ITRC: Data Compromises Reach Yearly Record; Financial Services Becomes Most Attacked Industry
By Roy Urrico
The old saying “records are made to be broken” unfortunately proved prophetic when it comes to data breaches in 2023. According to the ITRC’s Q3 2023 Data Breach Report, total data compromises for the year reached 2,116 through the first nine months, passing the previous highest yearly total of 1,862, set in 2021.
The El Cajon, Calif.-based Identity Theft Resource Center (ITRC), a national nonprofit organization that supports identity crime victims, in releasing its U.S. data breach findings for the third quarter (Q3) of 2023, found there were 733 publicly reported data compromises in the third quarter, a 22% decrease compared to the 941 compromises in the previous quarter.
Despite the quarter-over-quarter decline, the totals for the year have already topped any previous year with three months left to report. The estimated number of victims, however, remains well short of the 2022 pace, with 110 million victims in the third quarter (compared with 66.7 million in the third quarter of 2023) and 425 million for the full year (compared to 233.9 million through the first nine months of 2023).
“While setting a record for the number of data breaches is attention-grabbing, unfortunately, it is not surprising,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “There are a handful of reasons for the rise in data compromises, ranging from the drastic uptick in zero-day attacks to a new wave of ransomware attacks as new ransomware groups enter the criminal identity marketplace. Now that we have broken the previous annual data compromise record, the question remains: by how much?”
Bad News for Financial Services
The financial services industry displaced healthcare in the third quarter as the most attacked industry for the first time since the second quarter of 2022, according to the ITRC report. The number of financial institutions reporting data compromises jumped dramatically in the third quarter, with 204 notices issued, exceeding the total number of financial service compromises reported in the past two years (135). Healthcare companies reported 113 data compromises in this year’s third quarter. No other industries reported compromise rates in triple digits.
According to the third quarter report, cyberattacks remained the most common root cause of a data breach with 614 breaches. Among the breach notices that reported an attack vector, phishing attacks were the most frequently reported cause (80). Next came zero-day attacks (69), ransomware (64) and malware attacks (17).
Cybersecurity researchers in general point to the rising number of successful zero-day attacks. The ITRC noted a 1,620% increase in zero-day attacks reported in the first three quarters of 2023 (86) compared to all of 2022 (5). A zero-day vulnerability is a software flaw that attackers exploit before the vendor or victim, still unaware of it, can patch it.
Additional findings in the Q3 2023 Data Breach Report analysis include:
· Supply chain attacks impacted a large number of entities in the third quarter, though not directly. More than 1,000 companies (1,321) reported data compromises as the result of an attack against 87 organizations, including many third parties using the MOVEit file transfer software, a product produced by Ipswitch, Inc.
· So far in 2023, a vulnerable MOVEit product impacted 344 U.S. organizations via one or more vendors. An additional 79 organizations reported a direct impact resulting from attacks against MOVEit software or services. Four of the top ten compromises in the third quarter related to a MOVEit attack.
· A new wave of ransomware attacks also contributed to the rise in compromises. The number of data breaches attributed to ransomware (186) now exceeds the number of malware attacks so far in 2023. However, malware is also up in 2023 with 106 related compromises versus 68 in full-year 2022.