As part of its mission to help educate businesses about identity crimes, the Identity Theft Resource Center has released its annual data breach report. Learn about three troubling trends discussed in that report.
The Identity Theft Resource Center (ITRC) is a non-profit organization established more than two decades ago to help businesses and consumers minimize the risk and impact of identity crimes. Part of its mission is to educate businesses and consumers about identity crimes, including how the perpetrators use data compromise attacks to get the personal information they need. To accomplish the latter, the ITRC publishes an annual data breach report that discusses the number of data compromise attacks, their attack vectors, and more.
The ITRC recently released the “2021 in Review – Annual Data Breach Report“. To create this report, ITRC researchers gathered information about data compromises that were publicly reported in the United States in 2021. This information was collected from a variety of sources, including government agencies, company announcements, and recognized security research firms. Here are three troubling trends that the researchers discovered when they analyzed the information:
In 2021, there were 1,862 data compromises reported in the United States — an all-time high. More than 293 million people were victimized by these incidents.
Data compromises include data breaches, data exposures, and data leaks. The vast majority (96.0%) of the 1,862 data compromises were data breaches. Far less common were data exposures (3.0%) and data leaks (0.4%). The type of data compromise was not indicated in 0.6% of the cases.
Here is how the ITRC distinguishes between these three types of data compromises:
In the past, cybercriminals typically compromised personal data about consumers to carry out identity crimes against them. That’s no longer the case. When the ITRC researchers were analyzing information from the publicly reported data compromises in 2021, they found that a shift had occurred.
“The personal information of consumers remained valuable to cybercriminals, but individuals were not the primary target for most identity crimes committed in 2021,” said Eva C. Velasquez, president and CEO of ITRC. “Instead, consumer information was often the means to the end of attacking businesses through stolen credentials — logins and passwords — or social engineering where savvy cybercriminals tricked people into revealing information needed to launch an attack.”
In addition, the researchers found that most identity crimes were fueled by consumer information stolen from businesses in data breaches. In other words, cybercriminals stole consumer data from companies so they could get the information and credentials needed to perform more attacks against companies.
For the past two years, security experts have been warning companies about a troubling trend: Ransomware gangs are increasingly stealing data before encrypting it. The ITRC researchers’ findings confirm that this trend is indeed occurring.
When the researchers analyzed the 1,862 data compromises that occurred in 2021, they found that:
Digging deeper, the researchers discovered that the top two types of cyberattacks used were phishing (33%) and ransomware (22%). This doesn’t seem too noteworthy until you put it into perspective. Just two years ago, phishing was used a lot more (53%) and ransomware a lot less (9%). “At the current growth rate, ransomware attacks will pass phishing as the number one root cause of data compromises in 2022,” according to the “2021 in Review – Annual Data Breach Report.”