- Key insight: For the first time in the Data Breach Investigations Report's 19-year history, exploiting unpatched software overtook stolen credentials as the most common way attackers break in.
- What's at stake: The report maps where banks' customer data is most exposed: through unpatched software and the outside vendors banks increasingly rely on.
- Supporting data: Industry-wide, third-party involvement in breaches jumped 60% in a year, to 48%; in financial services a vendor figured in 34%.
Overview bullets generated by AI with editorial review.
For nearly two decades, the most common way hackers broke into organizations was a stolen password. Last year, unpatched software overtook it.
Verizon detailed the shift in the 2026 edition of its
The report's chapter on finance and insurance counts 3,809 security incidents in the sector over that span, of which 1,300 were confirmed data breaches. Financial gain motivated 98% of the breaches, and outsiders carried out 88% of them.
The sector remains a favorite target because its core business is handling money, according to the report.
For bank security teams, the report suggests danger is shifting toward unpatched software and the vendors in banks' IT supply chains, and away from the stolen credentials that topped the list for years.
Break-ins overtake log-ins
Across all industries, exploiting software vulnerabilities was the way bad actors got in for 31% of breaches, surpassing stolen credentials for the first time the report has measured.
Credential abuse fell to 13%, though the report cautioned that stolen credentials still play a role in 39% of breaches.
Verizon said artificial intelligence is partly responsible because it helps less-skilled attackers exploit known software flaws faster than before.
Vulnerability exploits have overtaken credential abuse in financial services, too.
Attackers broke in by exploiting vulnerabilities in 22% of the sector's breaches, by phishing in 20% and by using stolen credentials in 15%, according to the report.
Regardless of entry method, attackers consistently do the same thing once they're in. "System Intrusion," the report's label for its more complex, ransomware-driven attacks, has been the top breach pattern in finance since 2022.
Together with social engineering and a catchall category the report labels "Everything Else," it makes up 81% of the sector's breaches.
Risk runs through vendors
Outside vendors have become an increasingly common doorway into companies, including banks. Across industries, the share of breaches involving a third party jumped 60% from the prior year, to 48%.
In financial services, a third party was involved in 34% of breaches, and the human element, the report's term for someone who gets tricked or makes a mistake, showed up in 65%.
Increasingly, the report said, attackers phish a bank's vendors as a way in.
That pattern played out last year in a ransomware attack on Marquis Software Solutions, a marketing and compliance vendor to financial institutions.
In that breach, attackers
The stolen records included Social Security numbers, dates of birth and account information. That tracks with what the DBIR found gets compromised most often in the sector: internal business data in 53% of breaches, personal data in 43% and credentials in 26%.
The people problem, and an AI wrinkle
Phishing is still the most common way attackers manipulate people in the sector, the report found, showing up more than twice as often as pretexting, a con in which the attacker builds a fake scenario to get someone to grant access.
Attackers are changing the phishing methods they use. In the DBIR's own phishing tests, people clicked on traps sent by voice or text message 40% more often than on emails.
The sector's own insiders accounted for 12% of breaches, down from 22% a year earlier, though the report said those incidents are mostly accidents rather than sabotage.
The exposure on the horizon is artificial intelligence inside the building. Nearly half of employees (45%) are now regular users of AI tools on company devices, up from 15% a year earlier, and two-thirds (67%) reach those tools through personal accounts.
Verizon calls the practice shadow AI and ranks it the third most common way employees accidentally leak data. The DBIR lists it as the next big threat companies need to guard against.