If you’re not in the habit of checking out the reports issued regularly by the Identity Theft Resource Center (ITRC), then you are missing out. This nonprofit organization does a fantastic job of gathering up-to-the-minute information about data breaches, chopping it up and analyzing it in compelling and sometimes surprising ways, and presenting it in clear, easy-to-consume reports that combine well-written prose and well-designed infographics and tables.
Two recent reports that are definitely worth your while are the H1 2023 Data Breach Analysis and the Q1 2023 Data Breach Analysis. Together these reports provide a clear view of the dominant trends in cyberattacks over the past few years.
Total number of attacks exploding
The first thing that jumps out of the H1 2023 report is that the total number of cyberattacks is booming. In fact, that jump in the total is almost entirely due to the Q2 numbers. Q1 this year saw 442 compromises, roughly in line with the figures for previous quarters going back to 2021.
But in Q2, that number leaps to 951, essentially doubling the usual number of compromises. Is that an anomaly, or does it mark the beginning of an upward trend? It’s too soon to say, but one thing is clear: Organizations need to keep their cyber defenses up to date and ensure they’re fully prepared to respond effectively to a successful attack.
Notifications becoming less useful
One unsettling trend is the substantial growth in breach notifications that do not specify the vector that was exploited in the attack. For example, in H1 2021, only 14 out of a total of 723 attack notifications lacked this information. But in H1 2023, 523 out of 1,049 breach notifications failed to specify the exploited vector.
It’s hard to know what’s driving this trend, but we can speculate. One possibility is that companies realize that they are not required to release that information as part of their breach notifications, and their legal counsel has identified some kind of liability advantage to be gained by withholding it.
Another possibility is the evolving nature of cyberattacks themselves. Ransomware and other types of attacks increasingly exploit multiple vectors in their effort to penetrate networks, so it may be that at the time breach notifications are released, victim organizations simply haven’t been able to identify a single vector for the attack.
Regardless of the reason, one consequence of this trend is that it’s harder for everyone to draw solid conclusions about how best to allocate security resources. Phishing and ransomware still top the list of specified vectors. But that information is less useful now that the number of reports that don’t specify the vector (523) is more than double the number that identify phishing/smishing/BEC (246).
Supply-chain attacks are well established
Supply-chain attacks are based on compromising commonly used software modules that developers often incorporate into their applications. In the past, when applications mostly ran on the server side, such compromises were relatively easy to spot, so criminals had less incentive to attempt them.
Now that API-based development is the norm, applications are running — and calling third-party software elements — on the client side, making supply-chain attacks much harder to detect and prevent. And, predictably, this has led to a rise in their numbers. It is notable that in both the first and second quarters of 2023, supply-chain attacks accounted for nearly as many data breaches as ransomware did. Clearly, this is a vector that needs to be taken very seriously by IT security teams.
Healthcare, finance, and manufacturing
As it has been for several years, the healthcare industry continues to be the top sector for cybercriminals to target. Financial services remains a close second. Manufacturing and utilities also traditionally account for a sizable number of attacks, but it appears that attacks on this sector may be increasing at a faster clip than attacks on others.
This can likely be explained by the fact that industrial systems are increasingly being integrated with general IT systems and with the internet and cloud services. As the “industrial internet of things” (IIoT) expands, so do the incentives for cybercriminals to target these systems.
In the past, the primary reason to attack an industrial or utility physical system was sabotage. However, now that these systems are integrated with IT systems, they offer a vector into the corporate network and an opportunity to steal data. Ensuring that your IIoT systems are fully protected against attack is therefore increasingly important.
A focus on individual victims
A fundamental part of the ITRC’s mission is to inform individual consumers about the risks and costs of identity theft, how to minimize those risks, and how best to respond if they become victims.
And so, while the data that these reports contain is mostly focused on data breaches, it also includes the total number of individuals whose personal information — including financial and healthcare information — has been stolen and may be used for identity theft.
Unfortunately, that number has risen even more dramatically than the total number of breaches — from just over 62 million in H1 2022 to well over 156 million in H1 2023. This means that as individual consumers we must all learn to be extremely vigilant for indications of identity theft, the consequences of which can be extremely severe and costly.