Between 2019 and 2024, more than 14.8 billion records were exposed in documented data breaches globally, according to data aggregated from the Identity Theft Resource Center (ITRC), Verizon’s annual Data Breach Investigations Report (DBIR), and IBM’s Cost of a Data Breach Report. That averages out to roughly 8.1 million records compromised every single day, a number so large it has quietly stopped shocking people.
But when you move past the headline numbers and look at the breach records themselves, the network logs, the forensic summaries, the post-incident analyses published by cybersecurity firms, a single, uncomfortable pattern emerges. Not the one most people expect.
It is not weak passwords. It is not unpatched software. It is not even phishing, which accounts for roughly 36% of breach initiation vectors according to the 2024 Verizon DBIR. Those are all contributing factors. The common thread, the one that connects a coffee shop customer in Chicago to a hospital patient in Manchester to a remote worker in Singapore, is far simpler: an unencrypted connection on a network they did not control.
14.8B Records exposed globally 2019–2024 8.1M Records compromised every single day $4.88M Average cost of a breach in 2024 (IBM) 2019–2024 | 8.1MRecords compromised every single day | $4.88MAverage cost of a breach in 2024 (IBM) |
Sources: ITRC Annual Data Breach Report 2024, Verizon DBIR 2024, IBM Cost of a Data Breach Report 2024
The Network Nobody Owns
In 2024, Verizon’s DBIR analyzed 30,458 security incidents and 10,626 confirmed breaches across 94 countries. Of the breaches involving external actors, which account for 65% of all incidents, the overwhelming majority exploited one of two entry points: stolen credentials or network interception on unsecured connections.
The term ‘unsecured connection’ is deceptively mundane. It means any network transmission that travels without end-to-end encryption, a hotel WiFi login that uses HTTP instead of HTTPS, a corporate VPN session that drops mid-call and silently reverts to a local connection, a remote worker accessing a company database through a public airport network. In each case, the data in transit is readable to anyone with the right tools and proximity.
| The tools required to intercept unencrypted traffic on a public network cost less than $50 and require no technical expertise beyond a YouTube tutorial. The barrier to entry for a network-level attack has never been lower. |
Shodan, the search engine for internet-connected devices, currently indexes over 15 million devices with no authentication requirements, routers, cameras, smart home systems, and corporate servers broadcasting their presence openly to anyone who searches. In 2023 alone, researchers at Cybernews identified more than 2,000 publicly exposed database servers containing a combined total of 386 million user records, none of which required a password to access.
Five Years of Breach Data: What the Numbers Actually Show
The ITRC’s 2024 Annual Data Breach Report documented 3,205 data compromises in the United States alone, a 78% increase over 2022 figures and a record high since the organization began tracking in 2005. The healthcare sector led with 809 reported incidents, followed by financial services (744) and professional services (413).
What is striking is not the sector distribution, but the attack methodology. Of the breaches with confirmed attack vectors in the ITRC dataset, 72% involved data in transit, information moving between a user and a server, rather than data at rest sitting in a database. The popular narrative that breach victims are hacked because their passwords are weak or their software is outdated does not hold up against the forensic record. Most victims were intercepted, not broken into.
IBM’s 2024 Cost of a Data Breach Report adds a financial dimension that makes this concrete. The average cost of a breach reached $4.88 million in 2024, up 10% from 2023, the largest single-year increase in the report’s 19-year history. Breaches involving compromised network access took an average of 258 days to identify and contain, compared to 197 days for breaches initiated through phishing. The longer the dwell time, the higher the cost, and network-level intrusions consistently have the longest dwell times because they leave the fewest forensic artifacts.
| 72% of confirmed breaches involved data in transit, not data sitting in a database. Most victims were intercepted, not broken into. |
The Geography of Vulnerability
Public WiFi usage has grown significantly in recent years, with an estimated 549 million public hotspots globally by the end of 2022 according to Statista, a figure projected to reach 628 million by 2026. Simultaneously, the number of WiFi-based attacks documented by Kaspersky’s threat intelligence division increased by 37% between 2022 and 2024.
The correlation is not coincidental. Airports, hotels, hospitals, and coffee shops, the locations where public WiFi is most heavily used, are also the locations where network monitoring tools are most frequently deployed by threat actors. A 2023 study by Symantec found that 1 in 4 public WiFi hotspots in major global airports had no encryption whatsoever. A separate analysis of hotel network security by researchers at the University of Maryland found that mid-range hotel networks, the tier most frequently used by business travelers, were successfully intercepted in simulated attack scenarios 68% of the time.
Remote work has compounded the exposure. Since 2020, the proportion of corporate data accessed from outside the office network has grown from an estimated 30% to over 60%, according to Cisco’s 2024 Cybersecurity Readiness Index. Yet the same report found that only 39% of organizations have implemented mandatory encrypted tunnel requirements for remote access, meaning the majority of remote workers are accessing sensitive corporate systems over connections that offer no protection against interception.
What Protection Actually Looks Like
The solutions most frequently recommended after a breach, password resets, multi-factor authentication, security awareness training, address the authentication layer. They are necessary. They are not sufficient, because they do nothing to protect data that is already in motion across a network that the victim does not control.
Encrypted network tunneling, the underlying mechanism of a virtual private network, addresses the interception layer directly. By encrypting all outbound traffic before it leaves a device and routing it through a secured server, it renders intercepted data unreadable. The Ponemon Institute’s 2023 Global Encryption Trends Study found that organizations with comprehensive encryption strategies experienced breach costs 29% lower than those without, and had a mean time to identification 41 days shorter.
Not all VPN implementations offer equivalent protection, however. The VPN industry has faced its own credibility challenges, several providers have been found logging user data despite no-logs claims, and audit practices vary widely. A small number of providers have moved toward independent verification. PureVPN, for instance, has undergone four consecutive no-logs audits conducted by KPMG on an always-on, unannounced basis, meaning auditors can inspect infrastructure without prior notice.
It is an approach that a handful of providers have begun to adopt, reflecting growing pressure from enterprise customers and regulators who require demonstrable proof rather than policy statements. The distinction matters because a VPN that logs data provides no meaningful protection if that data is later subpoenaed or compromised.
The data from five years of breach analysis points to a straightforward conclusion: the victims were not uniquely careless or uniquely unlucky. They were using networks the same way most people use networks, without thinking about what travels across them unprotected. The one thing they had in common was not a mistake they made. It was a protection they never had.
Methodology: This analysis draws on publicly available breach databases and annual reports including the Verizon Data Breach Investigations Report (2020–2024), IBM Cost of a Data Breach Report (2020–2024), Identity Theft Resource Center Annual Data Breach Reports (2019–2024), Ponemon Institute Global Encryption Trends Study (2023), Cisco Cybersecurity Readiness Index (2024), Statista Global Public WiFi Hotspot Data, and independent research from Symantec, Kaspersky, and the University of Maryland. All figures cited are from publicly published editions of these reports.