In January, the Identity Theft Resource Center® (ITRC) released its 16th Annual Data Breach Report, marking a shift from the era of identity theft to a new age of identity fraud.
“We may very well look back at 2021 as the milestone year when we officially moved from the era of identity theft to an era of identity fraud. That is to say, the time when cybercriminals shifted from mass data accumulation (identity theft) to mass data misuse (identity fraud). Fueling most identity fraud-related crimes was consumer information stolen from businesses in data breaches.” Eva Velasquez, President & CEO, ITRC
Consumers' personal information remained valuable to cybercriminals in 2021, but instead of being the prime target it was more often the means used to attack businesses: through stolen credentials (logins and passwords) or through social engineering, where criminals tricked people into revealing the information needed to launch an attack. The result was a significant increase in data compromises, driven by a record number of cyberattacks.
In 2021, more data compromises were reported in the U.S. than in any year since the first state data breach notice law took effect in 2003. There were 1,862 data compromises reported in 2021, up 68% over 2020 and 23% over the previous all-time high (1,506) set in 2017. Other findings in the ITRC's 2021 Annual Data Breach Report include:
- There were more cyberattack–related data compromises (1,613) in 2021 than all data compromises in 2020 (1,108).
- Ransomware-related data breaches have doubled in each of the past two years. At the current growth rate, ransomware attacks will pass phishing as the number one root cause of data compromises in 2022.
- The number of data breach notices that do not reveal the root cause of a compromise (607) has grown by more than 190% since 2020.
- As identity criminals focus more on specific data types than on mass data acquisition, the number of victims continues to drift downward, by roughly 5% in 2021 compared to the previous year. The number of consumers whose data is compromised multiple times per year, though, remains excessively high.
Compromises increased year over year in every sector but one, the military, where no data breaches were publicly disclosed. The Manufacturing & Utilities sector saw the largest percentage increase in data compromises, up 217% over 2020.
Cyberattacks were the leading root cause of data compromises in 2021, accounting for 1,613 breaches and exposures. Phishing topped the list of cyberattack vectors with 537, followed by ransomware (350) and malware (139), showing that stolen consumer data and credentials are often the first step in a successful attack.
In its report, the ITRC includes a case study on Robinhood that emphasizes the impact of social engineering in breaches. In that case, attackers manipulated a Robinhood customer service representative into giving them access to the investment platform's customer support systems, and roughly 7 million account holders were affected. That breach was one of the largest of 2021, and just one of many major breaches in history that began with stolen consumer data.
Some notable trends hinder post-breach damage control. The ITRC reports that transparency in breach notices is decreasing: in 2020, 207 consumer breach notices were missing important details, and that number nearly tripled to 607 in 2021. This lack of information prevents consumers from judging the risks they face and from taking appropriate action to protect themselves. In addition, a decrease in timely breach notices posted by state agencies results in further delays for consumers and for the organizations that assist identity crime victims.
Breach notice effectiveness is also at a low. In 2021, of the 72% of consumers who were aware of receiving a breach notice, only 48% changed the password on the affected account, and 16% took no action at all.
Some states have enacted their own privacy laws to protect their residents, but each state defines personal information differently and sets different rules for how victims are notified. As a result, residents of one state may receive a data breach notice while residents just across the border in a neighboring state receive no alert for the same breach.
“To be sure, consumers are still at risk and there are still cybercriminals looking to separate trusting people from their resources. But the vast majority of data compromises that occur today represent highly sophisticated, highly complex cyberattacks that require aggressive defenses to prevent. If those defenses fail, we too often see a level of transparency that is inadequate for consumers to protect themselves from identity fraud.”
Protect Your Business from Data Compromise
The ITRC helps ensure that more consumers learn when their personal information is at risk from a data compromise, but organizations also need to be proactive in protecting their customers, and themselves, from a breach: not only by protecting consumer data but by devaluing it.
Best practices for organizations include implementing security solutions that encrypt, protect and secure consumer data. Bluefin's PCI-validated Point-to-Point Encryption (P2PE) solutions devalue the data by encrypting credit and debit card information at the Point of Interaction (POI) in a P2PE device, so that clear-text cardholder data is never present in a merchant's or enterprise's systems or network, where it could be accessed in the event of a data breach. Our ShieldConex® data security platform complements P2PE at the point of sale by tokenizing any PHI, PII or payment data entered into online forms. Together, Bluefin's security solutions provide the most holistic approach to protecting organizations' data. Contact us to learn more.
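To make concrete what "devaluing" data means, here is an added example of vault-based tokenization in Python. It is illustrative code written for this page, not Bluefin's code and not how ShieldConex or any P2PE product is implemented. The vault class, its keyed lookup index, the token format and the order records are all assumptions; the card numbers are the standard industry test numbers, not real accounts. The point it shows: the merchant's order records keep only a token, so a dump of those records yields no card numbers, while the vault (which in practice sits in a segregated, PCI-scoped environment and encrypts its store under HSM-managed keys) is the only place a token can be reversed.

```python
import hashlib
import hmac
import re
import secrets
import string
from typing import Dict, List

# Constructed sample data: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(s: str) -> bool:
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s)


class TokenVault:
    """Hypothetical tokenization vault (assumed design, not any vendor's product).

    It is the only component that ever sees a PAN; the merchant keeps the token.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key                 # secret key for the keyed lookup index
        self._token_by_index: Dict[str, str] = {}   # HMAC(PAN) -> token
        # token -> PAN. A production vault would hold this encrypted under an
        # HSM-managed key; it is a plain dict here only to keep the example short.
        self._pan_by_token: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash: an unkeyed SHA-256 of a 16-digit PAN is cheap to brute-force,
        # an HMAC under a secret key is not.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not is_plausible_pan(pan):
            raise ValueError("input is not a plausible card number")
        idx = self._index(pan)
        existing = self._token_by_index.get(idx)
        if existing is not None:
            return existing          # same card -> same token, so repeat customers stay linkable
        while True:
            # Random token: nothing about the PAN is recoverable from it. The random part
            # is letters only so the token can never itself look like a card number; the
            # last four digits stay in clear for receipts and customer support.
            rand = "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
            token = f"tok_{rand}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (for example at settlement time) can map a token back to a PAN."""
        return self._pan_by_token[token]


PAN_PATTERN = re.compile(r"\d{13,19}")


def exposed_pans(records: List[Dict[str, str]]) -> List[str]:
    """Scan a dumped record set the way an attacker would; return every real PAN found."""
    found = []
    for rec in records:
        for value in rec.values():
            for candidate in PAN_PATTERN.findall(value):
                if is_plausible_pan(candidate):
                    found.append(candidate)
    return found


def checkout_without_tokenization(pans: List[str]) -> List[Dict[str, str]]:
    """Merchant stores the card number itself (the data a breach would expose)."""
    return [{"order": f"A{i}", "card": pan} for i, pan in enumerate(pans)]


def checkout_with_tokenization(vault: TokenVault, pans: List[str]) -> List[Dict[str, str]]:
    """Merchant stores only the vault's token."""
    return [{"order": f"A{i}", "card": vault.tokenize(pan)} for i, pan in enumerate(pans)]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    plain = checkout_without_tokenization(SAMPLE_PANS)
    tokenized = checkout_with_tokenization(vault, SAMPLE_PANS)
    print("plain records expose", len(exposed_pans(plain)), "card numbers")
    print("tokenized records expose", len(exposed_pans(tokenized)), "card numbers")
```

Two design choices are worth noting. The token is random rather than derived from the card number, so a stolen token table gives an attacker nothing to reverse, and the keyed HMAC index exists only so that the vault can hand back the same token for a returning card without storing a brute-forceable hash. The example covers only the tokenization half of the page's description; the P2PE half, encrypting at the terminal so that the card number never reaches the merchant's systems in clear, protects the leg from the point of interaction to the processor and is not shown here.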