Welcome to the Identity Theft Resource Center's Weekly Breach Breakdown for Friday the 13th in October 2023. I'm James Lee and thanks to Sentilink for supporting this podcast.

Each week, we look at the most recent events and trends related to data security and privacy. Today, we’re going over the data compromise stats for the third quarter and year-to-date. If you’re afraid of heights…I suggest you hold on to something and don’t look over the edge.

Show Notes

Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for October 13, 2023. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we will go over the findings in our Q3 2023 Data Breach Analysis. If you’re afraid of heights, we suggest you hold on to something and not look over the edge.

New All-Time High in Data Compromises Recorded

By way of context, we ended the calendar year 2021 with the highest number of data compromises ever recorded in the U.S. in a single year – 1,862. For the nine months ending September 30, 2023, there have been 2,116 data compromises reported, including 733 in Q3. That exceeds the previous annual record of data events by 14 percent with three months left in the year.

The Root Cause of Data Compromises

According to the Q3 2023 Data Breach Analysis, cyberattacks continued to be the most frequently reported root cause of a data breach in Q3. However, over half of the breached entities did not report an attack vector. Among those that did, phishing attacks were the most frequently reported cause.

Zero Day Attacks were a close second, followed by a surging number of ransomware attacks and well ahead of malware attacks. However, with more entities not reporting an attack vector than those that did, it is difficult to be precise about the rate of specific attack vectors.

MOVEit Data Event

Supply chain attacks impacted a large number of entities in Q3, even though the organizations may not have been directly attacked. More than 1,300 organizations reported data compromises from an attack against 87 vendors, including many third parties impacted by an attack against MOVEit file transfer software.

So far in 2023, 423 U.S. organizations have been impacted by a single or multiple vendors using a vulnerable MOVEit product. An additional 79 organizations have reported being directly affected by attacks against MOVEit software or services. Four of the top 10 compromises in Q3 were related to a MOVEit attack.

Other Findings & Good News in the Report

The number of Financial Services institutions reporting data compromises jumped dramatically in Q3, with notices exceeding the total number of Financial Service compromises reported in the past two years. Financial institutions also topped the list of industries breached in Q3 for the first time in 15 months.

The good news in the Q3 2023 Data Breach Analysis is the estimated number of victims is still well short of the pace from 2022: 233.9 million through the first nine months of this year compared to 425 million for the full year 2022.

Why an Increase in Data Compromises and Cyberattacks?

Cybersecurity researchers point to the rising number of successful Zero Day attacks – an attack against a software flaw that is previously undisclosed and for which there is no patch – as a reason for the significant increase in data compromises. That conclusion is consistent with this year’s ITRC statistics, where 86 Zero Day Attacks have been reported so far this year as the cause of a data breach, compared to five in all of 2022.

The rise in compromises can also be attributed to a new wave of ransomware attacks as cybercrime groups return after being sidelined in the first year of the war in Ukraine, along with new ransomware groups entering the criminal environment. That is also consistent with the fact the number of data breaches attributed to ransomware (186) has now exceeded the number of malware attacks so far in 2023. However, malware is also up in 2023 with 106 related compromises versus 68 in full-year 2022.

Blackbaud Data Breach Settlement

One last item – an update from the 2020 breach of Blackbaud, a company that resisted issuing data breach notices and instead relied on its customers to issue notices. The company has now settled litigation with the U.S. Securities and Exchange Commission and 49 states for about $53 million and an agreement to put various compliance controls in place.

One interesting note from the multi-state settlement agreement: the ITRC tracked more than 600 Blackbaud customers who issued data breaches. However, this week’s settlement disclosed that 13,000 organizations were impacted by the ransomware attack in 2020. If you were looking for evidence that state data breach laws are ineffective in capturing the true number of breaches, then (with apologies to comedian Bill Engvall) “there’s your sign.”

Contact the ITRC

If you want to know more about how to protect your business or personal information, think you have been the victim of an identity crime, or want more information on the findings in the Q3 2023 Data Breach Analysis, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Be sure to check out the latest episode of our sister podcast, The Fraudian Slip. In two weeks, we’re releasing our annual report on the impact of cyber and identity crimes on small businesses. We will return next week with another episode of the Weekly Breach Breakdown.

Listen On

Also In Season 4