The National Cybersecurity Alliance held their second annual Data Privacy Week January 24-28, 2023, with the goal of spreading awareness about online privacy among individuals and organizations.
According to the Pew Research Center, 79% of U.S. adults report being concerned about the way their data is being used by companies. By being open about how you use data and respecting privacy, you can stand out from your competition (National Cybersecurity Alliance).
Likewise, the Identity Theft Resource Center (ITRC), a nationally recognized nonprofit organization created to support victims of identity crime, appropriately timed the release of its Annual Data Breach Report, available for download, revealing the following key findings:
- The number of victims impacted reached 422.1 million in 2022, an increase of 41.5 percent from 2021
- The number of data compromises in 2022 totaled 1,802, 60 events short of 2021’s all-time high of 1,862
- For the third year in a row, healthcare is still the prime target for hackers. Healthcare represented 19 percent of all breaches in 2022, up from 15 percent in 2021, affecting 344 organizations
- Industries topping the list of most targeted include Financial Services (268), Manufacturing and Utilities (249), and Professional Services (224)
- Cyberattacks continued to be criminals’ attack vector with 1,595 breaches in 2022, a slight decrease from 1,613 in 2021
- “Not specified” was the largest category of cyberattacks leading to a data breach in 2022, ahead of Phishing and Ransomware
- Supply chain attacks surpassed the number of malware-based attacks by nearly 40 percent, with 115 attacks affecting 1,743 organizations and over 10 million people
Determining Data Breach Risk – The Burden that is Fueling an Epidemic
The key number to remember in this year’s breach report is 34 percent, which is the lowest percentage of breach notices that provided victim and attack details in the last five years – dropping 50% since 2019. This number is significant because it means that for two-thirds of the reported breaches, valuable information that would help to determine the risk to the compromised data was missing.
The trickle-down effect of this is disastrous, explains ITRC. Breached organizations, as well as the government, do not have the data they need to make informed decisions about the risk surrounding a data compromise, nor can they provide the appropriate steps to take in its aftermath.
Additionally, state notification laws, which are often antiquated and vary by state, put the burden of determining the risk on the organization that was breached. Without adequate information, an organization is not able to determine the risk of a breach. And if the determination is that there is no risk, then in all states no notice of a data breach is made.
Common sense tells us that data breaches are underreported in the United States. The 1,802 reported here are a minimum estimate. The trends related to publicly reported data breaches in 2022 reinforce the conclusion that the data breach environment is worse than we know and can be proven with quantifiable data. The result is individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic – a “scamdemic” – of identity fraud committed with stolen or compromised information (Eva Velasquez, ITRC CEO).
The unknown will continue to be troubling, but organizations like the National Cybersecurity Alliance and the ITRC hope to bring clarity to the impacts of data compromises and the best strategies to prevent them. During Data Privacy Week 2023, the ITRC revealed additional details on their notified Business data breach alert service – the most comprehensive library of publicly reported data breaches within the U.S.
Strategies for Data and Payment Protection
If lack of information surrounding data compromises continues, it will be difficult for organizations to defend themselves against cyberattacks. Instead of defending a network that hackers can breach, many cybersecurity experts believe that devaluing important data is the better approach to securing personal and payment data.
Point-to-point encryption and tokenization technologies encrypt valuable payment and personal data, rendering it useless to cyberthieves in the event of a data breach.
Bluefin is the recognized leader in encryption and tokenization technologies to secure payment and sensitive data upon intake, in transit, and in storage – offering PCI-validated point-to-point encryption for contactless face-to-face, mobile, unattended, and call center payments, and ShieldConex, a data security platform for the tokenization and encryption of card payment and ACH account data online.