Identity Security Predictions for 2025 - Q1 Update
April 3, 2025 • Alistair Pugin

We kicked off Season 3 of the AppGov Preventive Maintenance series by focusing on 4 things:
- A year in review - 2024’s largest security breaches
- Where we believe Microsoft is heading with helping customers improve their overall security posture with technologies deployed in Azure and Microsoft 365
- Reaffirming our approach to security
- Our predictions for 2025
Let’s unpack what Nic and I discussed during that session and where we are a few months later at the end of Q1.
What Cybersecurity Breaches happened in 2024?
This is our list of the top 9 breaches, in no specific order.
1. National Public Data (NPD) Breach
What: In August 2024, NPD, a consumer data broker, confirmed a breach that exposed about 2.9 billion individuals' personal information, including social security numbers, addresses, and phone numbers. Passwords and usernames were also exposed.
Cause: Traced back to a security lapse in December 2023, which allowed cybercriminals to access and sell the stolen data.
Broader Implications: The data leak heightened the risk of identity theft and fraud. NPD faced lawsuits over its failure to protect personal data; the resulting financial strain led to its filing for bankruptcy. The breach raised awareness of the need for stricter data protection strategies.
2. UnitedHealth Group Ransomware Attack
What: In February 2024, UnitedHealth Group faced a massive ransomware attack on its subsidiary, Change Healthcare, exposing the private data of over 150 million individuals in the United States.
Cause: The Black Cat ransomware group was found responsible. The group used the credentials of a compromised account that lacked multi-factor authentication (MFA) to gain unauthorized access to Change Healthcare’s systems.
Broader Implications: The breach disrupted healthcare services across the U.S. UHG paid the hackers a $22 million ransom, though additional threats may have led to a second ransom payment. The cost of the response added up to approximately $2.87 billion in 2024. The breach highlighted the need for an advanced cybersecurity plan to protect sensitive information in the healthcare sector.
3. Snowflake Data Breach
What: Starting in April 2024, more than 100 customers of Snowflake, Inc., a cloud data platform, were affected by hackers who accessed and stole vast amounts of customer data, including call records and financial records.
Cause: A cybercriminal group tracked as UNC5537 stole customer credentials lacking MFA from more than 165 organizations.
Broader Implications: Organizations faced significant financial losses and lawsuits. The incident emphasized how exposed cloud data platforms are to credential theft and prompted organizations to review their security protocols: enforcing MFA, educating users, and strengthening endpoint security.
4. MediSecure Breach
What: In April 2024, MediSecure, an electronic prescription company, was made aware of an attack that affected about 12.9 million Australians. The data that was stolen included names, birthdates, addresses, healthcare identifiers, Medicare numbers, and prescription details.
Cause: The company identified the breach as a ransomware attack via a third-party vendor.
Broader Implications: The attack caused disruptions to operations between healthcare providers and pharmacies, led to company insolvency, and impacted patients’ trust in digital healthcare services. It demonstrated the need for strategic cybersecurity practices.
5. Internet Archive Breach
What: In October 2024, an incident exposed about 31 million users' personal email addresses and passwords. The Internet Archive also experienced service outages due to DDoS attacks. Users were notified via a JavaScript alert placed on the organization’s site.
Cause: The hackers used unrotated access tokens (digital keys that grant access to systems) to breach the Internet Archive.
Broader Implications: As a result, concerns were raised about the cybersecurity practices of the Internet Archive. It also heightened the risk of credential stuffing attacks, especially for those who reused similar passwords across multiple sites. This breach emphasized the need for individuals to use strong, unique passwords and to use MFA wherever possible.
6. Halliburton Cyberattack
What: In August 2024, an oilfield service provider had to shut down some of its internal systems after becoming aware of unauthorized access to its systems.
Cause: A third party gained access to and exfiltrated data from its systems, causing disruption to its business applications.
Broader Implications: Due to the attack, Halliburton’s shares declined, and delayed billing and collections hurt its free cash flow. The breach highlights the ongoing threat of cyberattacks on important infrastructure and large corporations.
7. Ivanti Zero-Day Incident
What: Ivanti, a company that specializes in IT management and security solutions, suffered attacks in which unauthenticated attackers gained administrative privileges.
Cause: The exploitation of vulnerabilities within Ivanti Connect Secure, Policy Secure appliances, and Endpoint Manager.
Broader Implications: The vulnerabilities allowed unauthorized access and remote code execution, affecting organizations globally. The breach was particularly severe because it reached critical infrastructure and government agencies, including CISA (the Cybersecurity and Infrastructure Security Agency).
8. LoanDepot Incident
What: A mortgage lender experienced a data breach that compromised the personal information of about 16.9 million individuals. The information included names, email addresses, Social Security numbers, and financial account numbers.
Cause: The ALPHV/BlackCat ransomware group claimed responsibility for the attack.
Broader Implications: The attack led to widespread system outages that prevented customers from accessing their accounts and making mortgage payments. LoanDepot paid out more than $86.6 million in a settlement to data breach victims. This attack highlighted the importance of robust security measures, especially in the financial services industry.
9. Infosys Breach
What: In September 2024, Infosys McCammish Systems announced a major breach potentially affecting 6.5 million records. Unauthorized actors infiltrated their network, compromising sensitive information.
Cause: LockBit took responsibility for the Infosys attack and implanted ransomware across the Infosys network, locking over 2,000 devices.
Broader Implications: The attack caused operational disruptions and led to lawsuits. Infosys agreed to pay $17.5 million in settlement costs, leading to a financial strain on the company. It underscored the significance of implementing and maintaining cybersecurity protocols to prevent attacks.
2024 - 2025 Cyber Threat & Cyber Attack Trends
As you can see, it hasn’t stopped. In fact, it has gotten worse. I don't know anyone who doesn't sit up and drink their coffee faster with the possibility of spitting it out when they see these reports, and watch them grow. The sheer scale and numbers are staggering.
Some other sobering stats from Microsoft’s Digital Defense Report 2024:
- 775 million email messages contained malware (July 2023 - June 2024)
- 54% of phishing campaigns targeting consumers impersonated online software and service brands
- 7,000 password attacks were blocked per second over the past year
Figure 1: Increase in attacks. Microsoft’s Digital Defense Report of 2024.
And since we focus predominantly on Microsoft technologies, where is Microsoft in all of this? What has it been doing to combat the increase in cyberattacks in 2024 and now? Remember, for Microsoft, security is a multi-billion-dollar business.
Microsoft's Secure Future Initiative
Figure 2. Microsoft Secure Future Initiative
Microsoft's Secure Future Initiative (SFI) is a comprehensive cybersecurity transformation program launched in November 2023 to address evolving threats and internal security challenges. It represents the company’s largest-ever cybersecurity engineering effort, involving over 34,000 engineers and integrating security into every aspect of product development and operations.
Secure by Design
This pillar ensures security is embedded into the foundational architecture of products and services. Key components include:
- Security-first culture: Employees are evaluated on security contributions, with performance metrics tied to security outcomes.
- Risk mitigation: Proactive threat modeling and vulnerability assessments during the design phase to minimize attack surfaces.
- Zero Trust principles: Network security redesigns prioritize least-privilege access and continuous verification of user/device trustworthiness.
Secure by Default
Microsoft enforces stringent security configurations as standard settings, requiring no manual intervention:
- Automated protections: Access token signing keys are managed via Azure hardware security modules, and SSH access is disabled for internal repositories.
- Reduced attack vectors: Dormant tenants (e.g., inactive accounts) are systematically removed, and personal access tokens are limited to seven-day validity.
- Enforced policies: Optimal security standards are now mandatory for customers, replacing optional recommendations.
Secure Operations
This pillar focuses on continuous monitoring and improvement of security controls:
- Centralized inventory systems: Over 99% of physical networks are tracked for firmware compliance and logging.
- Enhanced transparency: Microsoft proactively publishes Common Vulnerabilities and Exposures (CVEs), even when no customer action is required.
- Audit retention: Logs are retained for at least two years to support forensic investigations.
The SFI’s three pillars work synergistically to create a layered defense strategy, prioritizing security over feature rollouts and addressing external critiques of Microsoft’s past practices.
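The identity failures in the breach list above (accounts without MFA at Change Healthcare and Snowflake, unrotated tokens at the Internet Archive) are exactly what the Secure by Default controls target. The following Python script is an added example, not Microsoft's or the authors' code: it audits a constructed directory export for those conditions. The seven-day personal access token limit is the figure quoted above; the 90-day dormancy and token-rotation windows, the record layout, and all sample accounts are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Seven-day PAT validity is the SFI figure; dormancy/rotation windows are assumed.
MAX_PAT_VALIDITY = timedelta(days=7)
DORMANT_AFTER = timedelta(days=90)        # assumption
ROTATE_TOKENS_AFTER = timedelta(days=90)  # assumption

@dataclass
class Token:
    name: str
    issued: date
    expires: date

@dataclass
class Account:
    upn: str
    mfa_enforced: bool
    last_sign_in: Optional[date]
    tokens: List[Token] = field(default_factory=list)

def audit_account(acct: Account, today: date) -> List[str]:
    """Return one finding per control the account violates; empty means compliant."""
    findings = []
    if not acct.mfa_enforced:                     # Change Healthcare / Snowflake root cause
        findings.append("MFA not enforced")
    if acct.last_sign_in is None or today - acct.last_sign_in > DORMANT_AFTER:
        findings.append("dormant account")        # SFI removes dormant tenants/accounts
    for t in acct.tokens:
        if t.expires - t.issued > MAX_PAT_VALIDITY:
            findings.append(f"token {t.name} valid longer than 7 days")
        if today - t.issued > ROTATE_TOKENS_AFTER:
            findings.append(f"token {t.name} unrotated")  # Internet Archive root cause
    return findings

# Constructed sample export (not real data): one compliant user, one stale
# service account with a long-lived token, and one account that never signed in.
TODAY = date(2025, 3, 31)
SAMPLE = [
    Account("alice@example.com", True, date(2025, 3, 28),
            [Token("ci-deploy", date(2025, 3, 27), date(2025, 4, 3))]),
    Account("svc-legacy@example.com", False, date(2024, 6, 1),
            [Token("etl-sync", date(2023, 12, 1), date(2026, 12, 1))]),
    Account("bob@example.com", True, None),
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(f"{acct.upn}: {audit_account(acct, TODAY) or ['compliant']}")
```

In a real tenant the records would come from a directory or token-inventory export rather than being built inline, but the checks stay the same.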
In November 2024, Microsoft released an update to the original SFI. More can be read in Microsoft’s November update.
Added to that, Microsoft’s investment in adopting The Open Group’s Zero Trust architecture and building it into the design of all of its security products ensures that organizations have the necessary patterns and practices at hand to achieve a better security posture. This is also Nic’s and my unofficial security bible: we have said repeatedly that Zero Trust should be the basis for everything in security.
In fact, we even helped Microsoft build out their Zero Trust Adoption Framework… which is our crowning achievement. So yes, we are a little more passionate about ZTA (Zero Trust Architecture) than most.
Figure 3. Microsoft Zero Trust Architecture.
Our predictions for 2025:
There really are just three, and they are quite simple. If two of the three show up (and we have now seen Microsoft create a new form of matter for its quantum computing processor), it is guaranteed that in the not-so-distant future things will accelerate as fast as Majorana.
Hacking to increase
Hackers will find more mechanisms for fooling people into believing that the “link” is real. It’s not going to slow down. People need to become more vigilant when clicking on links.
Uncensored AI
While the conventional AIs (ChatGPT, Copilot, Gemini, etc.) are properly governed, you can deploy your very own AI into whatever environment you have (self-hosting), and then you get to do whatever you want. We’ve seen chatbots like WormGPT and, more recently, GhostGPT show up on the dark web, which means that hackers have unfettered access to bad AI: AI that will help hackers, well, hack.
Quantum Computing
When we ran the episode at the beginning of the year, Microsoft had not made its announcement yet, but we called it. Quantum computing will greatly accelerate hacking techniques like brute force and decryption, bringing the time required down from multiple years to, dare we say, days. This poses a massive threat to the world of encryption.
There you have it, people. Our state of the security nation address, with predictions for 2025. We believe that all roads lead to securing those human and non-human identities you have in your environment, which is why Nic and I will remain vigilant.
We will fight the good fight to educate and improve Identity Security Posture Management
We will continue to pester our audience about the benefits of Identity Security Posture Management, and if it means we must go door-to-door to make sure that you follow the principles of Zero Trust, we will.
Remember to R.E.A.D.
R – Restrict access to resources in your environment.
E – Encrypt your data and backups.
A – Access control: lock down access and authorization to your estate.
D – Defense: monitor everything happening in your environment, and build up defenses to combat any attacks.
Want to dive even deeper into Identity Predictions? Watch the full webinar on-demand here.

Written by Alistair Pugin
M365 + Security MVP | Blogger | Podcaster | Speaker | Founder, CEO - YModernize
Alistair has worked in various capacities in multiple verticals from retail-manufacturing to government, spanning 50 to 50000 users utilizing all aspects of pure Enterprise Information Management.
Specialties: 20+ years pure IT, 16 years ECM, Livelink, Zylab, SharePoint, FileNet, etc. IT Pro dabbling in Dev, ECM Consultant, Suffering from Technophilia. Technology Architect specializing in Business Productivity Enrichment.