Over 70% of organizations hit by identity breaches
Attackers rely on stolen credentials, compromised service accounts, and social engineering attacks targeting employees, according to Sophos’ The State of Identity Security 2026 survey.
What do you estimate to be the overall cost to your organization to rectify the identity breach? Base: organization could not stop the security breach. n=510. (Source: Sophos)
Identity attack trends
A survey of 5,000 IT and cybersecurity leaders across 17 countries found that more than 70% of organizations were affected by at least one identity-related breach in the past 12 months. Switzerland had the highest breach rate, followed by Mexico and Italy. Germany, Colombia, and Japan had the lowest rates, though each still exceeded 60%.
The energy, oil and gas, utilities, and federal government sectors recorded the highest breach rates. IT, telecoms, and healthcare had the lowest, which may reflect stronger security investment in those sectors.
Compliance difficulties can indicate broader security weaknesses, with companies that struggle with compliance recorded higher breach rates.
Most respondents that experienced an identity-related breach in 2025 detected and stopped the attack before it caused damage. Smaller companies were less likely to detect attacks, increasing the risk of severe consequences.
Although Switzerland recorded a high breach rate, Brazil had the highest rate of detection failures, leaving firms in both countries particularly exposed.
Across industries, media, leisure, and entertainment had the highest detection failure rate, followed by manufacturing and financial services. Healthcare performed best, possibly because of regulatory pressure to invest in threat monitoring.
Ransomware tied to identity compromise
Researchers also identified a strong link between identity attacks and ransomware. Two-thirds of organizations hit by ransomware said the incident was connected to their most significant identity attack, suggesting that identity compromise is a major ransomware delivery mechanism.
The link was strongest in organizations with 1,001–3,000 employees and weakest in those with 100–250 employees. Higher education and transportation reported the strongest connection between ransomware and identity attacks, while financial services, IT, technology, and telecoms showed lower rates.
Cost and impact of identity breaches
For the 510 firms that failed to stop a major identity attack, the damage was serious and involved multiple issues.
On average, each suffered two major consequences. About half reported data theft, nearly half were affected by ransomware, and 46.7% lost money through fraud or stolen funds. Another 43.9% encountered extortion.
The findings show that undetected identity attacks often result in significant financial and operational damage. A combination of human, process, and technical failures contributed to identity-based attacks, with respondents identifying an average of two root causes per incident.
Weak human identity management was the most common reason organizations fell victim to attacks. Larger companies frequently cited human error and weak identity management as contributing factors.
The global mean recovery cost was $1,637,363, while the median cost was $750,000.
Identity security weaknesses
The survey examined five identity management activities and how often firms performed them. The results revealed gaps between best practices and day-to-day operations that increase exposure to identity attacks.
Real-time monitoring was the most common activity, though more than half of companies checked for unusual login attempts no more than once every three months. Only 34.3% rotated and audited non-human identities (NHIs) weekly or more often, while 11.1% did so continually. Identity governance policy reviews were the least frequent activity, with one-third reviewing policies no more than quarterly and 22.6% reviewing them only every six months.
Organizations with weak NHI management were 22% more likely to experience financial theft and 24.4% more likely to encounter extortion. They also reported recovery costs from identity breaches that were $147,178 higher on average.
Download: The IT and security field guide to AI adoption