Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Verizon DBIR spotlights software vulnerabilities
For the first time in the history of Verizon’s Data Breach Investigations Report, exploiting software vulnerabilities has surpassed stolen credentials as the leading cause of breaches. Based on analysis of 31,000 incidents, it found organisations had only fixed 26 per cent of the CISA “known exploited” flaws. Verizon analysts noted a “considerable drop” from the 38 per cent fixed the previous year. Security Boulevard’s headline neatly summed up the change: ‘slower vulnerability remediation meets faster exploitation’. Help Net Security expanded on this point. “The problem is that organisations aren’t patching known vulnerabilities quickly (and sometimes not thoroughly) enough,” wrote Zeljka Zorz.
Other key findings were: confirmed breaches nearly doubled compared to last year’s 12,195. Third-party supply chain breaches jumped 60 per cent, now representing 48 per cent of all incidents. Employee use of unapproved “shadow AI” tripled to 45 per cent of the workforce, which brings greater risk of data leakage.
SecurityWeek’s coverage focused on threat actors’ increasing use of generative AI for targeting, initial access, and malware development. Tenable Research, a report contributor, warned that the median time to patch has grown by 11 days in a single year, leaving organisations exposed. Qualys, another research partner, described the situation as a treadmill picking up speed: defenders are running harder than ever, and still falling behind. Brian Honan applied an Irish lens to the findings, noting that security is a business issue, not a technology problem. The full report is available free at verizon.com/dbir.
Europol outlines internet organised crime trends
It’s been a busy few weeks for major security reports, with Europol releasing the latest edition of its annual Internet Organised Crime Threat Assessment (IOCTA). Titled ‘How encryption, proxies, and AI are expanding cybercrime’, the 2026 report covers trends across cybercrime enablers, online fraud schemes, cyber-attacks, and online child exploitation. Not surprisingly, the report identifies cryptocurrencies as facilitating criminal activity: privacy coins and offshore exchange services are helping to launder ransomware payments.
Despite ongoing crackdowns, dark web marketplaces and forums remain active, with criminals frequently shifting platforms to avoid detection. Encrypted messaging services and anonymised networks are increasingly connecting surface and dark web environments. According to the report, generative AI tools are enabling highly targeted phishing campaigns, with caller ID spoofing and SIM farms allowing attackers to send thousands of fraudulent messages simultaneously. Europol identified more than 120 active ransomware variants in 2025 alone. It also pointed to the growing trend of criminals threatening to leak stolen data rather than just encrypting it. The report is free to download here.
Data protection and privacy roundup: Fast fashion, PTSB punished, GDPR-niversary
The Data Protection Commission launched an inquiry into fast fashion retailer Shein Ireland’s transfers of personal data from EU users to China. The regulator will examine whether Shein has complied with its GDPR obligations in relation to those transfers. Separately, the Commission fined the bank Permanent TSB over a series of personal data breaches. The watchdog found that malicious actors were able to exploit inadequate security protocols at the bank’s contact centre to access and amend customer accounts, leaving account holders exposed to additional fraud risk. Meanwhile, the Commission’s €530 million fine against TikTok is on hold after the Supreme Court issued a unanimous ruling dismissing a procedural appeal by the DPC. According to ComplianceHub, the ruling has precedent implications for Meta, Google, and other major tech firms headquartered in Ireland.
Turning to the EU, the European Data Protection Board marked the 10th anniversary of the GDPR’s adoption, noting it was the first comprehensive data protection framework spanning an entire continent. The board has also launched a consultation on a harmonised DPIA template to promote greater consistency in data protection impact assessment practices across Europe. Separately, the EDPB opened a public consultation on draft guidelines on how GDPR applies to scientific research.
Links we liked
Microsoft is phasing out SMS MFA for personal accounts.
AI-assisted hackers are waiting to strike, no skills required.
Mat Honan’s thoughtful essay for MIT Technology Review on AI malaise.
SANS’ free framework helps security pros build a mature AI adoption plan.
The death has occurred of Ask Jeeves, beloved natural language search engine.
Rustinel is an open source endpoint detection tool for Windows and Linux.
A live index of security incidents disclosed in United States SEC filings.
Gaps have emerged in Irish organisations’ readiness for NIS2.
The HIPAA cybersecurity rule (23 this year) is getting an upgrade.
Plan, run and evaluate cybersecurity exercises with this ENISA tool.