Unlocked virtual padlock showing data breaches

Identity Theft Resource Center: 2023 Worst Year on Record for Number of Data Breaches

2023 was the worst year yet for occurrences of data breaches, according to a new annual report published by the Identity Theft Resource Center (ITRC). A record for total amount of compromises was set last year, up 78% from 2022 and up 72% from the previous record set in 2021.

The report pokes a hole in hopes that cyber crime activity might calm from the highs it reached in the post-pandemic period. The total number of victims decreased by 16%, but researchers attribute that to cyber criminals becoming more polished in their work and focused on specific targets and types of information.

Data breaches way up, zero days see major gains

The ITRC’s 2023 Annual Data Breach Report is the 18th edition of the study, and the 3,205 data breaches recorded last year shatters the prior record of 1,860 and is a 78% increase from a similar number (1,806) seen in 2022.

There are some notable trends among 2023’s data. Supply chain attacks are seeing a spike in popularity, and this is part of an upward trend that has been in place since 2018. These attacks have increased by 2,600% in six years and the total victim count is up by 1,400% in that time.

Financial services also continue to be a highly popular target, but the industry has now been topped by attacks on healthcare providers. Healthcare is increasingly a focus for cyber criminals given the amount of valuable data that can be found packed into one place. However, the industry with the highest count of total victims is utilities, and the transportation sector is the fastest riser with over two times as many data breaches as it had in 2022.

And despite a major increase in incidents, public notices of data breaches are now almost twice as likely to not contain information about the attack vector. Publicly traded companies are also slightly more likely to withhold information about data breaches as their counterparts, but in both cases nearly half of breached organizations were not entirely forthcoming about their incidents.

Zero day attacks also saw a major spike in 2023, with ransomware and phishing actually declining slightly despite the major increase in overall data breaches. Cyber attacks continue to lead both the breach and victim counts by far, with the “system and human error” category (such as exposure via a misconfigured database) in a very distant second place. ITRC COO James E. Lee noted that the jump in zero day attacks was relatively massive; in prior years there are generally only one to four connected with data breaches, shooting all the way up to 110 in 2023.

About the only recorded number that did go down in 2023 was the total victim count, plummeting from about 425 million to about 353 million. This was attributed to general increased organization and professionalism among cyber criminal gangs, however, both in the specific information they target and in their selectiveness in attempting identity-related scams.

Communications and research companies experienced biggest data breaches of 2023

Of the top five largest data breaches of 2023, two were of communications/telephony companies and two involved research services that hold huge amounts of data on people.

The biggest record count of the year belongs to T-Mobile, which actually experienced three separate data breaches on the year. However, the largest of these was the first, a January incident involving 37 million exposed customer profiles via API abuse. Comcast’s Xfinity service experienced a breach late in the year that was almost as big, including private profile information for nearly all of its active customers.

The #3 and #5 positions involved research and personal information verification outfits. PeopleConnect, which owns the background check services TruthFinder and Instant Checkmate, had a 20 million record breach involving data subject contact information and hashed passwords. The MoveIT hack sparked the fifth largest data breach of the year, a hit on obituary database PBI Research Services that exposed 11 million records. The other member of the top five was a mortgage company.

Lee projects that the number of data breaches will increase again in 2024, with zero day and supply chain attacks again surging. Part of this is owed to attackers making use of new AI tools, which enable them to more quickly search for vulnerabilities. Trends also seem to indicate that companies are closing ranks and sharing only as much information about data breaches as legally required, making it tougher for victims to know how to respond. Lee notes that this is likely to continue as long as there is a general lack of federal requirements in this area, with companies generally operating by whatever rules are in place where their headquarters are located.