The latest report from the Identity Theft Resource Center (ITRC) revealed a shocking 78% increase in reported data compromises in the US in 2023 compared to 2022, reaching a total of 3205 incidents. These breaches impacted a staggering 353,027,892 victims, although this number represents a 16% decrease compared to the previous year.
One notable trend highlighted in the report is the shift in tactics by organized identity criminals, who are now focusing on specific information and identity-related fraud and scams rather than mass attacks. This shift has led to a decrease in the overall number of victims each year.
The ITRC’s 2023 Annual Data Breach Report also uncovered several key findings about the nature and impact of these data compromises:
– Nearly 11% of all publicly traded companies experienced data breaches in 2023.
– Publicly traded companies were less likely to disclose information about an attack, with 47% withholding information compared to 46% of other organizations.
– The healthcare, financial services, and transportation industries reported more than double the number of compromises compared to 2022, with utilities companies leading in the estimated number of victims in 2023.
– Supply chain attacks have had a significant impact, with the number of affected organizations surging by more than 2600 percentage points since 2018 and the estimated number of victims rising by 1400 percentage points.
In a letter published in the report, ITRC’s CEO, Eva Velasquez, described the overwhelming scale of the 2023 data compromises, highlighting that the increase from the previous record high to 2023’s number is larger than the annual number of events from 2005 until 2020 (except for 2017).
The majority of data compromises were linked to cyber-attacks, with the report noting that phishing-related and ransomware attacks were down slightly, while malware and zero-day attacks increased significantly compared to previous years.
An alarming trend identified in the report is the significant increase in the number of data breach notices that lacked specific information about the attack. In 2023, over 1400 public breach notices did not contain details about the attack vector, compared to 716 in 2022. This is particularly concerning given the rise in organizations targeted by supply chain attacks.
The ITRC highlighted a flaw in data breach notice laws, emphasizing the gap between organizations that lose data and those that notify victims. To address these issues, the ITRC outlined three areas for action to reduce the rate and impact of data breaches on individuals and businesses:
1. Uniform breach notice laws: The ITRC called for state data breach laws and federal agency regulations to adopt uniform provisions to better assist victims.
2. Digital credentials and facial comparison systems: The expanded use of facial verification and digital credentials was identified as crucial in reducing identity crimes involving stolen personal information.
3. Improving vendor due diligence: Understanding the risk represented by vendors, including knowing the breach history of an organization, is imperative in preventing data compromises.
The 2023 Annual Data Breach Report also introduced the ITRC’s new Breach Alert for Business (BA4B) service, designed to help organizations verify if vendors are meeting or exceeding cybersecurity policies and performance. This service confirms vendors’ previous data breaches and issues alerts if a vendor is the subject of future compromises.
The report serves as a critical reminder of the ongoing threat posed by data breaches and the urgent need for concerted efforts to protect individuals and businesses from the damaging impact of these incidents.