Warning about supply chain attacks is becoming an old refrain, but the new annual report from the Identity Theft Resource Center (ITRC) makes clear that data breaches are a growing problem and that weak third party links are a major driver of the issue.
Another emerging contributor is a focus on zero days, the deployment of which surged in 2023 to a level never previously seen. The ITRC has been tracking data breaches for nearly two decades now and has never seen a year as bad as 2023 before, with 72% more than the previous record year’s total.
More data breaches than ever, even as victim count declines
The worst prior year on record was 2021, which saw 1,860 data breaches in total. There was actually a very small dip in 2022, as the count dropped to 1,806. Those numbers were blown out of the water by 2023’s count of 3,205 total breaches, an increase of 78% from the previous year.
Strangely enough, the victim count dropped by about 16% from 2022. But the ITRC thinks that this is due to the leading ransomware and data extortion gangs becoming more skilled and surgical in their approaches and target selection, rather than any indicator of a potential drop in activity.
The victim count is also usually driven by a small handful of extremely big data breaches. 2023 saw some sizable individual incidents, but not as big (in terms of record count per event) as in prior years. T-Mobile’s early 2023 API scraping incident was the biggest, with contact information from some 37 million customer profiles leaked. Comcast’s Xfinity telephony, TV and internet service also had a breach of about 35 million records.
Contrary to what the victim count might indicate, the ITRC anticipates that data breaches will likely grow again in 2024. Though law enforcement activity against the biggest gangs has ramped up, it is difficult to put them out of business for good without making arrests (generally difficult as the chief operators are usually in Russia). Criminals are also quickly adapting AI tools for the purposes of cyber attacks and enhancing their scam messages.
Zero days no longer just for state-backed espionage
The boost in supply chain attacks leading to data breaches is not a new trend. ITRC finds that since 2018, these attacks have increased by 2,600%. For every well-defended large enterprise, there are usually dozens to hundreds of contractors who represent a more poorly defended entry point.
There are some new trends in the industries that are being targeted. Health care data breaches leapt ahead of those at financial firms in 2023, and transportation businesses are seeing very rapid growth in attack attempts.
Though data breaches are now more common than ever, it is less common for companies to be forthright in their public notifications. Nearly half omitted information in 2023, sticking strictly to whatever they were legally required to reveal.