Leaky COVID-19 Portals Add Complexity to a Record Data Breach Landscape
Data Breaches Have Never Been More Common & Bad Government Tech Isn’t Helping
Data security has grown more complex than ever thanks to additional pressures that spawned from the global pandemic. A nasty combination of uncertainty, economic pressure, technology evolution and the trend toward remote work has brewed up the perfect atmosphere for cyberattacks, and bad actors aren’t wasting any opportunities to profit from it. Now another data security threat is emerging to complicate the problem: leaky COVID-19 portals.
Your company’s top security risk is already inside the building. Learn how to fix it with The Guide to Reducing Insider Risk. GET IT>>
Cybercriminals Are Hungry for Sensitive Data
2021 was the busiest year on record for data breaches. It easily exceeded 2017’s previous record according to an analysis of the Identity Theft Resource Center (ITRC) database of publicly reported data breaches in the United States by Spirion. Researchers determined that ITRC data revealed that Social Security numbers were the most common data targeted during sensitive data breaches last year, but a few other big categories also emerged. Altogether, analysts determined that a total of 1,862 data compromises were reported by US organizations in 2021. That’s a whopping 68% increase over 2020’s disturbing numbers.
Most Commonly Targeted Sensitive Data in 2021 Breaches
Type of Data | Appearance in Total Breaches |
Social Security number | 65% |
Personal health information | 41% |
Bank account information | 23% |
Driver’s license | 23% |
Credit/debit card details | 12% |
Email/password credentials | 10% |
A strong security culture reduces your company’s chance of a data breach. This checklist helps you build it. GET IT>>
How 2021’s Record-Breaking Amount of Sensitive Data Breaches Happened
It’s overwhelmingly obvious that external actors are to blame for most sensitive data breaches. 93% of all of the sensitive data breaches in this study were caused by external actors. That’s a departure from the conventional wisdom about who or what is responsible for data breaches. Typically, internal actors are responsible for just under 35% of data breaches. But when it comes to sensitive data that percentage drops dramatically. Internal actors were responsible for just 7% of sensitive data compromises. Those compromises endangered 878,556 people’s PII. Most internal data breaches of sensitive data happened through that expected data breach culprit, human error. Analysts cited mistakes in email correspondence and misconfigured cloud security or firewalls as catalysts.
That means that bad actors were very busy stealing sensitive data in 2021. They primarily gained access to sensitive personal data last year through targeted cyberattacks. The cause of 1,440 cyberattacks in this report, targeted cyberattacks made up 89% of data breaches that could be attributed to external actors. Through those attacks, cybercriminals snatched up the personal information of 148 million people. Through a variety of attack vectors.
Attack Vectors Used in Targeted Cyberattacks
Attack Vector | % of Sensitive Data Incidents | People Impacted |
Third-party/supply chain vulnerabilities | 25% | 6.9 million |
Phishing/smishing/business email correspondence | 23% | 4.8 million |
Ransomware | 17% | 14 million |
Malware | 8% | 2.5 million |
Cybercriminals were also smart about where they went shopping for data, focusing their efforts on organizations that were highly likely to be holding on to large quantities of valuable personal and financial data. The vast majority of data breaches that gave the bad guys access to sensitive data were concentrated in three industries.
Industries with the Most Sensitive Data Breaches in 2021
Number of Incidents | People Impacted | % of Yearly Total | |
Professional and business services | 157 | 52 million | 35% |
Healthcare | 447 | 24.8 million | 17% |
Telecommunications | 8 | 47.8 million | 32% |
Learn 5 red flags that could indicate a malicious insider is at work in your organization! DOWNLOAD INFOGRAPHIC>>
Government Technology Fails Are a Boon for the Bad Guys
In 2022, government agencies aren’t helping the cause. By and large, they’re a mess. Leaky portals with bad security or misconfiguration issues are exposing sensitive data left and right, to the detriment of average citizens. A series of snafus with pandemic-related portals, vaccine passports, reporting tools and QR codes has led to some major data exposures in just a few months.
- In February 2022, Washington, DC.’s Digital Vaccine Portal, a COVID-19 vaccination repotting tool, had to be shut down less than a month after opening over data exposures. Specifically, the portal was giving users the wrong vaccination records, giving them access to other people’s vaccination records.
- Also in February 2022, the government of New South Wales, Australia was in hot water after exposing a massive quantity of potentially sensitive data through a COVID-safe registry. The registry was open to all businesses and could be accessed through a QR code. Details of more than 500,000 organizations including national defense sites, a missile maintenance unit and several sensitive locations like domestic violence shelters were made public in that data trove.
- The Kings County Public Health department disclosed that it had potentially exposed the sensitive medical information of citizens. A security flaw in its public webserver made limited information on COVID-19 cases readily available on the internet between February 15, 2021, and December 6, 2021.
Digital vaccine credentials are a hot-button issue in the US, and a great deal of the controversy surrounding them can be chalked up to privacy concerns. Unlike many issues related to the pandemic, this one isn’t strictly partisan, although legislative or executive action on the subject is more likely to hew to partisan lines. State governments have been grappling with the issue, resulting in a low adoption of digital vaccine credentials amid technical problems and privacy concerns. Only 10 states including New York, New Jersey, Utah, California, Hawaii, Colorado and Louisiana have implemented digital vaccine credentials, and those states have faced significant challenges. Governors and lawmakers in 20 typically red states have chosen to limit or ban digital vaccine passports, citing privacy as a major concern.
Be the hero that defeats a company’s security threats to declare victory over cybercriminals! GET THE GUIDE>>
Other Notable Findings About Data Privacy Today Aren’t Encouraging
If you were expecting any good news about the data breach landscape, you’re going to be disappointed after exploring the other findings that analysts reported. As we previously reported, the 2022 data security outlook is not good. These contributing factors aren’t helping the cause.
The sensitive data breach lifecycle is growing. The average sensitive data breach in 2021 had a lifecycle that was twice as long as an equivalent non-sensitive data breach. From start to finish, the average sensitive data breach took 112 days to resolve, while the same sort of non-sensitive data breach took about half that time at only 52 days.
Data breaches caused by internal actors take twice as long to detect. Analysts determined that data breaches that could be attributed to human error, the most common cause of an internal data breach, took 207 days to detect and contain. But if that data breach was caused by external bad actors, it was much easier for a company to spot it. External attacks that led to a sensitive data breach had an average lifecycle of 75 days.
Attack vectors are in flux. Shifting attack vectors are making it harder to figure out which direction the next threat might be coming from. A few safe bets did emerge. Researchers determined that the 93 third-party or supply chain-related attacks impacted 559 organizations, exposing more than 1.1 billion data records. More than 80% of those incidents involved sensitive data, ultimately resulting in the exposure of PII for 7.2 million people. To no one’s surprise, the healthcare industry was impacted by 53% all supply chain attacks in 2021. Healthcare has been a particularly beleaguered sector since the start of the global pandemic.
Repeated breaches at the same organization are likely. Once isn’t enough; the bad guys are going for the same target multiple times a year. Researchers noted that more than two dozen organizations in the dataset experienced multiple data breaches in 2021. Aetna ACE’s three data incidents and LinkedIn’s two massive data leaks were cited. Those incidents exposed data on 1.2 billion people. One conclusion is that increasing levels of remote work have led to increasing levels of cybercrime, putting greater amounts of data at risk than ever before. It’s also worth noting here that the explosion of ransomware in 2021 may have been a contributing factor. Over 80% of organizations that experience a ransomware attack and pay the ransom are hit with a second attack.
Go deep into the cybercrime underworld in “Hacker Hotbeds and Malicious Marketplaces” WATCH THIS WEBINAR>>
Strong Security Now Saves Headaches Later
All told, sensitive data breaches impacted 84% of people in 2021 leaving a lot of employees and their companies exposed to elevated cyberattack risk. With such a huge number of people impacted, companies need to make it a priority to reduce their risk of cybersecurity trouble from employee data exposure. Putting the right defenses in place to be proactive about risk helps companies avoid expensive disasters.
Dark Web ID
- 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.
- Dark web search uncovers your company’s compromised credentials in dark web markets, data dumps and other sources in minutes
- Automated reporting streamlines operations and alerts you to trouble fast, giving you the advantage to act before cybercriminals do.
BullPhish ID
- Now available as a stand-alone solution!
- Gain access to a content library stuffed full of training videos about security and compliance.
- New content is added monthly to keep employee training up to date.
- Simple, clear reporting makes it easy to demonstrate the value of training.
Get ready to pack your bags for Connect IT 2022! Join us June 20-23 in Las Vegas for the industry’s premier event! REGISTER NOW>>