By Roy Urrico
The Identity Theft Resource Center (ITRC) revealed the number of data compromises reported in the U.S. surpassed two significant milestones in 2023: the highest number of data events reported and exceeding 2,000 (and ultimately 3,000) events for the first time in a single year. The total number of reported data breaches, exposures, leaks and unspecified events reached 3,205, impacting an estimated 353,027,892 victims.
The ITRC, an El Cajon, Calif.-based national nonprofit organization that supports identity crime victims, released its 2023 Annual Data Breach Report recently at the Identity, Authentication and the Road Ahead Cybersecurity Policy Forum hosted by the Better Identity Coalition, the FIDO Alliance and the ITRC.
The ITRC tracked 1,404 more data compromises in 2023 than in 2022 and 1,345 more than the previous high in 2021. Healthcare (809 compromises) and financial services (744) were the most compromised industries in 2023. Both industries, along with transportation (101), also reported more than double the number of compromises compared to 2022.
In addition to the number of data compromises, the ITRC report also examined the root causes and types of data compromised as well as trends and solutions. "There is never any one reason why compromises go up or action you can take that will completely prevent data breaches and identity crimes," said Eva Velasquez, president and CEO of the ITRC.
Velasquez added, "Rather than dwell on the past, we are focused on what we can do moving forward to reduce the impact on victims. It starts with finding ways to reduce the value of personal information to identity criminals and seeking ways to improve the breach notice process to help protect both people and businesses." She continued, "These are startling findings, but they are a stark reminder that there is much work to be done to improve data protection and help victims recover when their personal information is misused."
Despite the upsurge in compromises, the number of victims impacted in 2023 decreased from 2022 (425,212,090). The report maintained this is consistent with a general trend of the number of estimated victims dropping slightly each year due to organized identity criminals focusing on specific information and identity-related fraud and scams rather than mass attacks. In addition, these numbers only estimate the victim count because data breach notices increasingly lack detailed information, according to the ITRC (see below).
Some other findings:
Publicly traded companies withheld information about an attack in 47% of notices compared to 46% of other organizations.
While healthcare led all industries in terms of the number of reported compromises in each of the past five years, utility companies led in the estimated number of victims in 2023 with about 73 million. Healthcare had about 56 million victims and financial services had an estimated 61 million victims.
Most data compromises were due to cyberattacks. Phishing-related and ransomware occurrences were down slightly, while zero-day attacks (those exploiting a vulnerability unknown to its owners) jumped significantly compared to previous years.
Supply Chain Attacks
Two clear trends emerged in 2023, according to the ITRC study, beyond the dramatic rise in overall data compromises: 1) an equally dramatic increase in the number of organizations impacted by supply chain attacks, and 2) the further breakdown in the breach notification framework.
The ITRC noted that supply chain attacks, also known as third-party vendor attacks, typically fall under one of the primary root causes of a compromise, most often a cyberattack through phishing, ransomware or malware. Organizations impacted by these types of attacks surged by more than 2,600 percentage points since 2018. The estimated number of victims also rose 1,400 percentage points in that time frame.
A supply chain attack can also come in the form of breaching a single organization and stealing information from multiple companies, or using flaws in a single product or service used by multiple companies to access the personal information stored in their databases.
The report explained, “A single supply chain attack can directly or indirectly impact hundreds or thousands of businesses that rely on the same vendor. Stronger reporting requirements can help warn other vulnerable businesses of the risk associated with a similar attack.”
Lack of Information
The ITRC report suggested, “The two-decade old legislative and regulatory framework designed to alert consumers to breaches is broken…We need to bring a level of uniformity to the breach notice process to help protect both consumers and business.”
The Annual Data Breach Report noted that in 2023, 1,400 public breach notices did not contain information about an attack vector, compared to 716 in 2022. The 358 notices from publicly traded companies represented 11% of the overall number of compromises. Yet public companies accounted for 40% of all data compromise victims. Since 2018, the percentage of notices with actionable information has dropped from about 100% to 54%.
In her “Letter from the CEO” introducing the annual study, Velasquez said: “On July 1, 2003, the world’s first law that required consumers to be notified their personal information had been compromised in a data breach went into effect in California.” She added that by the end of 2005, 156 other organizations had issued breach notices tracked by the ITRC, and a handful of states had adopted a California-style breach notice law. Fast forward to 2018, when the final two states adopted breach notice requirements, following the lead of 90 other countries, all U.S. territories, and the District of Columbia.
Velasquez added, “However, Congress did not enact a federal breach notice law. The result was a patchwork of state laws and federal regulations with different definitions of PII (personal identifiable information) triggers for a notice, methods of notification, time frames for issuing a notice, and penalties for failing to issue a notice.”
Velasquez pointed out that in the years between 2005 and 2018, technology advanced and identity criminals’ skills improved. “Paper documents in file cabinets accessible in locked rooms were replaced by cloud environments accessible via the internet.” She noted that off-the-shelf hacker tools lowered the barrier to entry for launching attacks, and that the wealth of PII available from data breaches and identity scams made it easy to impersonate an individual or business using social engineering.
“Identity criminals shifted from lone individuals hacking for fun and street cred in their parents’ basement to highly sophisticated groups operating out of glass and stone towers in far-away lands. Hollywood shows us people in hoodies while the real identity criminals flash cash, drive Lambos and operate call centers.”
(Beginning on September 1, 2023, all federally insured credit unions must notify the NCUA no later than 72 hours after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.)