by expired passwords and misconfigured service accounts. This provides visibility into how identities are being used (and abused) post-compromise, enabling security teams to detect and respond to an intrusion before it escalates to a full-blown ransomware incident.
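As an added example (not code from the article or from Sophos), the following Python script implements three of the detections described above over a handful of constructed identity-provider log events: a password spray from one source address, a service account being added to Domain Admins, and an impossible-travel pair of logins. The event schema, the thresholds (five distinct accounts from one address within ten minutes; 900 km/h as the plausibility ceiling), the group watchlist and every sample event are assumptions chosen for illustration, not real data.

```python
"""Three identity-abuse detections run over constructed IdP log events.

Added example, not code from the article or from Sophos. The event schema,
thresholds and sample events are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Thresholds (assumed; tune to the environment being monitored).
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5            # distinct accounts failed from one source address
MAX_SPEED_KMH = 900.0          # faster than an airliner counts as "impossible"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}

# Constructed sample events (not real data). Fields mimic a normalised IdP log.
EVENTS = [
    {"ts": "2026-06-01T08:00:00Z", "event": "login", "user": "alice", "ip": "203.0.113.10",
     "result": "success", "lat": 51.5, "lon": -0.1},      # London
    {"ts": "2026-06-01T08:30:00Z", "event": "login", "user": "alice", "ip": "198.51.100.7",
     "result": "success", "lat": 40.7, "lon": -74.0},     # New York, 30 minutes later
    {"ts": "2026-06-01T09:00:00Z", "event": "login", "user": "bob", "ip": "203.0.113.20",
     "result": "success", "lat": 51.5, "lon": -0.1},
    {"ts": "2026-06-01T10:00:00Z", "event": "login", "user": "bob", "ip": "203.0.113.20",
     "result": "success", "lat": 51.5, "lon": -0.1},      # same place an hour later: benign
    {"ts": "2026-06-01T09:00:00Z", "event": "login", "user": "bob", "ip": "192.0.2.5", "result": "failure"},
    {"ts": "2026-06-01T09:00:30Z", "event": "login", "user": "carol", "ip": "192.0.2.5", "result": "failure"},
    {"ts": "2026-06-01T09:01:00Z", "event": "login", "user": "dave", "ip": "192.0.2.5", "result": "failure"},
    {"ts": "2026-06-01T09:01:30Z", "event": "login", "user": "erin", "ip": "192.0.2.5", "result": "failure"},
    {"ts": "2026-06-01T09:02:00Z", "event": "login", "user": "frank", "ip": "192.0.2.5", "result": "failure"},
    {"ts": "2026-06-01T09:10:00Z", "event": "group_member_added", "user": "mallory",
     "ip": "203.0.113.30", "result": "success", "target": "svc-backup", "group": "Domain Admins"},
    {"ts": "2026-06-01T09:12:00Z", "event": "group_member_added", "user": "mallory",
     "ip": "203.0.113.30", "result": "success", "target": "carol", "group": "Sales"},  # benign
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_password_spray(events):
    """One source address failing against many distinct accounts in a short window."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[e["ip"]].append((parse_ts(e["ts"]), e["user"]))
    alerts = []
    for ip, rows in failures.items():
        rows.sort()
        for i, (t, _) in enumerate(rows):
            # distinct accounts attempted from this address within the trailing window
            users = {u for (t2, u) in rows[: i + 1] if t - t2 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"rule": "password_spray", "ip": ip, "users": sorted(users)})
                break  # one alert per source address
    return alerts


def detect_privileged_group_add(events):
    """Any membership change on a watch-listed high-privilege group."""
    return [
        {"rule": "privileged_group_add", "actor": e["user"], "target": e["target"], "group": e["group"]}
        for e in events
        if e["event"] == "group_member_added" and e["group"] in PRIVILEGED_GROUPS
    ]


def detect_impossible_travel(events):
    """Consecutive successful logins for one user that would require an implausible speed."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(rows, rows[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # two different places at the same instant, or faster than the ceiling
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                alerts.append({"rule": "impossible_travel", "user": user,
                               "km": round(km), "hours": hours})
    return alerts


def run_all(events):
    """Run every rule and return the combined alert list."""
    return (detect_password_spray(events)
            + detect_privileged_group_add(events)
            + detect_impossible_travel(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Run as-is it emits three alerts: the spray from 192.0.2.5 against five accounts, mallory adding svc-backup to Domain Admins, and alice's London-to-New-York pair, which works out to roughly 5,570 km in half an hour. Bob's two London logins and the Sales group change stay quiet, which is the point of the benign rows: a rule that cannot tell those apart would be unusable in a SIEM.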

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Identity Security, Sophos, Ransomware, Credential Theft, MFA, Cybersecurity Report
