In the ever-evolving world of cybersecurity, where defense terminology often changes but attack vectors remain familiar, BakerHostetler’s 2025 Data Security Incident Response (DSIR) Report provides critical intelligence and insights for organizations seeking to strengthen their resilience. Now in its 11th edition, the report analyzes over 1,250 incidents managed by the firm’s Digital Assets and Data Management (DADM) Practice Group, offering actionable intelligence rather than mere observations.
The report begins with encouraging news regarding ransomware attacks. Once a dominant threat, ransomware incidents have decreased, with shorter recovery timelines and significantly reduced ransom payments, down 33% year-over-year. In 2024, the average payment dropped to $501,338 from $747,651 in 2023. This positive shift stems from improved backup and recovery planning, enhanced collaboration with law enforcement, and a more mature ecosystem of breach response partners. However, the report cautions that while fewer organizations are paying for decryption tools, many still face extortion pressures to prevent stolen data from being released publicly.
Forensic investigation expenses reached a three-year low in 2024. Among the 20 largest network intrusion matters, average costs fell from $550,000 to $273,000. This reduction reflects industry improvements through pre-deployed endpoint detection and response (EDR) tools, enhanced triage capabilities, and a more competitive and efficient forensic market. Organizations that have EDR comprehensively deployed before an incident experience faster detection, streamlined containment, and more precise scope analysis, outcomes that appeal to budget-conscious leadership teams.
Despite these positive developments, the report reveals a concerning countertrend: wire fraud losses increased threefold, from $35 million in 2023 to $109 million in 2024. This surge is particularly pronounced in business/professional services and financial sectors, where average fraudulent transfers now exceed $1.25 million. A critical risk factor is delayed discovery—the median time between initial account compromise and fraud detection is 18 days, compared to a three-day median across all incidents. This extended timeline severely impacts fund recovery possibilities, presenting a significant challenge for incident response teams and financial controllers.
For the 11th consecutive year, healthcare (including biotech and pharma) led all sectors in reported incidents, representing 36% of the total. The sector also experienced the highest average ransom payment at $847,875. Recent attacks like the Change Healthcare breach continue to highlight the industry’s systemic vulnerabilities, where operational disruption, sensitive data exposure, and regulatory scrutiny intersect.
Class action filings following breach notifications showed a modest decline—51 lawsuits from 518 disclosure events, compared to 58 the previous year. This represents the first reversal in this metric in five years. The report notes a slowing in privacy statute lawsuits, particularly those targeting web tracking and cookie technologies. Nevertheless, legal exposure remains significant, especially with increasing settlements and ongoing regulatory attention from state attorneys general and federal bodies such as HHS’s Office for Civil Rights.
The report emphasizes social engineering’s growing role in breaches. Techniques such as spear phishing, vishing, MFA fatigue, and direct manipulation of help desk staff are increasingly preferred over malware. With compromised credentials, attackers bypass perimeter defenses and exploit insufficient identity and access controls. The focus now shifts from detection to denial, limiting potential damage by enforcing least-privilege principles and rigorous role-based access control.
Interestingly, despite dominating technological and regulatory discussions, AI has not emerged as a primary cyberattack tool. Threat actors continue to rely on human manipulation, compromised credentials, and traditional entry points. While AI’s potential impact on phishing automation or synthetic identity creation remains significant, the most common risks still stem from exploitable human behavior and operational gaps.
Third-party incidents accounted for 27% of cases tracked. The report emphasizes that third-party risk management requires formalization, active maintenance, and integration into core governance. While high-profile incidents like Change Healthcare and MOVEit capture headlines, underlying issues often involve overlooked offboarding protocols, outdated contracts, and unclear data deletion responsibilities.
The 2025 DSIR Report portrays a cybersecurity landscape in transition. The decreasing costs of forensic response and stabilization of ransomware represent genuine progress, but the surge in wire fraud and persistence of fundamental vulnerabilities demand continued vigilance. Organizations are increasingly anticipating threats rather than merely reacting to them. Risk isn’t eliminated, but is becoming better contextualized. The question evolves from how to respond to how to recover more effectively and rebuild stronger. For legal, data, and security professionals, the report offers not just a record of breaches but a blueprint for better decision-making in an era of cyber uncertainty.
News Sources
- BakerHostetler launches 2025 Data Security Incident Response Report (BakerHostetler)
- BakerHostetler. (2025, April 15). 2025 Data Security Incident Response Report. Retrieved from https://www.bakerlaw.com/DigitalAssetsDataManagement
Assisted by GAI and LLM Technologies
Source: HaystackID published with permission from ComplexDiscovery OÜ