Please fill in the form below to subscribe to our blog

Categories

Tags

Australia BullPhishID BullPhish ID Canada commercial credential stuffing cyberattack cybercrime cybersecurity Dark Web dark web credential loss Dark Web ID dark web monitoring dark web threat Data Breach Data Breach Alerts data compromised data loss prevention data theft France hacking healthcare insider threats Japan MSPs MSP Solutions MSP Space nation-state hackers Passly passwords phishing phishing resistance phishing resistance training ransomware remote working retail security security awareness training SMB cybersecurity stolen credentials supply chain risk The Week in Breach third party risk United Kingdom United States

Data Breaches Set a New Record — Up 78%

March 25, 2024

Bolster data security now before you become part of the trend

With each passing year, we see brand new innovations in technology that help us make the most of our digital outlets, whether in a professional, financial or recreational capacity. However, it’s important to keep in mind that the more dependent we become on technology, the more we leave ourselves open to the ever-growing threat of cybercrime. One would assume that cybersecurity, by the end of 2023, would empower organizations and individuals to roam about their digital avenues freely without having to worry too much about bad actors. Unfortunately, according to the Identity Theft Resource Center’s (ITRC) 2023 Data Breach Report, the past year brought about a somber realization that cybercriminals have grown more relentless than ever. 

What should you be looking for in an EDR solution? This checklist helps you make a smart choice! GET IT>>

Data compromises set a new record

The year 2023 witnessed an incredibly steep uptick in the number of publicly reported data compromises that impacted over 300 million individuals across the globe. The table below provides a clear depiction of the number of compromises and victims compared to 2021 and 2022, which goes to show just how the world of cybercrime has evolved in terms of aggression and sophistication. The year 2023 also marked the highest number of annual data events reported in the U.S. — a 78% increase as compared to the year before. 

The latest data compromise trends and statistics 

2021 1,860 300,607,163 
2022 1,801 425,212,090 
2023 3,205 353,027,892 

Source: ITRC 2023 Data Breach Report

The pace of data compromises is not slowing down, with what looks to be another banner year ahead. In the first three months of 2024, ITRC recorded 841 publicly reported data compromises – up 90% over Q1 2023. This makes it imperative for businesses to take a hard look at their defenses. Organizations must take proactive steps to avoid joining the list of victims in 2024.

Learn to defend against today’s sophisticated email-based cyberattacks DOWNLOAD EBOOK>>

Human/system errors and email-based attacks are the top attack vectors of 2023

Besides system and human errors, email-based attacks, like phishing, smishing and BEC attacks, have devastated industries worldwide in 2023. These cunning cyber threats prey on human vulnerabilities, leveraging deceptive emails and messages to manipulate victims into revealing sensitive information or transferring funds. With every new connection established within, or to, an organization’s IT architecture, the chances of its attack surface increasing are high. Listed below are some of the biggest attack vectors of 2023 that resulted in 2,365 publicly disclosed cyberattacks. Here’s a quick look at the top five attack vectors of 2023. 

The Top 5 Attack Vectors of 2023

Type of attack vector Number of compromises 
System and human errors 739 
Phishing/Smishing/BEC 438 
Ransomware 246 
Malware 118 
Zero-day vulnerabilities 110 

Source: ITRC 2023 Data Breach Report

Affordable, automated penetration testing is a game-changer. Learn about it in our buyer’s guide! GET GUIDE>>

A company’s employees are also at risk of data exposure

These two breaches serve as prime examples of how one cyberattack can lead to widespread data exposure for a company’s employees as well as consumers.

Zellis ransomware exploit (UK)  

  • Zellis, a payroll company, fell victim to a data breach due to the MOVEit exploit — a zero-day vulnerability widely used in file transfer software. 
  • The CL0P ransomware group exploited this vulnerability throughout 2023, affecting over 2,000 organizations and more than 60 million people. 
  • Companies like British Airways, Boots and the BBC faced exposure of employee data, including national insurance numbers, salaries and contact details. 

Dish Network ransomware attack (U.S.)  

  • Dish Network, a major U.S. satellite television provider, suffered a massive service outage and data theft due to a ransomware attack. 
  • Nearly 300,000 individuals’ personal details were stolen during the attack, causing customer frustration and impacting services. 
  • Employees, former employees and their families had their personal data snatched.

These incidents express the dire need for robust security measures, user education and vigilance in the face of evolving cyberthreats. Stay alert and remember that seemingly innocuous emails might harbor a dangerous payload. 

Every business faces insider risk, from employee mistakes to malicious acts. Learn how to mitigate it. DOWNLOAD EBOOK>>

Supply chain attacks are surging

Supply chain attacks, also called third-party vendor attacks, occur when hackers exploit a common vulnerability in an organization’s IT infrastructure, usually through phishing, ransomware or malware. These attacks are distinguished by their focus on stealing data not from the attacked organization itself but from its clients, customers or partners in the supply chain. 

It’s an effective way to leverage smaller businesses that offer services to larger organizations with better cybersecurity protocols as a backdoor. Bad actors now, with much less effort, gain access to data from multiple businesses by breaching just one organization or by exploiting weaknesses in a product or service used across various companies. 

There were 242 supply chain attacks in 2023, with 2,769 entities affected. The MOVEit hack is considered to be one of the largest third-party vendor attacks to date and holds the top position as the most devastating supply chain attack in 2023. The incident stands as a testament to just how much damage cybercriminals can inflict through such attacks and emphasizes the need for more robust vulnerability management solutions. 

a red fish hook on dark blue semitransparent background superimposed over an image of a caucasian man's hands typing on a laptop in shades of blue gray

Learn how to spot today’s most dangerous cyberattack & get defensive tips in Phishing 101 GET EBOOK>>

The Capita data breach impacted 90 organizations

The Capita breach is a good example of many organizations having sensitive data stolen from a cyberattack on a service provider. On March 30, 2023, U.K. business services giant Capita fell victim to a ransomware attack perpetrated by the BlackBasta ransomware group. Several pension plans that utilized Capita’s Hartlink online portal were impacted including The Universities Superannuation Scheme (USS), the U.K.’s largest private pension provider. This resulted in a ripple effect of data exposure for Capita’s clients and a major financial loss for Capita

  • More than 90 organizations had data exposed.
  • The cyberattack was the main contributor to an annual loss of over $100 million.
  • An estimated 470,000 active, deferred and retired members of USS had their personal data exposed.

Is building an in-house SOC a smart move? Our whitepaper breaks down the costs. READ IT>>

The shortcomings of data breach notice laws 

Starting in late 2021, the ITRC observed a notable decrease in data breach notifications containing useful information. This trend of less transparent breach notifications has persisted even as the number of public breach announcements has increased, posing greater risks of identity misuse for both individuals and businesses. Over the last few years, there has been much debate over whether mandatory breach notification laws would encourage organizations to strengthen their security measures. The decision to issue a breach notification is generally in the hands of the affected organization. If they deem the risks to their customers, stakeholders or employees to be negligible, no notification is issued. However, many organizations place a heavy emphasis on minimizing news of a breach to minimize the financial impact and loss of reputation they face afterward.

This conundrum is further complicated by the sudden growth of supply chain attacks. The decision-making process regarding the assessment of risk to the victims and victim notification can be muddied. This is because the data compromised does not necessarily belong to the initially breached entity. The fact that a company’s data was stolen through no fault of their own tempts large companies to brush the data loss under the rug to avoid bad publicity and headaches, hoping that consumers just won’t find out about a data breach at a less well-known business service provider.

What cybercriminal tricks do employees fall for in phishing simulations? Find out in this infographic. GET IT>>

Few companies released data breach notices in the Blackbaud breach

The ITRC highlights the 2020 attack on Blackbaud, a cloud computing provider serving various sectors, to perfectly explain this flaw in data breach notice laws. Despite compromising information that they handled for a significant portion of their clients, Blackbaud only informed a fraction of them, as per a settlement with 49 state attorneys general in late 2023. This discrepancy highlights the ineffectiveness of current breach notification laws in safeguarding the interests of businesses and the public. 

  • Out of the 13,000 affected Blackbaud clients, merely 604 issued public breach notices, covering an estimated 12.8 million individuals.
  • The U.S. Federal Trade Commission (FTC) ultimately decided that BlackBaud’s lax security was the problem after discovering that the company permitted dangerous practices like storing Social Security numbers and bank account information in unencrypted fields.
  • Blackbaud ended up agreeing to pay almost $50 million in a settlement after reaching an agreement with 50 States’ Attorneys.
an ominously dark image of a hacker in a blue grey hoodie with the face obscured.

Explore the nuts and bolts of ransomware and see how a business falls victim to an attack. GET EBOOK>>

New cyber risks loom large as data breach notifications lag

The rise of generative AI tools, like large language models (LLMs), adds a new dimension to the cyber threat landscape. IRTC also reported an uptick in dangerous vectors like zero-day attacks and new malware. Cybercriminals are making the most of these new tools to create new, hard-to-detect phishing messages and previously unknown malware, upping the danger that an employee will fall for a cybercriminals trap and unleash a damaging cyberattack that ends in an expensive data breach.

In 2023, the U.S. saw an average of roughly 12 data breaches per business day while the E.U. reported an average of 912 daily compromises in 2022. But even finding out that their data has been stolen is a daunting task for the people who are the victims of those breaches. The complex landscape of differing state laws and expanding federal regulations combined with innovative cyberattacks complicates and increases the cost of compliance for businesses. Notifications about breaches, often lacking actionable information, are not consistently received by individual victims or businesses at risk of similar attacks. The criteria for breach notifications, their delivery method, content, timing and non-compliance penalties vary greatly. 

Follow the path to see how Managed SOC heroically defends businesses from cyberattacks. GET INFOGRAPHIC>>

New data breach regulations are needed to keep victims informed

The ITRC, in its effort to propagate more resilient cybersecurity practices, suggests the following solutions to help infosec authorities and organizations the world over improve their security strategies for more privacy and business continuity. 

Uniform breach notice laws 

Here are a few examples of how uniform breach notification laws, adopted by state and federal agencies, can help better help organizations: 

Uniform definition of personally identifiable information (PII) that triggers a notice 

Solidifying definitions of regulated data types could help ensure that consumers can more easily understand data breach notices and businesses will face stricter reporting requirements. ITRC suggests:

  • Breach notices should be filed within 24 hours of any breach with their respective authorities. 
  • Government agencies and breached entities should work together to determine the potential damage an individual could suffer due to the compromised information. 
  • Negligence or willful misconduct should not be tolerated. 
  • Should the disclosure of details about a data breach pose a risk to national security or be linked to terrorism, the leading official of the state agency, after consulting with relevant U.S. government agencies, needs to report it to federal authorities within 30 days. 

Learn about the challenges that MSPs face in 2024 in Datto’s State of the MSP 2024 Report. GET YOUR COPY>>

Implement digital credentials and facial recognition systems 

In November 2023, the ITRC emphasized the importance of evolving identity verification methods to combat identity theft effectively. Let’s take a look at some of the insights from their analysis. 

  • The surge in fraudulent claims for pandemic relief highlighted the inadequacy of traditional identity verification processes against sophisticated criminal tactics. 
  • Recognizing data’s limitations for identity verification, the ITRC advocates for the expanded use of facial verification and digital credentials to counteract identity theft. 
  • Traditional verification relies on what you know (e.g., SSN) and have (e.g., driver’s license). The ITRC suggests adding a biometric element, “something you are,” like a facial photo, to enhance security. 
  • Facial verification, a consent-based process comparing a person’s photo with their ID, differs from facial recognition used in surveillance, offering a privacy-respecting and secure verification method. 
  • Biometric verification, including facial recognition, provides a secure, fair way to verify identities, lowering the value of stolen personal information for criminals. 
  • The use of biometrics is particularly beneficial for individuals with limited or no credit history, offering a more inclusive approach to online identity verification. 
  • The adoption of mobile driver’s licenses (mDLs) could further secure personal information, with real-time verification ensuring the authenticity of the holder’s identity and reducing the utility of stolen data. 
IDA-CL-Top-5-Cyberthreats-Schools-Face_Resource

Learn about the top cyber threats K-12 schools face and how to mitigate them. DOWNLOAD INFOGRAPHIC>>

Emphasize third-party vendor due diligence 

Several states across the nation have implemented comprehensive privacy legislation, incorporating cyber-risk assessments to enhance data privacy and protection. Here’s a summary of some of those developments: 

  • Almost a dozen states have enacted comprehensive privacy laws that include cyber-risk assessments to evaluate and mitigate the risks associated with data breaches. 
  • State and federal regulatory bodies now mandate that organizations must implement cybersecurity measures proportional to the potential harm a data breach could cause to individuals. 
  • In states like California and New York, laws stipulate that organizations must ensure their vendors — and even the vendors’ suppliers — adhere to data and security standards that are at least as stringent as those of the primary organization. 
  • Compliance with these regulations requires regular audits to ensure ongoing adherence to the established criteria. 
  • New York has taken additional steps by mandating that the primary organization issue a data breach notification, even if the breach occurs at an affiliate or vendor level, emphasizing the responsibility of the main entity in protecting consumer data. 

The surge to a new record high in data breaches during 2023 underscores an urgent call to action for individuals, corporations and governments alike. The stark rise in incidents not only highlights the increasingly sophisticated tactics of cybercriminals but also emphasizes the critical vulnerabilities in our current digital defense mechanisms. As we navigate through this era of unprecedented digital expansion, it becomes imperative to invest in robust cybersecurity measures, foster a culture of constant vigilance, and prioritize the development of more resilient infrastructures. Moreover, this trend signals the necessity for stronger regulatory frameworks and collaborative efforts to safeguard sensitive information. Ultimately, addressing this challenge requires a comprehensive and proactive approach, aiming not just to respond to breaches but to anticipate and prevent them, thereby securing a safer digital future for all.

See why EDR is the perfect investment to make in your future right now in our buyer’s guide. DOWNLOAD IT>>

Rely on Kaseya’s Security Suite to keep data & systems safe

Kaseya’s Security Suite has the tools that IT professionals need to mitigate cyber risk effectively and affordably, featuring automated and AI-driven features that make IT professionals’ lives easier.  

BullPhish ID — This effective, automated security awareness training and phishing simulation solution provides critical training that improves compliance, prevents employee mistakes and reduces a company’s risk of being hit by a cyberattack.     

Dark Web ID — Our award-winning dark web monitoring solution is the channel leader for a good reason: it provides the greatest amount of protection around with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.    

Graphus — Automated email security is a cutting-edge solution that puts three layers of AI-powered protection between employees and phishing messages. It works equally well as a standalone email security solution or supercharges your Microsoft 365 and Google Workspace email security.      

RocketCyber Managed SOC — Our managed cybersecurity detection and response solution is backed by a world-class security operations center that detects malicious and suspicious activity across three critical attack vectors: endpoint, network and cloud. 

Datto EDR — Detect and respond to advanced threats with built-in continuous endpoint monitoring and behavioral analysis to deliver comprehensive endpoint defense (something that many cyber insurance companies require).      

Vonahi Penetration Testing – How sturdy are your cyber defenses? Do you have dangerous vulnerabilities? Find out with vPenTest, a SaaS platform that makes getting the best network penetration test easy and affordable for internal IT teams.   

Learn more about our security products, or better yet, take the next step and book a demo today!

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!

LEARN MORE>>

Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!

SCHEDULE IT NOW>>