In the first quarter of every year, organizations around the world release reports summing up data breach trends from the previous twelve months. And every year, these reports say broadly the same thing: data breach numbers have gone up again. This year is no different. Or is it?
Compromises Up, Victims Down
The Identity Theft Resource Center's (ITRC) Data Breach Report 2023, however, tells a somewhat more complicated story. The total number of compromises in 2023 rose by 72% over the previous record high in 2021, but the total number of victims fell 16% year-on-year.
In the report's executive summary, Eva Velasquez, ITRC's CEO, really drives the seeming improbability of this contradiction home, noting that "just the increase from the past record high to 2023's number is larger than the annual number of events from 2005 until 2020 (except for 2017)."
But there is, of course, a rational explanation. One might be tempted to think these rather bizarre statistics are indicative of a generally positive trend in data breach protection. But that would be a mistake – all it really suggests is that cybercriminals are getting better at what they do.
According to the report, these numbers are consistent with a general trend of compromise numbers rising and victim numbers falling as attackers focus more on specific information and identity fraud rather than launching mass attacks. The report points to anecdotal evidence suggesting that "identity criminals" are pairing stolen personally identifiable information (PII) with Generative AI tools to create targeted, highly effective phishing scams rather than sending thousands of generic phishing scams in the hope that someone bites.
Supply Chain Attacks on the Rise
Another notable trend from the report involves supply chain attacks. Again, at first glance, we see a contradiction: since 2018, the number of supply chain attacks rose by 195%, while the number of organizations involved in those attacks rose by 2600%. Again, there's a rational explanation for this, but let's first quickly define what a supply chain attack is.
What is a Supply Chain Attack?
A supply chain attack is a cyberattack that targets a company's software or hardware by exploiting vulnerabilities in its supply chain. Rather than attacking the target organization directly, the attacker infiltrates through a third-party supplier or service provider that the target organization relies on. This type of attack has grown in popularity over recent years as cybersecurity awareness has improved and larger organizations have bolstered their security posture; by targeting a smaller vendor in the larger organization's supply chain, attackers can circumvent the larger organization's protections and gain access to its data.
Why were so many Organizations Impacted by Supply Chain Attacks in 2023?
To understand why the number of organizations impacted by supply chain attacks has grown so much faster than the number of supply chain attacks themselves, it's important to understand the nature of modern supply chains. Despite the disruption brought about by the pandemic and global unrest, contemporary supply chains are incredibly long and complicated, meaning that a single attack on one company can result in hundreds or even thousands of other companies being impacted.
It's also important to understand that supply chain attacks can deliver significant return on investment for cybercriminals. In fact, the larger the supply chain, the greater the potential return on investment. As such, cybercriminals will deliberately target organizations with long, far-reaching supply chains, launching a single attack to breach numerous organizations.
Dodgy Breach Notices
The report also found that nearly half (46% of private companies, government agencies, educational institutions, and nonprofit organizations, and 47% of public companies) withheld actionable information about a data breach in 2023. This is an extremely concerning statistic. Without this information, individual victims are more likely to experience the negative consequences of a data breach.
In their report, ITRC suggests that uniform breach notice laws would remediate this issue. This is an alarm bell the company has been ringing for some time now – Velasquez has been criticizing companies for inadequate breach notices since at least 2021. ITRC argues that as data breach notice laws differ across all 50 US states, there is far too much discrepancy in what triggers a breach notice and what needs to be included in one. As a result, some organizations struggle with what to include in a breach notice or even deliberately withhold information in an attempt to mitigate reputational damage.
All in all, we can take three key ideas from the ITRC report: cybercriminals are increasingly targeting specific individuals and organizations rather than launching mass attacks, supply chain attacks are only likely to become more common and more impactful, and the cybersecurity industry will increasingly call for uniform breach notice laws in the US.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.