By Chris Morris
Cyberattacks are becoming more prevalent in 2023—and it’s no longer a matter of whether this year will record a record number of data breaches, it’s more a question of how high that number will be.
As of the end of September, corporations had reported 2,116 data compromises for the year, according to the Identity Theft Resource Center (ITRC). That’s already higher than the previous annual record of 1,862, set in 2021. And the fourth quarter is already off to a rollicking start, with the high-profile hack of 23andMe, which could impact millions of the company’s customers.
The third quarter saw 733 total reported compromises, affecting 66,658,764 people. Financial services was the most-attacked sector, topping healthcare for the first time since Q2 2022. That could be because the number of financial institutions reporting data compromises spiked in the third quarter. All totaled, 204 notices were issued, which is more than the 135 total of reported compromises in financial service businesses in the past two years.
Healthcare companies reported 113 data compromises in Q3. No other Industry reported compromise rates in triple digits.
“While setting a record for the number of data breaches is attention-grabbing, unfortunately, it is not surprising,” ITRC president and CEO Eva Velasquez said in a statement. “There are a handful of reasons for the rise in data compromises, ranging from the drastic uptick in Zero-Day attacks to a new wave of ransomware attacks as new ransomware groups enter the criminal identity marketplace.”
One piece of good news: Despite a record number of breaches, the total number of victims, so far, is well off a record pace. Through the first three quarters of the year, there have been 233.9 million estimated victims versus the 425 million at this time in 2022. (2022 included some very large breaches, including Twitter and AT&T.)
Increasing risks
The data breaches in the ITRC’s report range from ransomware to phishing attacks to malware infections. Those can result in everything from companies being shut out of their systems—such as the MGM ransomware attacks that severely impacted Las Vegas—to financially impacting individuals whose identities are sold on the Dark Web.
What’s even more worrisome is that the actual number of breaches and victims is likely much higher than the ITRC’s data shows. Officials at the ITRC note that transparency about attacks continues to get worse. And data breach notices, when filed, often lack details about how companies were compromised and victim details.
“Underreporting and a lack of transparency continues to be a concern, as demonstrated by the fact that more than half (53%) of breach notices in Q3 did not include actionable information about the compromise,” says James Lee, ITRC’s COO. “We also have new, clear evidence that companies are simply making a decision to not report a breach when they do not believe a person is at risk—a decision nearly all state breach-notice laws allow the breached entity to make. If they determine there is no risk, then, generally, no notice is required.”
To put the data into perspective, there have been about 18,000 reported data breach notices in the U.S. since data breach laws went into effect 20 years ago. In the European Union, where the General Data Protection Regulation (GDPR) requires data breach notices, there are about 350,000 notices issued each year.
(2)
