There was a huge increase in data compromises in 2023 but a fall in the number of individuals affected by those incidents, according to the Identity Theft Resource Center’s (ITRC) 2023 Data Breach Report. Publicly reported data compromises rose 78% in 2023, to 3,205 incidents, which is a 72% increase over the previous high-water mark of 1,860 data compromises set in 2021. The increase in incidents is staggering, as ITRC CEO Eva Velasquez explained. “Just the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020 (except for 2017).”
Even with such a high percentage increase, the estimated number of individuals affected by data compromises fell by 16% year-over-year to 353,027,892 individuals. ITRC reports that there is a general downward trend in the number of individuals affected by data breaches as criminals are focusing on quality rather than quantity and are searching for specific information that can be used for identity-related fraud and scams rather than conducting mass attacks.
Healthcare Tops List for Most Data Compromises
The ITRC data show that healthcare leads all industries in the number of reported compromises, as it has for the past 5 years. In 2023 the ITRC tracked 809 healthcare data compromises with around 56 million victims, up from 343 compromises and around 28 million victims the previous year. Financial services and transportation round out the top three, and all three of those sectors reported more than twice the number of compromises as the previous year. Utilities topped the list in terms of victim count with 73 million victims, yet reported just 44 incidents. The companies worst affected by data compromises in 2023 were T-Mobile, which had a breach that affected an estimated 37 million customers, followed by Xfinity (36M) and PeopleConnect (20M).
It is not possible to provide a simple answer as to why data breach numbers fluctuate. “We must acknowledge the significant impact of supply chain attacks and the effect they have on all organizations,” said Velasquez. “A single supply chain attack can directly or indirectly impact hundreds or thousands of businesses that rely on the same vendor.” Since 2018, the number of organizations impacted by supply chain attacks has increased by a staggering 2,600% and the number of victims has increased to more than 54 million – 15% of the overall number of victims in 2023.
The Consumer Breach Reporting Framework is Broken
Velasquez believes that stronger reporting requirements are necessary to warn other vulnerable businesses of the risk of a similar attack, and that increased due diligence is needed when it comes to vendors and data protection. Another issue highlighted by Velasquez is that the legislative framework implemented more than two decades ago to warn consumers about data breaches is simply not working. “A Supply Chain Attack victim from 2020 confirmed in 2023 what was suspected for years: Businesses under or non-report breaches,” said Velasquez.
Velasquez was referring to Blackbaud, which suffered a cyberattack in 2020 that affected millions of individuals. Blackbaud was investigated, settled the multistate action, and paid a penalty of $49.5 million. The settlement agreement confirmed that Blackbaud notified around 13,000 customers that they had been affected, yet only 604 organizations filed public notices tracked by the ITRC. “We need to bring a level of uniformity to the breach notice process to help protect both consumers and business,” said Velasquez.
Cyberattacks topped the list of the most common attack vectors with 2,365 reported compromises. Across all industry sectors, the ITRC reports that phishing attacks were down (438 incidents), as were ransomware attacks (246 incidents), even though reports from cybersecurity companies suggest that ransomware attacks increased. GuidePoint Security’s recent ransomware report showed an 80% year-over-year increase in ransomware activity.
Over the past few years, data breach disclosures have become increasingly opaque. The ITRC said more than 1,400 public data breach notices did not contain information about the attack vector, and that number has almost doubled since 2022. It is not only the root cause of data breaches that is being withheld. The ITRC reports a growing trend in withholding other information such as victim counts. “Actionable notices, those containing victim counts and attack vector details, declined from 60% in 2022 to 54% in 2023,” explained the ITRC in the report.
Problems and Solutions
The increase in data compromises by financially motivated and nation-state threat actors in 2023 is likely to drive new levels of identity theft and fraud in 2024, with the ITRC particularly concerned about impersonation and synthetic identity fraud. Criminals are likely to combine stolen data with generative AI, leading to increasingly sophisticated phishing attacks and other forms of identity fraud and scams, although the biggest threat from generative AI will continue to be misinformation and disinformation.
The ITRC is calling for a uniform breach notice law to replace the current patchwork of federal and state laws, bringing uniformity to data breach notices and ensuring that consumers are given the information they need to make an informed decision about the risk they face. To better protect consumers from identity theft and fraud, the ITRC believes there is a clear need for the expansion of facial verification along with digital credentials. This would also help lower the overall value of compromised personally identifiable information to bad actors.
Given the increase in supply chain attacks, organizations need to conduct due diligence on vendors, and knowing the breach history of a company is an important aspect of assessing risk. The ITRC will soon be launching a due diligence and alert tool for businesses – Breach Alert for Business (BA4B) – that will help them comply with state and federal requirements for cyber risk assessments on vendors and better understand the risks within their supply chains.
The post ITRC: Data Compromises Reach All Time High in 2023 appeared first on HIPAA Journal.