As part of its mission to help educate businesses about identity crimes, the Identity Theft Resource Center has released its annual data breach report. Learn about three troubling trends discussed in that report.
The Identity Theft Resource Center (ITRC) is a non-profit organization established more than two decades ago to help businesses and consumers minimize the risk and impact of identity crimes. Part of its mission is to educate businesses and consumers about identity crimes, including how the perpetrators use data compromise attacks to get the personal information they need. To accomplish the latter, the ITRC publishes an annual data breach report that discusses the number of data compromise attacks, their attack vectors, and more.
The ITRC recently released the “2021 in Review – Annual Data Breach Report”. To create this report, ITRC researchers gathered information about data compromises that were publicly reported in the United States in 2021. This information was collected from a variety of sources, including government agencies, company announcements, and recognized security research firms. Here are three troubling trends that the researchers discovered when they analyzed the information:
- The Number of Data Compromises Reached an All-Time High
In 2021, there were 1,862 data compromises reported in the United States — an all-time high. More than 293 million people were victimized by these incidents.
Data compromises include data breaches, data exposures, and data leaks. The vast majority (96.0%) of the 1,862 data compromises were data breaches. Far less common were data exposures (3.0%) and data leaks (0.4%). The type of data compromise was not indicated in 0.6% of the cases.
Here is how the ITRC distinguishes between these three types of data compromises:
- Data breaches are events in which unauthorized individuals access and/or remove personal information from the place where it is stored.
- Data exposures are incidents in which personal data is available for access and/or removal from the place where it is stored, but there is no evidence that unauthorized individuals have done so. This typically involves cloud-based data storage in which cybersecurity protections are misconfigured or have not been applied.
- Data leaks involve personal information that represents no or low risk when viewed as individual records. However, when aggregated, the sheer volume of personal information available creates risk to the data subjects and value for identity criminals who specialize in social engineering and phishing. Data leaks occur when this information is left unprotected (e.g., willingly shared on social media, made publicly available). This category is new to the 2021 report.
- Businesses Became the Primary Target for Identity Crimes
In the past, cybercriminals typically compromised personal data about consumers to carry out identity crimes against them. That’s no longer the case. When the ITRC researchers were analyzing information from the publicly reported data compromises in 2021, they found that a shift had occurred.
“The personal information of consumers remained valuable to cybercriminals, but individuals were not the primary target for most identity crimes committed in 2021,” said Eva C. Velasquez, president and CEO of ITRC. “Instead, consumer information was often the means to the end of attacking businesses through stolen credentials — logins and passwords — or social engineering where savvy cybercriminals tricked people into revealing information needed to launch an attack.”
In addition, the researchers found that most identity crimes were fueled by consumer information stolen from businesses in data breaches. In other words, cybercriminals stole consumer data from companies so they could get the information and credentials needed to perform more attacks against companies.
- Ransomware Became a Common Attack Vector
For the past two years, security experts have been warning companies about a troubling trend: Ransomware gangs are increasingly stealing data before encrypting it. The ITRC researchers’ findings confirm that this trend is indeed occurring.
When the researchers analyzed the 1,862 data compromises that occurred in 2021, they found that:
- 87% were caused by cyberattacks
- 10% were due to human and system errors (e.g., lost devices, misconfigurations)
- 3% were the result of physical attacks (e.g., stolen devices, document theft)
Digging deeper, the researchers discovered that the top two types of cyberattacks used were phishing (33%) and ransomware (22%). This doesn’t seem too noteworthy until you put it into perspective. Just two years ago, phishing was used a lot more (53%) and ransomware a lot less (9%). “At the current growth rate, ransomware attacks will pass phishing as the number one root cause of data compromises in 2022,” according to the “2021 in Review – Annual Data Breach Report.”