According to Sophos, 71% of organizations experienced at least one identity-related breach in the past year, with many suffering repeated incidents.
The cybersecurity company surveyed 5,000 IT and security leaders across 17 countries and found that organizations reported an average of three identity breaches per year. About 5% said they were hit six or more times, suggesting that attackers keep returning to the same unaddressed weaknesses.
Sophos said identity compromise has become a main entry point for ransomware. About 67% of ransomware victims in the survey said the attack started with an identity breach.
“The data shows that identity has become the primary attack surface in modern cybersecurity, and many organizations are losing ground,” said Ross McKerchar, chief information security officer, Sophos. “The non-human identity problem is particularly urgent. AI agents are being granted access faster than security teams can manage.”
Financial damage remains significant. The average recovery cost reached $1.64 million, while the median stood at $750,000. About 73% of affected organizations spent at least $250,000 to recover.
The report highlights that data theft (49%), ransomware (48%), and financial theft (47%) were the most common outcomes of identity breaches. Only 24% of organizations continuously monitor for unusual login activity, while more than half review it no more than once every three months.
Detection gaps remain a major issue. About 14% of breached organizations said they failed to detect and stop the attack before damage occurred. Smaller firms with 100 to 250 employees were almost twice as likely to miss attacks as mid-sized companies.
Human error was a factor in about 43% of incidents, often involving employees being tricked into revealing credentials. Weak management of non-human identities, such as API keys, service accounts, and machine credentials, accounted for 41% of breaches. Organizations with weak non-human identity controls faced a higher risk of financial theft and spent about $150,000 more on recovery.
Critical infrastructure sectors were most exposed, with energy, oil and gas, and utilities reporting an 80% breach rate. Federal and central government agencies followed at 78%.
Sophos said organizations struggling with compliance were also more vulnerable, with an 82.4% breach rate compared to 68.3% among those with fewer compliance challenges.
The company warned that the proliferation of AI agents is making identity security more complex, as automated systems generate new credentials and access rights at scale, often without proper oversight.
It recommended stronger identity controls, including multi-factor authentication for all users, least-privilege access, removal of inactive accounts, and tighter management of non-human identities. Sophos also urged organizations to adopt Identity Threat Detection and Response (ITDR) tools and a Zero Trust security model.