Daily Briefing for 04.24.25

At a glance.

• Verizon's DBIR finds that third-party breaches have doubled.
• ToyMaker provides initial access for extortion gangs.
• Blue Shield of California discloses breach of health data.

Verizon's DBIR finds that third-party breaches have doubled.

Verizon has released its 2025 Data Breach Investigations Report (DBIR), finding that the percentage of breaches involving a third party has doubled to 30% compared to last year's report. Most of these incidents involved system intrusion, which Verizon says "encapsulates all the breaches and incidents that leverage a diversity of techniques, predominantly hacking techniques and malware, with a dash of social engineering."

Additionally, exploitation of vulnerabilities for initial access grew by 34% and now accounts for 20% of breaches. The researchers say this increase was partly driven by exploitation of zero-days affecting edge devices and VPNs, noting, "The percentage of edge devices and VPNs as a target on our exploitation of vulnerabilities action was 22%, and it grew almost eight-fold from the 3% found in last year’s report."

The presence of ransomware also increased by 37%, despite a decrease in the median ransom payout from $150,000 to $115,000.

ToyMaker provides initial access for extortion gangs.

Cisco Talos has published a report on a financially motivated initial access broker dubbed "ToyMaker" that works with double extortion and ransomware gangs. The researchers note, "ToyMaker has been known to use a custom malware family — a backdoor Talos tracks as LAGTOY. ToyMaker usually infiltrates an organization's environment by successfully exploiting a known vulnerability in an unpatched internet-facing server. Successful compromise almost immediately results in rapid reconnaissance of the system."

Talos has observed ToyMaker handing over access to the Cactus double extortion gang, allowing Cactus to attack a critical infrastructure enterprise.

Blue Shield of California discloses breach of health data.

Blue Shield of California has disclosed a data breach after it mistakenly exposed health information of 4.7 million people to Google's analytics and advertisement platforms, BleepingComputer reports. The health insurance provider said the breach was caused by a misconfiguration of Google Analytics on some of its websites.

Blue Shield stated, "On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information. Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone."

The exposed data may have included the following: "Insurance plan name, type and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members’ online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and 'Find a Doctor' search criteria and results (location, plan name and type, provider name and type)."