Financial sector hit hard by breaches but ransomware seeks targets elsewhere

by · BetaNews

The banking, financial services and insurance (BFSI) sector has been the most targeted in 2025, accounting for 17.8 percent of all incidents (172 incidents out of 966) tracked in Cyble’s latest North American Threat Landscape Report.

The report describes a mature leak economy where a small cluster of prolific actors generates many listings, supported by a large ‘long tail’ of smaller sellers -- meaning BFSI data can be sourced by both major brokers and many opportunists.

Cyble observed 657 compromised-access listings in 2025. BFSI was the second most targeted industry (105 incidents) in that underground economy behind only retail (132 incidents). BFSI’s prominence in the access-broker market increases the downstream risk of large breaches, ransomware deployment, and direct financial theft, because many attacks start with a purchased foothold rather than a fresh compromise.

Ransomware attacks against finance are down, however, even though ransomware remains a significant threat overall. The data records 3,726 ransomware attacks in 2025, with the BFSI sector experiencing only the seventh most attacks among the industries counted (162 ransomware incidents). Cyble attributes the sector’s lower volume of attacks to a recent maturation of cybersecurity controls and strong regulatory oversight in financial institutions. Construction tops the list of ransomware targets, as the industry’s growing reliance on digital project management systems, contractor networks, and interconnected operational workflows has expanded its attack surface significantly.

The report’s authors note that the ransomware surge “…was fueled by a thriving market for initial access and data leaks, which disproportionately affected the retail and BFSI sectors due to the high value of monetizable financial and personal data. Threat actors routinely exploited high-severity vulnerabilities in perimeter devices and employed advanced phishing techniques to bypass multi-factor authentication.”

The full report, with details of the most notable breaches and leaks, is available from the Cyble site.
